What questions should staff ask their DPO?

All staff are responsible for complying with data protection law. Caroline Collins offers questions different staff members can ask their data protection officer to clarify their understanding.

Author details

Caroline is the Head of School Business Strategy and Resources at Miles Coverdale Primary School in London. 

The General Data Protection Regulation (GDPR) requires schools to have a data protection officer (DPO). The DPO reports directly to the highest management level of the school, which will be the governing body or trustees.

The DPO is responsible for data protection including training staff, managing the information audit, implementing policies and dealing with breaches and subject access requests.  

Staff members are responsible for complying with data protection. To be compliant the school’s DPO will have conducted training and signposted relevant policies and procedures.

Staff members should know what they can and can’t do when managing data and they should know where to look for answers.


As headteacher you should be aware of any breaches that have taken place, and your school staffing policies should outline what will happen if a breach of policy occurs. You need to be satisfied that data protection is being managed appropriately and that any breaches have been brought to your attention so that you can conduct any follow-up disciplinary action.

To satisfy yourself that the school’s data protection requirements are being managed well and that your DPO is carrying out the work appropriately, you could ask the following.

  • Has the school received any subject access requests?
  • How were these managed?
  • Was the response sent within the legal timeframe?
  • Who dealt with the response?
  • Has any staff member breached the GDPR? If so, how was this handled?
  • Are you aware of any breaches of school policy? If so, how was this handled?
  • How are you ensuring consent is received if you are relying on it?
  • Have you undertaken any further professional training?
  • How much time are you spending on knowledge-based training?

Senior leadership team (SLT)

The SLT structure varies from school to school, but its responsibilities will mirror those in other schools. With this in mind, the SLT might want to ask the DPO questions around staff data as well as pupil data, such as the following.

  • As a line manager I deal with my team’s personal data through performance reviews etc. This is shared with the headteacher – do I need to seek consent from the staff member?
  • We want to implement a new tracking system for pupils using an external provider. What procedure should we follow and what do we need to consider?
  • We store pupil data for 10 years locked in a secure room – is this correct?
  • We minute our SLT meetings, which include information about staff and pupils – would this comply with data protection?


The SENCO will process a lot of personal data, much of which will be sensitive. They will need to understand how they can comply with the GDPR and data protection when working with a multitude of external agencies.

  • How do I differentiate between personal data and sensitive personal data?
  • How do I know if the agencies I work with have been included in the asset register?
  • How can I be sure that external agents are working in accordance with the GDPR?
  • What mechanism do I use to share data with those agencies?

Designated safeguarding lead (DSL)

Like the SENCO, the DSL will be processing sensitive personal data. The DSL needs to be confident that the data is not accessed by others and that it is held securely.

  • I need to share personal data and sensitive personal data with a number of agencies including social services, GPs and other schools. We do this through email. Does the school have a secure email system in place that I should be using?
  • I store my e-files on the server with password protection. Is this acceptable?
  • When I go to multi-agency meetings I have to take files with me containing sensitive personal data. What do I need to be aware of?
  • I have to share personal data with other staff members using school systems and email. Is there anything I can do to make sure no child’s data is compromised in doing this?
  • Should I be requesting a written confirmation from agencies that they are complying with the GDPR?
  • Do I need to inform the DPO if I use a new external agent?

Office-based support staff

Admin support staff will process more personal data than most of their colleagues. Dealing with admissions and enrolment they will have access to all data which will then be recorded in the school’s system. The office-based support staff should be asking questions along the lines of the following.

  • When a pupil leaves we send the data to the new school by post. Is this acceptable?
  • Our pupil files are in a locked cupboard in the office which some staff members request access to. Should I be allowing that?
  • My computer is sometimes used by other staff members – is this allowed under the GDPR?
  • I scan all enrolment documents and save them to my hard drive unprotected. Is there a different procedure I should follow?
  • I photocopy relevant documents and keep them in my in-tray until I have time to put them on the system. Is this allowed, or should they be locked away?
  • What policies and procedures do I need to be aware of to comply with the GDPR?

Classroom-based support staff

Processing personal data will take different forms and the classroom-based support staff will process less than admin support staff. Classroom-based support staff could ask questions such as those below.

  • What procedures do we follow when reporting behaviour incidents that happen in the playground?
  • What should we do if we think our class teacher has breached data protection?
  • Our accident book is kept in the first aid room and it records the child’s name and date of birth – should this be locked away?


It wouldn’t be possible to include all questions that staff should, or could, ask their DPO. These are just a few questions that might arise.

Each staff member is responsible for making sure he or she is complying with the GDPR. It’s easy for staff members to forget about data protection as they focus on teaching and learning.

The DPO needs to make sure that compliance is kept at the forefront by:

  • conducting whole-staff training at least once a year with refreshers throughout the year
  • making sure policies and procedures are up-to-date and accessible
  • providing induction training to new staff members
  • sending bite-sized data protection information to staff members
  • sharing the information asset register with colleagues
  • providing links to online resources so that staff members can access information and knowledge-based training
  • keeping themselves up-to-date with changes by registering for email alerts from the ICO and DfE.
Last Updated: 15 Apr 2019