2f5de000
Jan 9, 2026

Legal and Ethical Failures

English schools operate in a comprehensive legal framework designed to protect children's data and privacy. In practice, these protections are routine; circumvented, misapplied or simply ignored. The gap between what the law requires and what actually happens in schools reveals fundamental failures in both implementation and enforcement.

The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 established strict rules for processing personal data, with enhanced protection for children. Schools must comply with these laws. Most don't - at least not properly.

Under GDPR, every processing activity requires a lawful basis. For most school data processing, the lawful basis is either:

  • Public task (Article 6(1)(e)): Processing necessary for a task carried out in the public interest or in the exercise of official authority

  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with a legal obligation

  • Consent (Article 6(1)(a)): The individual has given clear consent for processing their personal data for a specific purpose

Schools routinely claim inappropriate lawful bases to justify surveillance practices that should require explicit consent.

Some schools claim "legitimate interests" (Article 6(1)(f)) as their lawful basis for processing children's data. However, GDPR explicitly states that public authorities (including state schools) performing their tasks cannot rely on legitimate interests as a lawful basis[1]. This is a fundamental legal error that invalidates the processing.

Schools argue that commercial platforms like Google Workspace, ClassDojo, or biometric lunch payment systems are "necessary" for delivering education under the public task basis. But "necessary" has a specific legal meaning - it must be genuinely required, not merely convenient or cost effective.

Children were educated successfully for centuries without biometric fingerprint scanners or behavioural point systems. These systems are conveniences that schools have chosen to adopt, not necessities. Under GDPR, convenience is not necessity. [2]

The public task basis justifies processing that schools must undertake to fulfil their core educational mission - maintaining attendance records, recording academic progress, managing enrolment. It does not justify:

  • Posting children's photos on Facebook for marketing purposes

  • Using commercial behaviour tracking apps owned by US companies

  • Collecting biometric data to speed up lunch queues

  • Sharing detailed behavioural profiles with researchers

These activities serve institutional convenience, public relations or commercial interests, not the core public task of education.

When schools do seek consent - typically for photographs and videos - the consent often fails to meet GDPR's requirements. Valid consent must be freely given, specific, informed, and unambiguous.[3]

Consent is not "freely given" when refusing it results in the child being excluded from activities, left out of class photos, or stigmatised as the "difficult family." The power imbalance between schools and parents, combined with the social pressure to allow children to participate fully in school life, means consent in educational settings is rarely truly voluntary.

GDPR recognises this problem. Recital 43 states:

"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller." [4]

The relationship between school (with compulsory attendance requirements and institutional authority) and a parent desperate for their child not to be excluded creates exactly this imbalance.

For consent to be informed, parents must understand:

  • What data will be collected

  • How it will be used

  • Who will have access to it

  • How long it will be retained

  • Where it will be stored

  • What the risks are

Most school consent forms provide non of this detail. A typical form might state: "I consent to photographs of my child being used for school purposes including social media."

Parents signing this don't know:

  • Their child's image will be on (and accessible by) a US company's servers

  • The photo might be used in marketing materials seen by thousands

  • It could be scraped for facial recognition training data

  • It will be indexed by search engines permanently

  • It might be seen by estranged family members or those with safeguarding restriction

Without this information, consent cannot be truly informed.

GDPR requires consent to be specific to each purpose.[5] A single checkbox covering "photographs and videos for school purposes including newsletters, website, and social media" is too broad. Each use - newsletter, website, Twitter (X), Facebook, prospectus, local newspaper - should require separate specific consent.

This granularity matters because parents might be comfortable with photos in internal newsletters but not in public social media. Lumping all uses together denies parents meaningful choice.

GDPR guarantees to right to withdraw consent at any time.[6] In theory, parents can withdraw photo consent. In practice, doing so means: The child is excluded from class photos. They're removed from trip documentation. Their achievements aren't celebrated publicly. They may be the only child in their year with this restriction.

This isn't a genuine right to withdraw, it's a choice between accepting surveillance or accepting that your child will be othered and excluded.

Data Minimisation Ignored

GDPR's data minimisation principle (Article 5(1)(c)) requires that personal data must be "adequate", relevant and limited to what is necessary in relation to the purpose for which they are processed."[7]

Schools systematically violate this principle:

Does a school need to collect children's nationality and country of birth? The DfE thought so in 2016, justifying it as necessary for understanding the needs of children with English as an additional language. After a successful campaign by Defend Digital Me and Against Borders for Children, the collection was stopped in 2018.[8] It was never necessary - it was convenient for a particular policy goal unrelated to educating specific children.

Does a primary school need timestamped photographs of every activity four-year-old does throughout the day uploaded to a commercial platform? Schools claim this is necessary for "documenting learning" and "parental engagement." But children learned successfully for generations without minute-by-minute photo documentation stored on corporate servers.

GDPR requires data to be kept no longer than is needed (Article 5(1)(e)) [9]Yet:

  • CPOMS safeguarding records are kept until age 26 even for children who were never at risk

  • The National Pupil Database retains data permanently - for people now in their 40s

  • School photos on social media remain indefinitely

  • Google Workspace documents persist unless actively deleted

Schools rarely conduct data retention reviews to access whether the data they're holding is still viable. Data accumulates because deletion is harder than retention.

The NPD data sharing scandal documented in 'The National Pupil Database' exemplifies excessive sharing. Between 2012 and 2020, the DfE approved over 1,000 requests for identifiable pupil data, distributing information to journalists, commercial companies, and researchers.[10] This mass distribution bears no relationship to the "necessary" sharing required for education.

GDPR requires controllers to regularly review whether their processing activities remain necessary and lawful. Schools rarely do this. Systems adopted years ago, often during COVID's emergency remote learning period, remain in use without anyone questioning whether they're still needed or whether less intrusive alternatives now exist.

GDPR mandates transparency. Data subjects must receive clear information about how their data is processed (Articles 13 and 14).[11]

Schools privacy notices fail this requirement systematically. Privacy notes are written for lawyers, not parents. They run to dozens of pages, use technical terminology, and bury key information in dense paragraphs. Few parents read them.

GDPR requires information to be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child." [12] School privacy notices fail this standard.

Privacy notices may mention that data is shared with DfE but fail to explain that it then goes into the Nation Pupil Database where it can be distributed to hundreds of third parties. They mention CPOMS for safeguarding but don't explain that subjective observations about friendship difficulties or behavioural concerns become permanent records.

The ICO's 2020 audit of the Department of Education found that "many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional." [13] If parents don't know data collection is happening, transparency has failed completely.

When schools adopt new platforms, change data sharing practices, or modify their policies, they're supposed to inform parents. In practice, privacy notice updates are posted quietly on websites without direct communication. Parents whose children enrolled years ago operate under assumptions that may no longer be accurate.

Parents wanting to know what data a school holds about their child must submit a Subject Access Request (SAR). The process is bureaucratic, time-consuming, and often confusing. Schools have one month to respond but can extend this by two further months if the request is complex.[14] This is hardly "easily accessible" information.

ICO (Information Commissioner's Office) Concerns

The Information Commissioner's Office is the UK's data protection regulator, responsible for enforcing GDPR and investigating complaints. The ICO has repeatedly identified serious problems in the education sector.

The ICO's October 2020 compulsory audit of the Department for Education - triggered by the National Pupil Database data sharing concerns and the Learner Records Service breach involving gambling companies - identified 139 recommendations for improvement, with over 60% classified as urgent or high priority. [15]

The audit found that the DfE was "failing to comply fully with GDPR" because parents and pupils were often "entirely unaware" of data collection and sharing. The ICO concluded that "data protection was not being prioritised and this had severely impacted the DfE's ability to comply with the UK's data protection laws."[16]

If the Department for Education - which sets policy for schools - cannot comply with data protection law, what hope do individual schools have?

Most schools don't employ data protection specialists. Responsibility for GDPR compliance typically falls to:

  • A headteacher juggling dozens of responsibilities

  • A school business manager without data protection training

  • An IT technician focused on keeping systems running

  • An external consultant providing generic advice

Data Protection Officers (DPOs) are required for public authorities under GDPR .[17] Many schools either don't appoint DPOs at all, or appoint someone without appropriate expertise. The ICO's guidance on DPOs emphasises they must have "expert knowledge of data protection law and practices," yet many school DPOs have received minimal training.[18]

The ICO publishes extensive guidance for schools on data protection, including specific resources on taking photographs in schools, biometric data, Subject Access Requests, and data sharing.[19]

School's don't know the guidance exists. Staff are too busy to read detailed technical guidance. Implementing the guidance properly requires time and money schools don't have. Non-compliance rarely results in enforcement action.

The ICO's enforcement approach tends to be educational rather than punitive, especially toward public sector organisations. Schools know they're unlikely to face fines for data protection failures unless something catastrophic occurs. This creates moral hazard - why invest in compliance when non-compliance has no consequences?

Despite widespread GDPR violations in schools, ICO enforcement actions are rare. The ICO issued a reprimand to the DfE in November 2022 over the Learner Records Service breach, noting "it would have warranted a £10 million fine in this specific case" but that fines cannot be issued to government departments under current rules.[20]

Individual schools face even less scrutiny. The ICO's 2024 analysis of education sector data focused on incident reporting, not on the underlying systemic compliance failures that make breaches likely.[21]

This enforcement gap means schools can violate GDPR with impunity, knowing the ICO lacks resources to investigate every complaint and rarely takes action against educational institutions.

Children's Rights Under UNCRC

Beyond data protection law, children have fundamental rights under the UN Convention on the Rights of the Child (UNCRC), which the UK ratified in 1991. The convention establishes that children are right-holders, not merely objects of adult protection.

Article 16 states: "No child shall be subjected to arbitrary or unlawful interference with his or her family, home or correspondence, nor to lawful attacks on his or her honour and reputation. The child has the right to the protection of the law against such interference or attacks."[22]

The UN committee on the Rights of the Child's General Comment No.25 (2021) on children's rights in the digital environment emphasises:

"States should ensure that children are not subject to arbitrary or unlawful surveillance in their homes, schools or on online platforms. Data collection and monitoring should be based on respect for the child's privacy and designed to support and empower children to exercise their rights."[23]

Constant photographing, behavioural tracking, biometric data collection, and comprehensive record-keeping are not necessary for education. They're convenient for schools and profitable for EdTech companies, but not required for children to learn. Interference with privacy that isn't necessary is, by definition, arbitrary.

Even when processing has a lawful basis under GDPR, it may still violate children's fundamental right to privacy under UNCRC if it's disproportionate. Legally and legitimacy are not the same.

Article 12 of UNCRC guarantees children the right to express their views on matters affecting them.[24] Children are rarely consulted about school surveillance systems. They're not asked whether they want their photos on social media, their behaviour tracked by apps, or their biometric data collected. These decisions are made by adults - parents, teachers, policymakers - without meaningful input from children whose rights are affected.

Article 29 states that education should be directed to "the development of respect for human rights and fundamental freedoms."[25]

There's a profound contradiction in teaching children about rights and freedoms when subjecting them to comprehensive surveillance. How can children develop genuine understanding of privacy rights when they've never experienced privacy? How can they learn to value autonomy when their every action is monitored and recorded?

The UN Committee's General Comment No.25 addresses this directly[26]:

"Monitoring, tracking and profiling of children by educational settings should not become normalised, as this risks undermining children's sense of privacy, dignity and agency."[26]

Yet normalisation is exactly what's happening. Children growing up under school surveillance systems learn that monitoring is natural, expected, and benign. They're being trained for compliance, not educated for freedom.

The Ethical Failure

Beyond legal violations, there's a deeper ethical failure: the instrumentalisation of children's data for adult's purposes.

Children's images are used for school marketing. Their behavioural data feeds EdTech business models. Their biometric information proves institutional efficiency. Their personal details become research datasets. None of this serves children's interest - it serves the interests of schools, companies, and researchers.

This violates the fundamental principle that children are persons with rights, not resources to be exploited or tools for achieving adult goals.

The ethical framework that should govern children's data is simple: Dose this serve the child's best interests? Most surveillance practices fail this test. They serve institutional convenience, commercial profit, or policy goals - not the wellbeing and development of the children whose data is being collected.

Sources:

[1] GDPR Article 6(1): gdpr-info.eu/art-6-gdpr

[2] ICO guidance on lawful basis: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/legitimate-interests

[3] GDPR Article 4(11) definition of consent: gdpr-info.eu/art-4-gdpr

[4] GDPR Recital 43: gdpr-info.eu/recitals/no-43

[5] GDPR Recital 32: gdpr-info.eu/recitals/no-32

[6] GDPR Article 7(3): gdpr-info.eu/art-7-gdpr

[7] GDPR Article 5(1)(c): gdpr-info.eu/art-5-gdpr

[8] Digital Freedom Fund, "Challenging Misuse of Children's Data in the UK," digitalfreedomfund.org/challenging-misuse-of-childrens-data-the-uks-national-pupil-database

[9] GDPR Article 5(1)(e): gdpr-info.eu/art-5-gdpr

[10] Defend Digital Me, "An update on National Pupil Data," July 1, 2021, defenddigitalme.org/2021/07/01/an-update-on-national-pupil-data

[11] GDPR Articles 13 and 14: gdpr-info.eu/art-13-gdpr and gdpr-info.eu/art-14-gdpr

[12] GDPR Article 12(1): gdpr-info.eu/art-12-gdpr

[13] Schools Week, "DfE facing action over 'serious' data protection breaches," September 23, 2022, schoolsweek.co.uk/dfe-facing-action-over-wide-ranging-and-serious-data-protection-breaches

[14] GDPR Article 12(3): gdpr-info.eu/art-12-gdpr

[15] Digital Freedom Fund, "Challenging Misuse of Children's Data in the UK," digitalfreedomfund.org/challenging-misuse-of-childrens-data-the-uks-national-pupil-database

[16] Digital Freedom Fund, "Challenging Misuse of Children's Data in the UK," digitalfreedomfund.org/challenging-misuse-of-childrens-data-the-uks-national-pupil-database

[17] GDPR Article 37: gdpr-info.eu/art-37-gdpr

[18] ICO, "Data protection officers," ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers

[19] ICO, "Education" guidance hub: ico.org.uk/for-organisations/education

[20] Defend Digital Me, "Ten-years after National Pupil Database commercialisation: ICO reprimands the Department for Education over 'woeful' misuse," November 6, 2022, defenddigitalme.org/2022/11/06/ten-years-after-national-pupil-database-commercialisation-ico-reprimands-the-department-for-education-over-woeful-misuse

[21] Infosecurity Magazine, "ICO Warns of Student-Led Data Breaches in UK Schools," October 6, 2024, www.infosecurity-magazine.com/news/ico-student-data-breaches-uk

[22] UN Convention on the Rights of the Child, Article 16: www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child

[23] UN Committee on the Rights of the Child, General Comment No. 25 (2021): www.ohchr.org/en/documents/general-comments-and-recommendations/general-comment-no-25-2021-childrens-rights-relation

[24] UN Convention on the Rights of the Child, Article 12: www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child

[25] UN Convention on the Rights of the Child, Article 29: www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child

[26] UN Committee on the Rights of the Child, General Comment No. 25 (2021), paragraph 71: www.ohchr.org/en/documents/general-comments-and-recommendations/general-comment-no-25-2021-childrens-rights-relation