Data Protection Compliance Audits in Schools and Multi-Academy Trusts

What is a data protection audit? 

A data protection audit helps to assess whether your school or Trust is complying with its data protection obligations.

Why is an audit required? 

The audit will review your current policies, processes and procedures to highlight any gaps in compliance and, in turn, identify the risk areas for your school/Trust. 

Once those risks have been identified, the audit will enable you to implement the measures to address those risks.  

What should the audit cover? 

The Information Commissioner's Office (ICO) conducts audits in different organisations to monitor compliance. We would advise that your audit mirrors the questions covered by the ICO, tailored to reflect how schools/Trusts control and process personal data.

The main areas covered in the ICO audit are: 

  • data protection governance, and the structures, policies and procedures to ensure compliance with data protection legislation; 
  • the processes for managing both electronic and manual records containing personal data; 
  • the processes for responding to any request for personal data, including requests by individuals for copies of their data as well as those made by third parties, and sharing agreements; 
  • the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form; 
  • the provision and monitoring of staff data protection training and the awareness of data protection requirements. 

The audit should assess overall compliance with data protection legislation, including the practices, policies and staff awareness.  

You should use your audit to create an action plan for the year ahead.  

How frequently should you be audited? 

It is recommended that the audit should be reviewed on an annual basis. You may not need to carry out a full audit every year but should constantly monitor your compliance and update your practices as necessary.   

You must ensure that you follow up on any points in your action plan.  

Your audit and action plan are likely to be evolving working documents; changes and updates to them will reflect your current data protection compliance status.

Who should carry out your audit? 

Your Data Protection Officer should carry out the audit but will need to liaise with your SLT, records management officer and other staff in order to complete it and ensure that everyone within your organisation understands their obligations when it comes to data protection.  

An update should be provided to your governing body or Trustees whenever an audit and action plan has been carried out. It is also good practice to include a data protection update as a regular agenda item.  

Register for DPOCOMS++ or DPOCOMS+, which include a self-audit tool that you can complete to help generate your action plan.

Alternatively, if you have any questions about the audit process or would like to book a compliance audit for your school or Trust, please contact