Over the past few months, Helen Burge’s series on Data Management has provided guidance on handling breaches and preparing for scrutiny. In this final instalment, she explores how schools and trusts can cultivate a strong data culture to ensure compliance, security and responsible data practice.

Schools are no longer passive custodians of information – they are frontline defenders of digital integrity! From the recent attacks on household names like Marks & Spencer and Co-op to the DfE’s Cyber Security Breaches Survey (revealing that over half of UK schools have faced cyber incidents), the message is clear: data protection is no longer optional, and resilience must be built from the inside out and throughout the school’s data estate.

In this concluding article, I’m bringing together three critical strands explored in previous Ed Exec features – data clean-up, internal scrutiny and breach response – and reframing them as a unified strategy for school business leaders. The goal? To move beyond compliance and towards a confident data estate, with a proactive data culture that supports governance, operations and trust.

Prevention – Taming the Data Estate

The first step in building resilience is understanding your data estate. That means identifying what data you hold, where it lives, who owns it and why it’s still there. Many schools are sitting on years of legacy data: redundant notes, outdated spreadsheets, duplicated pupil records. It serves no operational purpose but poses significant risk!

Applying the ROT test – Redundant, Outdated, Trivial

This is a powerful way to assess your data estate. Follow this up with a structured clean-up which can:

Reduce exposure to cyber threats and accidental breaches

Improve system performance and reduce storage costs

Support compliance with retention schedules and subject access requests

Cut digital clutter and carbon footprint

But clean-up isn’t just a technical exercise, it’s a cultural one. Staff need clear guidance, practical tools and a shared understanding of why data hygiene matters. Appointing data champions, celebrating progress, and embedding clean-up into annual routines can help make it “stick”. The data estate will then look and be in good order, and if your school starts using AI on its data, you can be confident that the data it draws on is current and correct.
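As an added illustration (not part of the article, and not a tool the author describes), the following Python script applies the ROT test to a file tree: it flags duplicated content as redundant, files untouched beyond a retention threshold as outdated, and near-empty or scratch files as trivial, then summarises the findings. The thresholds, the folder and file names, and the sample files it builds are constructed assumptions; a real run would take its retention periods from the school’s own retention schedule.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# Assumed thresholds for illustration only; a real run would take these
# from the school's retention schedule rather than hard-coding them.
OUTDATED_AFTER_DAYS = 7 * 365          # untouched for longer than this -> "outdated"
TRIVIAL_MAX_BYTES = 64                 # near-empty files -> "trivial"
TRIVIAL_SUFFIXES = {".tmp", ".bak"}    # scratch/backup leftovers -> "trivial"


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rot_inventory(root, now=None):
    """Walk `root` and return {relative_path: set of ROT flags}.

    redundant: identical content exists elsewhere (the most recently
               modified copy stays unflagged, older copies are flagged)
    outdated:  not modified within OUTDATED_AFTER_DAYS
    trivial:   tiny or scratch file with no operational value
    """
    root = Path(root)
    now = time.time() if now is None else now
    findings = {}
    by_digest = defaultdict(list)   # digest -> [(mtime, rel_path), ...]

    for path in sorted(root.rglob("*"), key=str):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        flags = set()
        if (now - st.st_mtime) / 86400 > OUTDATED_AFTER_DAYS:
            flags.add("outdated")
        if st.st_size <= TRIVIAL_MAX_BYTES or path.suffix.lower() in TRIVIAL_SUFFIXES:
            flags.add("trivial")
        findings[rel] = flags
        by_digest[file_digest(path)].append((st.st_mtime, rel))

    for copies in by_digest.values():
        if len(copies) > 1:
            copies.sort(reverse=True)          # newest copy first
            for _, rel in copies[1:]:
                findings[rel].add("redundant")
    return findings


def summarise(findings):
    """Count how many files carry each flag and how many are clean."""
    counts = {"redundant": 0, "outdated": 0, "trivial": 0, "clean": 0}
    for flags in findings.values():
        if not flags:
            counts["clean"] += 1
        for flag in flags:
            counts[flag] += 1
    return counts


def build_sample_estate(root, now=None):
    """Create a small constructed file tree (not real school data) for a demo run."""
    root = Path(root)
    now = time.time() if now is None else now
    register = (b"pupil_ref,year_group\nP001,7\nP002,8\nP003,9\nP004,10\nP005,11\n"
                + b"P006,7\n" * 4)
    files = {
        "pupils/register_2024.csv": (register, now),                       # current copy
        "archive/register_2016_copy.csv": (register, now - 8 * 365 * 86400),  # old duplicate
        "staff/scratch.tmp": (b"todo", now),                               # scratch file
        "finance/budget_2025.csv": (b"line,amount\n" + b"heating,1200.00\n" * 6, now),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))   # backdate the archive copy so it reads as outdated
    return root


def demo():
    """Run the inventory over the constructed estate and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_estate(tmp)
        return rot_inventory(tmp)


if __name__ == "__main__":
    result = demo()
    for rel, flags in sorted(result.items()):
        print(f"{rel:35} {', '.join(sorted(flags)) or 'keep'}")
    print(summarise(result))
```

The duplicate rule keeps the most recently modified copy rather than the first one found, so a clean-up driven by this report removes the stale archive copy and leaves the live register untouched; the report is a starting point for the structured clean-up, not a deletion script, so a person still decides what goes.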

Preparedness – Internal Scrutiny as a Strategic Lever

Internal scrutiny is often misunderstood as a compliance burden, but in reality, it’s a strategic opportunity. Whether prompted by a new DPO appointment, a scheduled audit, or a governance review, scrutiny allows schools to take stock, identify gaps and drive improvement. It should be welcomed, not feared.

Key areas to review include:

Core documentation: Data Protection Policy, Privacy Notices, Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIA), breach logs, training records

Operational controls: Are staff trained and confident? Are retention schedules followed? Are third-party risks managed?

Governance structures: Is data protection on the risk register? Are trustees receiving regular updates and assurances? Is there a clear escalation route for concerns?

Even if your systems aren’t perfect, knowing where your documents are and how your processes work is half the battle. Use scrutiny findings to refine reporting, inform CPD and benchmark progress year-on-year. And don’t forget to align your internal audit cycle with your data protection priorities: perhaps your school has a new MIS, or has gone paperless. This ensures that scrutiny isn’t siloed but integrated into broader governance.

Response – Acting Fast

Despite best efforts, breaches can – and do – happen. Whether it’s a misdirected email, a stolen device or a ransomware attack, the first 48 hours are critical. A well-handled breach can mitigate harm, preserve trust and demonstrate accountability.

Your response plan should include:

Containment – Isolate systems, revoke access, secure devices

Assessment – What data was involved? How many individuals? Is the breach ongoing?

Notification – Inform your DPO, consider ICO reporting and communicate with affected individuals if necessary

Remediation – Engage IT support, update governors, begin root cause analysis

Learning – Review policies, deliver refresher training, log the incident and monitor for patterns

Schools should rehearse breach scenarios just as they would fire drills (although maybe not so frequently!) – ensuring that staff know who to contact, what to document and how to escalate. Templates for incident logging, communication and ICO reporting can save precious time and reduce stress. A well-handled breach can actually strengthen trust, showing that your school takes accountability seriously and learns from mistakes.

Bringing it all Together

Data protection isn’t just about avoiding fines or ticking off statutory duties. It’s about building a school culture where data is respected, understood and used wisely. That means treating data as a strategic asset, not a burden; embedding data hygiene into policy reviews, staff training and governance reporting; and using scrutiny and breach responses as tools for continuous improvement. Data protection then becomes resilient and consistent throughout the data estate. This integrated approach creates a cycle your data estate will be grateful for!