The Becta website will be closing on 31 January 2011.

Most of our online resources are now available under the Open Government Licence for anyone to re-use. Find out more.

Access menu:
Skip to content, access key c
Local navigation, access key l
Schools menu, access key s
Becta menu, access key b

Data handling security guidance for schools

We have published a series of good practice guides to help your school to secure sensitive and personal data that you hold on learners, staff and other individuals.

The Data Protection Act 1998 requires all organisations to secure any personal data they hold. This covers data held both electronically and on paper.

Personal data is any combination of data items that identifies an individual and gives specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth, behaviour and assessment records. The Data Protection Act 1998 specifies additional data items as ‘sensitive personal data’, this includes medical records, criminal convictions and ethnic origin.

Revised good practice guides

Produced by Becta on behalf of the Department for Children, Schools and Families, these revised good practice guides have been reviewed and updated with feedback from a number of cross-sector organisations including the Department for Children, Schools and families (DCSF), Department for Business, Innovation and Skills (BIS), Joint Information Systems Committee (JISC) Legal, The Information Authority and JANET (UK), as well as from schools, local authorities, regional broadband consortia and suppliers.

We have based our guides on the measures contained in the following Cabinet Office documents:

Data Handling Procedures in Government: Final report
HMG Security Policy Framework

These set out the measures central government departments and their agencies must adopt to protect sensitive and personal data. Becta’s guides are a practical interpretation of these measures that should be considered by schools, colleges and universities to help minimise the risk of data being lost or corrupted and any subsequent adverse consequences such as identity theft, news headlines or breaches of statutory/legal obligations.

Information Security is everyone's responsibility and needs to be embedded into culture and ways of working, therefore, we encourage you to contribute to discuss data handling and information security and to feedback on these guides by joining our online community.

Keeping data secure, safe and legal

This is a summary document for network managers, senior leaders or staff with a responsibility for securing data. It outlines the key measures organisations should adopt.

Keeping data secure, safe and legal (Word 159KB)
Keeping data secure, safe and legal (PDF 304KB)
Keeping data secure, safe and legal (OpenDocument text format 83KB)

Dos and Don’ts

This is a common sense guide that senior leaders can make available to staff to ensure everyone within an organisation knows how they should be helping keep data secure.

Dos and Don'ts (Word 102KB)
Dos and Don'ts (PDF 194KB)
Dos and Don'ts (OpenDocument text format 76KB)

The following documents are more technical good practice guides for network managers and those responsible for implementing technical solutions. Each guide gives details of the measures organisations should adopt together with starting points for putting the measure in place.

Information risk management and protective markings

Information risk management and protective markings (Word 224KB)
Information risk management and protective markings (PDF 134KB)
Information risk management and protective markings (OpenDocument text format 81KB)

Data encryption

Data encryption (Word 194KB)
Data encryption (PDF 355KB)
Data encryption (OpenDocument text format 78KB)

Audit logging and incident handling

Audit logging and incident handling (Word 645KB)
Audit logging and incident handling (PDF 844KB)
Audit logging and incident handling (OpenDocument text format 540KB)

Secure remote access

Secure remote access (Word 205KB)
Secure remote access (PDF 527KB)
Secure remote access (OpenDocument text format 120KB)

These guides describe procedures and possible technical and operational solutions that can help organisations reduce the risks of data security incidents and comply with current legislation. They are not definitive and may not cover the full range of technologies, products and procedures organisations can use to secure data, but are indicative of the types of solutions that should be put in place. Becta will update these guides to reflect new developments when needed.


Join our online community to discuss information handling and the good practice guides.

Further information

The Information Commissioner’s Office has more advice on the Data Protection Act.

Advice on data processing and sharing from the DCSF, including guidance on the privacy notice that schools are required to issue to parents and children is available from Teachernet.

Printer friendly printer friendly version of this page Published: 06 February 2008
Last modified: 07 September 2009