How Schools and Trusts Must Align Filtering and Monitoring with Data Protection
The Department for Education (DfE) has recently updated its Data Protection in Schools guidance, explicitly bringing filtering and monitoring within its data protection expectations.
Filtering and monitoring have become increasingly important, both as an extension of safeguarding and as a means of managing data security and keeping children safe. Filtering helps block harmful or inappropriate content, while monitoring enables identification of concerning activity and potential risks.
This direction of travel is consistent with the DfE’s introduction of six core standards for schools, which include filtering and monitoring. However, these systems should be applied carefully, as their use typically involves processing significant amounts of personal data such as browsing activity, search terms, user identifiers and behavioural patterns. Systems will typically link activity to individual users so that concerns can be properly investigated and acted upon.
The updated guidance from the DfE reinforces the expectation that schools can clearly demonstrate that:
- They have appropriate processes in place to manage safety;
- Processes are actively monitored and reviewed in practice; and
- Decision-making is documented and can be evidenced where issues arise.
Alongside this sits the requirement to apply core data protection principles, ensuring that filtering and monitoring remain fair and proportionate. Key considerations include:
- Limiting access to filtering and monitoring data to a small number of authorised staff;
- Ensuring system use is transparent and understood by users, including where AI is used for analysis or alerts; and
- Setting retention periods that are proportionate to the purpose, recognising that monitoring is intrusive and so data should not be retained longer than necessary.
In practical terms, conducting a Data Protection Impact Assessment (DPIA) is essential. A DPIA should be completed where new systems are introduced or there is a significant change in processing activity. The DfE guidance is clear that implementing a new third-party filtering and monitoring solution will generally require a DPIA, highlighting the need for documented decision-making.
The guidance also places emphasis on collaboration. Effective filtering and monitoring require a cross-functional approach, with inputs from safeguarding, data protection and IT teams, alongside senior leadership and those responsible for governance and oversight.
Central to the guidance is the need to strike the right balance. Over-monitoring can infringe on privacy expectations, while under-monitoring can expose safeguarding risks. The expectation is not to prioritise one over the other but to maintain continuous risk-based decision-making.
It is also important to recognise that filtering and monitoring standards will continue to evolve, particularly in response to emerging risks, such as generative AI. As a result, the focus has shifted from simply having controls in place for filtering and monitoring to embedding them effectively within organisational frameworks.
Overall, this reflects continued progress and reinforces the importance of addressing safeguarding, data protection and governance as a connected set of responsibilities, with AI, cyber security and complaint handling emerging as key areas for a joined-up approach. At its core, this brings together all three disciplines:
- Safeguarding: a statutory duty to protect children from harm, including mitigating online risks and preventing access to harmful content.
- Data Protection: ensuring personal data is processed lawfully, fairly and transparently, with appropriate safeguards in place, including proportional data use, secure handling and limited access.
- Governance: ensuring clear accountability, oversight and assurance across filtering and monitoring. This includes defined roles and responsibilities, documented policies and procedures, DPIAs, effective risk management and regular reviews of system effectiveness.