Data protection and multi academy trusts conversion

26 May 2022

Multi academy trusts conversion – what does the white paper mean for data protection?

Earlier this year, the government published its white paper setting out the vision for converting all maintained schools into academies and multi academy trusts.

‘Opportunity for all: Strong schools with great teachers for your child’ plans for multi academy trusts to take over the running of all schools in England.

We asked our schools DPO team what this means in terms of data protection and UK GDPR.

Target date for multi academy trust conversions

The government’s target is for all schools to be in multi academy trusts, or have ‘plans to join or form one’, by 2030.

Local authorities will be permitted to establish multi academy trusts.

The white paper sets out that councils will gain the legal power to request that schools join a trust (where appropriate).

Part of the plans also includes reviewing the ‘accountability and regulation’ of multi academy trusts.

Data protection implications with multi academy trusts

With this white paper there are some data protection and compliance implications that you should bear in mind.

Our Senior Information Governance Officer, Rosie Kelly, looks after our DPO service for schools. Here’s her guidance:

“Multi academy trusts will be responsible for compliance with data protection principles, including information security and holding records to demonstrate accountability.

This means it’s usually appropriate to have centralised documentation such as:

  • policies and privacy notices
  • logs for data subject requests
  • a trust-level Information Asset Register
  • conducting trust-level DPIAs for systems and applications used across the trust”

When a previously maintained school joins a trust, the individual school is no longer considered a data controller.

Instead, the multi academy trust is the data controller. The trust carries the overall responsibility for meeting requirements of UK GDPR.

What is a data controller?

A data controller is an organisation which processes personal data for its own purposes and makes decisions about that data.

This includes, for example, maintained schools, academies, local authorities, the NHS, etc.

This is different from a data processor, which is an organisation that processes personal data on behalf of another organisation.

Data processors only process data under the instructions of the data controller.

An example would be Microsoft Teams – they process data that the controller has given, such as names and email addresses.

The Information Commissioner’s Office says:

“Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?”

Do you need more support with compliance?

If you’re a DPO client, please get in touch with the team. Or, you can explore Veritau’s services for schools and academies.

Offsite resource

White paper on multi academy trust conversions

Read the government's paper: 'Opportunity for all: strong schools with great teachers for your child'

