Academies Briefing Autumn 2018

31-08-2018

In this issue:

The impact of GDPR on requests for pupil data, past and present

Academy mergers - risks and opportunities from an IT perspective

A guide to apprenticeships for the school workforce

Stress management – a new focus

The impact of GDPR on requests for pupil data, past and present

The day to day management of school life relies upon the school or academy, as a controller (being the entity that makes decisions about what personal data is collected and how and for what purpose(s) it may be used), processing its pupils’ and former pupils’ personal data, including disclosure of data to third parties. The General Data Protection Regulation 2016/670 (GDPR) and Data Protection Act 2018 (DPA) have introduced new requirements for processing personal data which schools and academies must consider carefully to ensure their processing activities are carried out lawfully, especially considering the potential fines of up to £17 million for non-compliance.

Third parties’ requests for personal data

Personal data may only be processed if there is a lawful basis for doing so. Accordingly, prior to agreeing to third parties’ requests for access to pupils’ personal data, schools and academies must consider if one of the lawful bases listed below can be relied upon. If the third party requests sensitive personal data, such as information on a child’s health, ethnic origin or religion, the applicable lawful bases are much stricter, and disclosure is likely to require a legal requirement or explicit consent.

Third parties may legitimately request personal data of pupils and former pupils from schools: for instance, the police or social services may request records when conducting investigations relating to pupils or former pupils. Prior to such disclosure, schools should consider whether there is a lawful basis for doing so. That said, providing third parties such as social services and the police with information about a pupil or former pupil can be crucial in safeguarding the child in question. Indeed, when sharing a pupil or former pupil’s sensitive personal data in such circumstances, schools and academies can rely upon “safeguarding of children and individuals at risk” as a processing condition under the DPA.

Sharing Information

Government guidance stresses that information should be shared proactively with appropriate parties as early as possible. If a school or academy is concerned about a child’s welfare or risks of harm to a child, it should share that information with social services and/or the police, albeit in circumstances and in a manner which meets the requirements of data protection laws. Despite the onerous obligations imposed by data protection legislation, the guidance makes it clear that “fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, of children” (Working Together to Safeguard Children, HM Government 2018).

Schools and academies should aim to obtain the consent of the pupil (or their parent or guardian if under 13 years old) before sharing any information. However, sharing may take place without consent if the institution feels obtaining consent is not possible or would place the child at risk and another lawful basis can be relied upon. The consent must comply with the GDPR, as is discussed in further detail below.

Lawful bases for processing

The lawful bases for processing are set out in Article 6 of the GDPR:

Personal Data:

• Consent: the individual (or their parent or guardian if under 13 years old) has agreed that the school or academy may process their personal data for a specific purpose.

• Contract: the processing is necessary to perform or enter into a contract with the data subject.

• Legal obligation: the processing is necessary for the school or academy to comply with the law or a binding request, such as a court order.

• Vital interests: the processing is necessary to protect the data subject (or someone else) from death or serious harm.

• Public task: the processing is necessary for the school or academy to perform a task in the public interest or for the school or academy’s official functions which are provided for by statute or common law.

• Legitimate interests: on balance and being fair to the data subject, the data controller has a good and lawful business reason for processing. Public authorities, such as schools and academies, are more limited in their ability to rely upon legitimate interests, as they may only do so for processing which is not part of the performance of their tasks as a public authority (such as alumni fundraising or commercial activities). For processing which is necessary for tasks in the public interest, schools and academies should consider relying upon the “public task” basis instead.

Sensitive / Special Categories of Personal Data:

• Explicit consent: the individual (or their parent or guardian if under 13 years old) has consented to the particular processing in question for the given purpose.

• Preventative medicine: the processing is necessary for medical diagnosis or preventative health reasons.

• Employment or social protection legal obligation: the processing is necessary for the school or academy to comply with an obligation or to enable the school/academy or a data subject to exercise its rights in the field of employment and social protection law.

• Vital interests: the processing is necessary to protect the data subject (or someone else) from death or serious harm and the data subject is not capable of giving their consent.

• Legal claims: the data controller needs to use a data subject’s personal information to investigate, take advice on, bring or defend legal claims.

• Substantial public interest: the processing is necessary for reasons of substantial public interest or the greater public good. The processing must be proportionate to the aim pursued, taking account of the rights and interests of the data subjects and must be carried out in a way which ensures that their personal data is protected.

GDPR compliant consent

The GDPR has introduced more stringent requirements for consent to be “freely given”, “specific”, “informed” and “unambiguous”. If schools and academies want to rely on consent as a lawful ground for processing, the consent must:

• include a positive opt-in which involves an affirmative action, such as signing a consent form or ticking a box. If asking for consent for processing sensitive personal data, the consent must be explicit, meaning it is confirmed in words, rather than by another positive action;

• specifically identify the processing which is to take place;

• be granular in that it identifies and asks for consent for each of the different types of processing;

• be clear, easy to understand, prominent and unbundled from other terms and conditions; and

• be properly documented and easily withdrawn.

If the consent obtained does not meet these requirements, a different legal basis must be relied upon. Further, consent can be withdrawn by the data subject at any stage. If another legal basis cannot be identified, the school or academy cannot lawfully continue processing the data in that way.

It is recommended that schools and academies rely upon other lawful bases, in addition to consent.

Conclusion

Schools and academies can continue to process their pupils’ and former pupils’ data, including sharing it with third parties, but they must ensure that they respect the pupils’ rights, and meet the obligations under the GDPR and DPA, in doing so. Schools and academies should not allow the fear of data protection law to stop them fulfilling their key duties, but should ensure they are guided by their obligations in that regard.

A key factor in a school or academy’s decision-making would be to ascertain whether a pupil’s or former pupil’s safety and welfare would be at risk if the information requested was either shared or withheld from the third party that has requested it. It may be lawful to refuse the request if it would not promote the welfare of the relevant child or young person concerned.

For more information, please contact

Dave Hughes, Principal Associate
davidlhughes@eversheds-sutherland.com
01223 44 3642

Academy mergers - risks and opportunities from an IT perspective

With academy trust mergers on the increase as part of wider consolidation in the sector, the role of IT should be front of mind: plainly from an operational point of view, but just as importantly because of the risks and opportunities that can arise from a legal perspective. We set out some of the current issues below.

In this article we use the term “merger” to mean a situation where a single academy trust joins an existing multi-academy trust (MAT) or where a number of single academy trusts form a new MAT.

Software licensing disputes

Software is increasingly critical and all-pervasive within most organisations. Software licensors are keen to protect their intellectual property, and customers are inadvertently getting into positions of potential non-compliance in many different ways. The claims advanced by licensors, where they consider a breach of licence terms to have occurred, can be in the order of millions of pounds.

Claims of non-compliance typically arise when there is a change to IT provision, such as the adoption of novel technologies, systems or applications, a move to the cloud, or improved access including by third parties. An absence of regular internal software audits means that claims tend to come when a licensor conducts its own audit, which can be many years after the relevant change occurred, leading to an unexpected and significant claim and leaving the trust on the back foot. The trust’s ability to respond can be impaired because relevant people may have moved on, contemporaneous documents are difficult to find and systems have since changed.

A further key event that can trigger claims for non-compliance can be organisational change, through acquisition, merger or disposal. Depending on the change and how it is structured, issues can arise through unauthorised use of the software by entities not covered by the scope of the licence, unauthorised sub-licensing, or breaching particular change of control or acquisition-type restrictions. Conversely, a merged trust could find itself over-licensed, thereby paying for redundant licences.

Due diligence is clearly important. Taking a merger of academy trusts as an example, a part of the process should include a review of rights and obligations under existing software licences (including all variations) and any prior audits. In addition, due diligence should be undertaken in respect of the licensing and audit position of all the trusts which are participating in the merger, to ascertain whether there are any pending legal claims or liabilities, for which the MAT could become liable, post-merger.

In order to avoid disputes or under-licensing following a merger, trusts should consider the following:

• Whether there are any prohibitions on sub-licensing or assignment in the licences held by any of the parties to the merger

• The scope of the ‘enterprise’ or ‘group’ use provisions

• Whether the consent of the licensor is required, if licences need sub-licensing or assigning

• The scope of the licences held, in terms of the nature and extent of the licences, and the rights and obligations - this can include notification to the licensor in certain circumstances

In respect of the last bullet point, older licences were commonly not drafted with newer technological advances in mind and so may be vague in respect of definitions and the position with regard to indirect access or virtualisation. In such a scenario, advice should be sought early to avoid getting into a dispute.

Conversely, if the trusts are able to identify any excess licences, the initial reaction may be to surrender those licences as part of any renewal with the licensor. However, if the licences bought were perpetual, they hold value and therefore the opportunity to re-sell any such licences (or obtain proper value for them on any surrender) should not be overlooked.

In order to combat the risk of under-licensing following a merger or otherwise, our practical tips for future compliance are as follows:

• Create a central record of all licences, variations and addendums so that the MAT knows what its rights and obligations are in respect of its licensing;

• Record all external advice and recommendations, and retain all prior external audits undertaken;

• Prepare a schematic diagram of the MAT’s IT system which maps all use cases;

• Be clear about the role of resellers or outsource providers in relation to responsibilities for licence compliance;

• Conduct regular internal audits, particularly if any new technology has been implemented, to ensure continuous compliance. If an internal audit has not been done recently, then do one now. Such an audit needs to combine a technical, factual and legal assessment. Such reviews should be led and co-ordinated by external legal support so that legal professional privilege can be sought.

IT systems and managed services provision

With any merger, trusts will also need to consider how to integrate and manage their existing IT systems with those of the proposed merger partner(s). Again, this is often seen as a purely operational process, but does have important legal risks and opportunities.

A duplication of systems and services opens the opportunity for savings, but the terms of exit (whether full or partial), charges and transition need to be carefully considered against existing contractual arrangements. Wrongful termination or breach of particular terms could lead to a claim for damages. Careful planning and assessment, whether pre- and/or post-merger, is vitally important.

For more information, please contact

James Hyde, Partner, Head of TMT disputes
jameshyde@eversheds-sutherland.com
0113 200 4066

Gen Bell, Associate
genevievebell@eversheds-sutherland.com
0113 200 4320

A guide to apprenticeships for the school workforce

In April 2017 the Government changed the way it funds apprenticeships in England with the introduction of the apprenticeship levy, charged at a rate of 0.5% of an employer’s annual pay bill. Whilst the levy applies to all employers, there is an annual levy allowance of £15,000 which employers can offset against their levy liability, meaning that only employers with an annual pay bill of over £3 million pay the levy. Eligible employers report and pay the levy to HMRC through the PAYE process.

In addition, as a result of the Public Sector Apprenticeship Targets Regulations 2017, public sector bodies in England (which includes academies) with 250 or more staff must have regard to a target to employ an average of at least 2.3% of their headcount as new apprentices by March 2021.

On 29 June 2018, the Government published “A guide to apprenticeships for the school workforce” providing information specific to schools and academies on what apprenticeships are, how the school/academy can use them to benefit its workforce, and how the apprenticeship levy and public sector target apply to schools and academies.

The guide states that apprenticeships are a great way for schools and academies to improve the skills base of their employees as “they are a tried and tested way to recruit new staff, and to retrain or upskill existing staff of all ages and levels of experience, in a wide variety of roles”.

It goes on to say that, having read the guide, there are a number of key steps for academies to take, as follows:

• Consider how the academy can use apprenticeships – pointing out that whether the academy pays the levy or not, it can access co-investment to purchase apprenticeship training from an approved provider

• Check whether the academy is paying the levy

• Check whether the academy is in scope of the public sector target

• If the academy is part of a larger employer group (for example, if a multi-academy trust is the employer), get in contact to agree how to access available funds to spend on apprenticeships

The guide

The guide has sections on an introduction to apprenticeships; what the apprenticeship levy means for schools and academies; registering to use apprenticeship funding; apprenticeship options for schools and academies; the public sector target and how it applies to schools and academies; and apprenticeship training providers. There are also annexes on apprenticeships relevant to schools/academies; a list of frequently asked questions; and four case studies (including one of an 11-16 academy and another involving a multi-academy trust).

Whilst there is nothing new in the guidance, there are a number of key points which are worth noting:

• For academies, including free schools and academies in multi-academy trusts, the MAT is generally the employer of all the academies’ staff and therefore if the MAT’s pay bill is more than £3 million then it will need to pay the levy. In such circumstances academies within the MAT will need to agree with the MAT on how to access levy funds available to spend on apprenticeships.

• If the academy does not pay the levy, either on its own or as part of a MAT, it can still take on apprentices and access co-investment to purchase apprenticeship training from an approved provider. In this instance, the Government will pay 90% of the cost of training and assessment, and the academy will be responsible for paying 10% of the costs up to the maximum funding band set for each individual apprenticeship.

• From April 2018, employers who pay the apprenticeship levy are able to transfer a maximum of 10% of annual funds to other employers on the apprenticeship service. Therefore academies may want to consider whether they want to transfer, or receive transferred, funds – this can support new or additional apprenticeships within academies if they are receiving funds, or support employers in the supply chain or locality if they are transferring funds.

• In relation to the public sector apprenticeship target, academy trusts came in scope in April 2018, and are therefore (unlike maintained schools) not required to publish and report on their progress towards the target for starts between April 2017 and March 2018. They will, however, need to do so for the first time from April 2019 (for starts between April 2018 and March 2019). The first returns are due by 30 September 2019. The target is for new apprenticeship starts, which includes both existing staff that start an apprenticeship and new recruits. For academies, the target will be assessed as an average over three years to give flexibility and to take into account peaks and troughs in recruitment.

• Once the academy has decided which apprenticeship it wants to recruit for it will need to select an appropriate training provider from the Register of Apprenticeship Training Providers. There is an online tool that can be used to search for apprenticeship training by job role or keyword; find training providers who offer the apprenticeship training required; or find a named training provider the academy wishes to use.

For more information please contact:

Ben Wood, Partner
benwood@eversheds-sutherland.com
0113 200 4273

Stress management – a new focus

The HSE’s most recent stated sector plan for public services (which includes the provision of education services as well as health and social care, and local and central government) identifies that around 400,000 people in the sector each year suffer from an illness they believe to be work-related. A significant proportion of these illnesses relate to workplace stress and the focus is now firmly on employers to ensure they have suitable provision in place to manage this risk.

According to the report from the HSE “Work-related Stress, Depression or Anxiety Statistics in Great Britain 2017”, the average prevalence rate for work-related stress, depression or anxiety across all industries was 1,230 cases per 100,000 workers over the three-year period 2014/15-2016/17. The average rate in the education sector was, however, 1,860 cases per 100,000 workers, with education being one of three industry sectors with a statistically significantly higher rate than the average for all industries.

Research carried out by the Liberal Democrats published at the start of this year suggested that 3,750 teachers were signed off on long term sick leave in 2016-17 (a 5% rise on the year before) and that 1.3 million days were lost in the four year period 2013-14 to 2016-17 due to teacher absence for stress and mental health reasons.

What does the law say you have to do?

As well as the moral considerations to get this right, academies should be aware of their underlying legal duties in this area.

There is no single health and safety law which deals with employers’ responsibilities towards managing workplace stress. Instead, academies must think about their wider health and safety obligations and consider how they apply to stress.

Section 2 of the Health and Safety at Work etc. Act 1974 sets out employers’ duties to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees. Managing work-related stress falls squarely within this duty. Employers also have a duty to carry out a risk assessment for stress and act upon its findings, as set out within the Management of Health and Safety at Work Regulations 1999.

Whilst the HSE’s focus is currently on educating employers if failures are identified, historically, organisations have been subject to improvement notices for failing to manage work-related stress effectively. It is possible that the HSE may return to using this enforcement tool for those organisations that do not take steps to tackle work-related stress effectively.

Academies should be aware that even if there is no criminal penalty, they may be subject to civil sanctions (for example as a result of a claim for personal injury made through the high or county court or claims through the employment tribunal – such as where an employee resigns because of a perceived failure by the academy to deal with concerns about workload). In the worst case scenario, the academy may be asked to explain its conduct before a Coroner, potentially giving rise to serious reputational harm.

How can you achieve compliance?

The HSE refreshed its guidance in this area last year in the form of the stress “Management Standards”. This approach is a five step model which asks employers to:

1. Identify the risk factors

2. Consider who can be harmed and how

3. Evaluate the risks

4. Record findings

5. Monitor and review

In particular, the Management Standards identify six key areas of work design that are associated with stress, and which can form the basis of a stress risk assessment. These are demands, control, support, relationships, role and change. All academies should consider how these risk factors are managed internally and identify whether there are any additional control measures which should be put in place, such as training for line managers on how to manage employees and joined up HR, EHS (Environmental, Health and Safety) and Occupational Health processes.

For further information please contact: 

Paul Verrico, Partner
paulverrico@eversheds-sutherland.com
0113 200 4084

Surekha Gollapudi, Senior Associate
surekhagollapudi@eversheds-sutherland.com
0113 200 4247