rsimmonsltd@gmail.com 07704-838512
Personal, practical and affordable Data Protection support for schools and colleges
Making a Data Protection Complaint
about a school
Purpose of this document
The Data Use and Access Act 2025 came into law on 19 June 2025, providing additional clarity to the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). A requirement of the law is for schools to have an independent Data Protection Complaint Process that can be used to help resolve concerns at a school level and avoid the need to escalate the complaint to the Information Commissioner’s Office (ICO).
​
This document is designed to support the data subjects, schools and colleges who are supported by Roger Simmons Ltd, under a Data Protection Support agreement. Before considering a complaint about a school via this process, please check the school’s GDPR documentation, or the ICO Register of Fee Payers, to ensure Roger Simmons is noted as the school DPO. If in doubt, please call Roger Simmons for confirmation.
​
The document sets out the key data protection responsibilities of schools, what you can do if you have a concern about how your data has been managed, how you can make a data protection complaint to the DPO and how you can escalate the complaint to the Information Commissioner’s Office. At the end of this document, you will find a copy of the online Microsoft Form – Making a Data Protection Complaint About a School.
​
Much of the information contained in the document intentionally mirrors that provided by the ICO to ensure a fair and consistent approach is taken in assessing the concerns raised.
Data Protection in schools
Schools take the secure management of personal data very seriously. They must tell their pupils, parents, staff, volunteers and Governors what information they are processing, why they are processing it, who they may need to share the data with and the legal basis for processing their information. Schools will share this information, along with the data protection rights of individuals, in their Privacy Notices.
​
Schools must take measures to process and store information securely. This is documented in the school’s Data Protection and Information Security Policy, along with the principles of data protection the school must follow.
When a data subject makes a request regarding their data protection rights, the school must respond to the request within a month. There are some exemptions to what the school is allowed to do and the time scale for response may sometimes be extended in certain circumstances.
​
If personal data is lost, or subject to unauthorised access, the school may have had a data breach. This should be identified, manged and recorded by the school in a Breach Management Report in order to mitigate the impact on the data subject.
​
All of the above documents are available via the school website and it is important that when considering a complaint, that the compliance obligations of the school are known and understood.
If you have a data protection concern
You have the right to complain to a school if you think it has not handled your personal information responsibly and in line with their GDPR policies and procedures.
​
When can I complain to a school?
You can complain to a school about how it is handling your information if it:
-
has not properly responded to your request for your personal information;
-
is not keeping information secure;
-
holds inaccurate information about you;
-
has disclosed information about you;
-
is keeping information about you for longer than is necessary;
-
has collected information for one reason and is using it for something else; or
-
has not upheld any of your data protection rights
-
​
In the first instance, you should give the school a chance to sort things out before making a Data Protection Complaint to the DPO. Many data protection complaints can be resolved quickly and easily with the school.
Making a complaint to the school DPO
Should the school be unable to resolve your concern, you may submit a Data Protection Complaint to the school’s Data Protection Officer. The DPO is an independent data protection expert, who will assess your concerns against the school’s compliance with the GDPR.
​
A complaint can be submitted via the Microsoft Form – Making a Data Protection Complaint, or by emailing a completed Word version of the Making a Data Protection Complaint Form. Links to both documents are below.
The Data Protection Officer Details are:
Roger Simmons (DPO and GDPR Practitioner), Roger Simmons Ltd, rsimmonsltd@gmail.com
The DPO can also be contacted on 07704 – 838 512.
Making a complaint via the Microsoft Form
- Making a Data Protection Complaint
Making a complaint via a downloadable Word Document
- Making a Data Protection Complaint
Your privacy and the DPO
Roger Simmons Limited provides Data Protection Support Services to schools, colleges and Trusts throughout the UK. It is registered with the ICO (Reg number: ZA498463) and is named by many schools as their DPO on their ICO registration.
​
When you submit a Data Protection Complaint Form, you will be asked to share some basic personal information to enable your complaint to be investigated and to enable contact to be made with you. Your information will only be shared with the school and only for the task of investigating your concerns.
​
Your information will be processed under the legal basis of consent as you have agreed to share your information to enable a review of your concerns and you have a legitimate interest in receiving information about your complaint.
​
Your personal information will only be kept digitally, within the Microsoft Office system, which offers end to end encryption. The data will be retained for a period of 12 months following resolution of the complaint, or 12 months following the decision of the ICO in the case of escalation. Your data will be securely deleted when no longer required.
​
The DPO’s Privacy Notice is available on the DPO website, RSimmonsltd.com
The complaint process
The DPO needs information from you to investigate your complaint properly, so the complaint form is designed to prompt you to give the key information to help the DPO understand what’s happened. If you are acting on behalf of someone making a complaint, we’ll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.
​
When a complaint is received, the DPO will acknowledge your complaint and set up a case file. This includes your contact details and any other information you have provided about the other parties in your complaint. No third parties have access to your personal information unless the law allows them to do so. However, as you are making a complaint about a school the DPO will usually have to disclose your identity to them when advising them that a complaint has been made.
​
The DPO will review your concerns to establish if the school has not followed its policies and procedures or if it has not complied with the UK GDPR. During the review the DPO may need to contact you or the school for further clarification of the facts. This means the DPO can clearly explain to the school what you think has gone wrong. It also means we will usually receive information about you from them. If you don’t want information that identifies you to be shared with the school, the DPO will contact you to discuss the limitations of an anonymous complaint.
​
Following a review of the key information and clarification with the data subject and the school, the DPO will provide a brief summary of the complaint and the conclusion reached by the information available. The summary will be shared with the data subject and the school. The summary may contain recommendations for the school or clarifications about the law for the data subject. It may also contain a suggested solution to resolve the complaint.
​
The complaint process should be concluded within a month and not subject to any undue delay.
Taking your complaint to the ICO
In the event that your complaint to the DPO is unresolved, you retain the right to make a complaint to the Information Commissioner’s Office. The ICO is the regulatory body that will investigate and take regulatory action in line with its statutory duties.
The ICO has a complaint process on their website, which will help you raise your concerns. Before you submit a compliant to the ICO you should read the ICO guidance about “what to expect from the ICO”.
​
The ICO can be contacted via:
Website: https://ico.org.uk/
Helpline: 0303 123 1113
Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF