Artificial Intelligence (AI) in schools: guidelines and guardrails
Guidance and exemplification for schools and other education settings on the safe and ethical use of AI in education.
Section 4 - Data Protection and AI in Schools
Local Authorities are data controllers when they use AI tools in education. This means Local Authorities are legally responsible for how personal data is collected, used, and shared. This section explains what you need to do to comply with UK GDPR and the Data Protection Act 2018.
Data protection principles
When using AI, you must follow the core data protection principles:
- Identify the correct lawful basis for processing (e.g., public task). Consent is rarely appropriate for public authorities.
- Provide clear privacy notices explaining what data is collected, why, and how it is used.
- Collect only what you need (data minimisation).
- Keep data accurate and up to date (accuracy).
- Store data securely and delete it when no longer needed (storage limitation and security).
Data Protection Impact Assessment (DPIA)
Before introducing any AI tool that processes personal data:
- Complete a DPIA – this is mandatory where there is a high risk to individuals’ rights and freedoms.
- Consult your Data Protection Officer (DPO) for advice.
- Your DPIA should cover:
  - what personal data the AI tool will process
  - risks of bias, profiling, or automated decisions
  - international transfers and safeguards
  - vendor compliance checks
Automated decision-making & children’s data
- If AI makes decisions that significantly affect individuals (e.g., grading, progression), you must provide human oversight and explainability.
- Children’s data requires extra care under UK GDPR. Use age-appropriate privacy notices and ensure transparency.
Controller-processor relationships
If you use a third-party AI provider, you are the controller and the provider is the processor.
- Put a Data Processing Agreement (DPA) in place that states the provider acts only on your instructions and includes security requirements.
- Check if the provider stores data outside the UK and apply legal safeguards (e.g., adequacy decision or contractual clauses).
- Document these checks in your DPIA.
Data subject rights requests
You need clear processes for handling rights requests involving personal data processed by AI tools:
- Ensure you can retrieve, correct, and delete personal data from AI systems.
- Be prepared to respond to subject access requests (SARs) within statutory deadlines.
Accountability and governance
- Maintain records of processing activities involving AI.
- Ensure staff are trained on data protection risks associated with AI.
- Regularly review AI systems for compliance and effectiveness.
Compliance checklist:
- Lawful basis identified
- Privacy notice provided
- DPIA completed and DPO consulted
- SAR and breach processes in place
- Data Processing Agreement signed
- International transfers checked
- Staff trained
- Records maintained
Contact
Email: Russell.cockburn@gov.scot