Schools rely on third-party IT platforms for services like:
- MIS (Management Information Systems)
- catering
- CCTV
- parent portals
These third parties supply vital systems and often hold valuable school and personal data. Even when a supplier provides a service for the school, the school remains the “data controller”. This means the school is responsible for how that information is kept safe and shared. Because of the kind of information schools hold, much of it is highly sensitive personal data.
When schools assess suppliers, they need to make sure those suppliers can manage data and systems properly and are following best practice.
Choosing a supplier
You can use our checklist to find out more about a supplier’s cyber security understanding and provisions.
Checklist
Do you have cyber security certifications?
The most common standard expected is Cyber Essentials or Cyber Essentials Plus. Larger or highly critical suppliers may require an ISO 27001 certification.
Do you comply with the ICT standards for education settings?
They should be aware of, and comply with, all of the DfE Meeting digital and technology standards.
Are you compliant with UK GDPR?
Ask:
- how they process, store, and securely delete sensitive school data
- to see their privacy and data retention policies
Where will our data be hosted, and is it encrypted?
Confirm data is encrypted both “at rest and in transit”. This means:
- protecting sensitive information at all stages
- ensuring data is unreadable to unauthorised parties, whether it is sitting securely in storage or moving across networks
How do you control access to your systems?
Check that they enforce multi-factor authentication for all accounts, and ask how they make sure staff cannot access data they do not need. Make sure information is not, and cannot be, accessed from outside the UK.
How do you vet and train your own employees?
Ask for evidence of their staff background checks and regular cyber security awareness training.
Do you have disaster recovery and business continuity plans that have been tested?
Ask what happens if they suffer a ransomware attack or outage, and how quickly they can restore your services. Make sure they provide secure, accessible, and frequently tested data backups. Ask to see their incident response plans and check who is accountable for data recovery if there is a breach.
How and when will you notify us of a data breach?
The contract should have clear requirements for managing and reporting incidents, and timescales for alerting the school.
What is your process for a cyber breach involving our data?
Make sure there are clear instructions on roles and responsibilities.
Do you outsource any part of this service to third parties or cloud service providers?
If they use subcontractors, check whether those subcontractors have access to your data. Check that the supplier has background checks in place for its own employees and for its vendors.
What happens to our data if you go out of business?
Make sure there is a clear plan to securely get your data back.
School responsibilities
Even when another supplier provides a service, the school is still the data controller. They are legally responsible for:
- data privacy - making sure suppliers handling sensitive data meet GDPR regulations
- safeguarding - ensuring that all external contractors and their staff have passed the necessary background checks before working on-site, or remotely if they are working with personal or sensitive data
- health and safety - the school (or governing body) is accountable for the health and safety of pupils and staff, even when services are outsourced
- proper expenditure of public funds
- managing contracts - schools must actively monitor supplier performance, track agreed deliverables, document any issues, and ensure compliance with public procurement rules
- due diligence - trustees and school leaders are expected to carry out proper due diligence and follow the Procurement Act 2023 and the NGA Procurement Guide when choosing suppliers
Supplier responsibilities
Suppliers are responsible for:
- providing the goods, services, or maintenance specified in the contract
- compliance and safety - making sure their equipment is safe, legally compliant, and that their staff follow all school and health and safety regulations
- data protection - suppliers acting as data processors must comply with UK GDPR, use appropriate security measures and notify the school “without undue delay” if they have a data breach
Check in with suppliers
Supply chain security is an ongoing process, not a one-time check. DfE and the National Cyber Security Centre recommend reviewing supply chain cyber security at least annually, or whenever there is a significant change to the services provided. At least every 12 months, schools should review:
- supplier compliance and request proof of certifications (like Cyber Essentials)
- internal risk registers (and revisit them termly), including evaluating the risks from external IT support, cloud providers, and software vendors
When things go wrong
If you experience an issue with a supplier:
- review the contract’s dispute resolution procedure and deal with the supplier directly
- escalate to Trading Standards or use the Public Procurement Review Service for contracting issues