ChatGPT
Claude
Perplexity
Gemini
GrokWhat is a RoPA and does your school need one?
A Record of Processing Activities (RoPA) is a written register of every activity by which your school handles personal data. Under Article 30 of UK GDPR, controllers are required to maintain this register and make it available to the ICO on request.
The small-organisation exemption is narrower than most schools assume. Article 30(5) of UK GDPR states that the obligation does not apply to organisations with fewer than 250 employees — but that exemption disappears entirely if any of the following apply:
- The processing is not occasional
- The processing involves special category data or data relating to criminal convictions
- The processing is likely to result in a risk to the rights and freedoms of individuals
Every UK private school or independent college processes health and disability data (special category), processes student data on a regular rather than occasional basis, and handles admissions records that carry genuine risks to individuals. In practice, the 250-employee exemption is irrelevant for schools. You need a RoPA.
The ICO's own documentation guidance is unambiguous: "Most organisations will need to maintain records." For a private school, the question is not whether to maintain a RoPA — it is whether your existing one is complete and audit-ready.
For the full governance context, see our complete UK GDPR guide for student data.
What Article 30 requires you to document
The ICO's Article 30 guidance sets out the minimum content for a controller's RoPA. For each processing activity, you must record:
- Name and contact details of the controller (and DPO, if appointed)
- Purposes of processing — why you are processing this data
- Description of data subject categories — who the data relates to
- Description of personal data categories — what data you hold
- Categories of recipients — who you share data with
- Transfers to third countries or international organisations — including the safeguards in place
- Envisaged time limits for erasure — your retention periods
- General description of technical and organisational security measures
The ICO does not prescribe a mandatory format. A spreadsheet, a database, or a dedicated GDPR software tool all satisfy the requirement provided all eight elements above are present for each processing activity. What the ICO does scrutinise during audits is completeness: are all material processing activities documented, or have significant activities — marketing, AI tools, third-party data processors — been omitted?
The three processing categories every UK private school must document
1. Admissions (direct applications and UCAS)
Admissions is the most data-intensive process in any independent school or college. Two channels generate distinct processing activities that must be separately documented.
Direct applications — processed by your admissions team without a third-party intermediary. Personal data collected typically includes: full name, date of birth, contact details, academic history, personal statement, references, and, for boarding schools, medical and dietary information (special category). The lawful basis is usually contract (performing the admissions process at the applicant's request) or, for special category data, explicit consent or substantial public interest under Schedule 1 of the Data Protection Act 2018.
UCAS applications — where UCAS acts as a data controller in its own right and shares applicant data with institutions. Your school is a joint or separate controller for the data once received. UCAS's own privacy notice governs the initial collection; your notice and RoPA govern what you do with the data once it arrives. Clearing and Adjustment generate additional processing activities with very short decision windows and high data volumes — these must appear in your RoPA as a distinct activity if they apply.
2. Marketing and enquiry management
Prospect marketing generates large volumes of personal data across multiple systems: website enquiry forms, open day registrations, brochure requests, email nurture campaigns, paid advertising pixel data, and CRM records. Each channel is a processing activity in its own right, though it is operationally acceptable to group them under a single "marketing and enquiry management" entry in your RoPA provided the entry covers all data categories, tools, and recipients involved.
The lawful basis for marketing to prospects is typically legitimate interest (for B2B or alumni marketing) or, more commonly for prospective student marketing, consent — particularly for email and SMS under PECR (Privacy and Electronic Communications Regulations 2003). Consent records must themselves be documented as a processing activity.
For guidance on retention periods for prospect data, see our detailed article on prospect data retention under UK GDPR.
3. AI chatbot
This is the processing activity most frequently absent from school RoPAs — and the one most likely to attract ICO attention as AI adoption in education accelerates. An AI chatbot deployed on your school website processes personal data from the moment a prospective student submits their name, email address, or any identifiable information in the conversation window.
72% of prospect questions are automatable by an AI chatbot (Source: Skolbot analysis, 12,000 conversations 2025–26) — which means the volume of chatbot-generated personal data at an active school is substantial. Every conversation log that contains an identifiable individual's name or contact details is personal data under UK GDPR. Those logs must appear in your RoPA with a documented retention period, identified recipients (your chatbot vendor as data processor), and a record of any data transfer outside the UK.
For a detailed assessment of what to look for in a compliant chatbot vendor, see our guide to GDPR-compliant chatbot vendors for schools.
Ready-to-fill RoPA template: UK private school
The table below provides a filled-in starting point for the three core processing activities. Adapt the recipients, retention periods, and transfer columns to reflect your actual vendors and arrangements.
| Processing activity | Purpose | Lawful basis | Data categories | Key recipients | Retention period | Transfers outside UK |
|---|---|---|---|---|---|---|
| Direct admissions (applications, shortlisting, enrolment decisions) | Assess and process applications; enrol successful candidates | Contract (Art. 6(1)(b)); for special category data — explicit consent or DPA 2018 Sch. 1 | Name, DOB, address, academic records, personal statement, references, health/disability data (special category) | Admissions team, academic board, welfare team; MIS provider (processor) | 2 years post-rejection or withdrawal; 5 years from end of studies for enrolled students | If MIS hosted in US/EEA — document transfer mechanism (UK adequacy decision or SCCs) |
| UCAS applications and Clearing | Receive and process UCAS-routed applications; participate in Clearing | Contract (Art. 6(1)(b)); special category — DPA 2018 Sch. 1 | As above + UCAS application ID, personal statement, predicted and actual grades | UCAS (joint controller); admissions team; CRM (processor) | 2 years post-rejection; 5 years for enrolled students | UCAS: UK-based. CRM: document if US-hosted |
| Prospect marketing and enquiry management | Generate and nurture enquiries; invite to open days; convert to applications | Consent (Art. 6(1)(a)) for email/SMS under PECR; legitimate interest (Art. 6(1)(f)) for postal/events | Name, email, phone, postcode, programme interest, event attendance, email engagement data | Marketing team; CRM (processor); email platform (processor); paid media platforms (separate controllers: Google, Meta) | 3 years from last active contact | Google/Meta ad platforms: US-based — document transfer mechanism |
| AI chatbot (prospect engagement) | Answer prospect questions; capture qualified lead data; route complex queries to admissions staff | Consent (Art. 6(1)(a)) where name/contact collected; legitimate interest for anonymised analytics | Name, email, programme interest, conversation logs; potentially special category if volunteered | Admissions/marketing team; chatbot vendor (processor) | 3 years from last active contact for identified logs; 90 days for anonymised session logs | Document chatbot vendor location — many are US-based; UK-US data bridge or SCCs required |
| Open day and event registrations | Manage event attendance; follow up with attendees post-event | Legitimate interest (Art. 6(1)(f)) or consent | Name, email, phone, programme interest, dietary/access requirements (special category if collected) | Events team; email platform (processor); venue (processor if data shared) | 3 years from last active contact; access/dietary data deleted within 30 days of event | Email platform: document if US-hosted |
| Staff data (admissions and marketing) | Employment administration, payroll, HR | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Name, NI number, bank details, employment history, performance records | HR team; payroll processor; HMRC | 6 years post-employment | Payroll processor: document location |
This template covers the minimum required by Article 30. You will need to add further rows for processing activities specific to your institution: boarding welfare records, financial aid assessments, CCTV, alumni engagement, and any other processing not captured above.
What the ICO looks for during an audit: common RoPA gaps in schools
The ICO's accountability framework and published audit findings identify several recurring RoPA failures across the education sector. Schools preparing for an ICO audit or conducting internal reviews should check each of the following:
Missing processing activities. The most common gap is simply the absence of processing activities that the school is visibly undertaking. AI chatbots, paid advertising platforms, and third-party CRM tools are consistently absent from school RoPAs despite being among the highest-volume data processing activities. If the tool is on your website and it processes personal data, it must be in your RoPA.
Undocumented transfers outside the UK. The majority of marketing technology platforms used by UK schools — Google Analytics, Meta advertising, US-headquartered CRM tools, email platforms — transfer personal data outside the UK. Post-Brexit, UK schools rely either on the UK's own adequacy decisions or on International Data Transfer Agreements (IDTAs) as the UK equivalent of Standard Contractual Clauses. The RoPA must document the transfer mechanism, not simply note that a transfer occurs.
Retention periods missing or set to "as required by law". A retention period column that reads "as required by law" or "in accordance with our retention policy" does not satisfy Article 30. The actual period — or the specific criteria used to determine it — must be stated. Inspectors will cross-reference the RoPA against your privacy notice and your CRM configuration.
Lawful basis errors. Schools frequently document "consent" as the lawful basis for processing that is actually carried out under legitimate interest or contract — and vice versa. This matters because the rights available to data subjects vary by lawful basis. Consent processing triggers the right to withdraw; legitimate interest processing triggers the right to object. Documenting the wrong basis undermines the accuracy of your entire privacy governance framework.
No DPO or accountability owner. Where a DPO is appointed, their contact details must appear in the RoPA. Where no DPO is appointed, the responsible senior leader must be identifiable. An orphaned RoPA with no named owner is a red flag in any ICO review. For guidance on whether you need a DPO, see our article on outsourced DPO options for private higher education.
AI chatbot processing: what your RoPA entry must cover
An AI chatbot is not a passive website widget. From a UK GDPR perspective, it is a data processing system that collects, stores, and analyses personal data on behalf of your school. The RoPA entry for an AI chatbot must address several elements that schools frequently overlook.
The chatbot vendor is a data processor. Your school (as data controller) must have a Data Processing Agreement (DPA) in place with the chatbot vendor before the tool goes live. The vendor's name and the existence of this DPA must be reflected in the RoPA's recipients column. If the vendor processes data outside the UK — which is common for US-headquartered AI providers — the transfer mechanism must be documented.
Conversation logs are personal data. When a prospect provides their name or email address in a chatbot conversation — which typically happens within the first two exchanges — those logs become identifiable personal data. They must be retained only for as long as necessary (see the 3-year limit in the template above) and must be deletable on request in response to a data subject erasure request.
The lawful basis must be accurate. Where the chatbot is used purely for anonymous pre-sales queries, legitimate interest may be an appropriate basis for processing session data. The moment a user provides identifiable information — or the chatbot is designed to capture lead data — consent becomes the appropriate basis, and your chatbot's opening screen must present a privacy notice and, where required by PECR, obtain consent before proceeding.
72% of prospect questions are automatable by an AI chatbot (Source: Skolbot analysis, 12,000 conversations 2025–26) — every automated answer that involves an identifiable prospect creates a personal data record that must appear in your RoPA. Schools with high-volume chatbot deployments should additionally conduct a Data Protection Impact Assessment (DPIA) before deployment, particularly where the chatbot is integrated with a CRM or admissions system.
Schools deploying AI chatbots have seen +62% qualified leads and -38% cost per lead (Source: Skolbot median results, 18 schools, 2024–25) — the commercial case is well-established, but the compliance infrastructure must be in place first.
FAQ
Does Article 30 UK GDPR apply to small independent schools?
Almost certainly yes. The exemption in Article 30(5) for organisations with fewer than 250 employees only applies if the processing is occasional, does not involve special category data, and does not pose a risk to individuals. Schools process health and disability data (special category), process student and prospect data regularly rather than occasionally, and handle admissions records that carry genuine individual risk. All three exemption conditions fail. The 250-employee threshold is effectively irrelevant for any school actively managing admissions.
What is the difference between a RoPA and a privacy notice?
A RoPA is an internal accountability document maintained by the school for regulatory purposes — it does not need to be published, but must be made available to the ICO on request. A privacy notice (also called a fair processing notice) is the external-facing document provided to individuals when their data is collected, satisfying the transparency requirements of Articles 13 and 14 of UK GDPR. The two documents must be consistent: if your RoPA says you retain prospect data for 3 years, your privacy notice must say the same. Discrepancies between internal registers and public-facing notices are a common ICO finding.
Do we need a DPO to maintain our processing register?
No — maintaining a RoPA is a controller obligation that exists regardless of whether a DPO is appointed. However, if your institution has appointed a DPO (whether voluntary or mandatory under Article 37), their contact details must appear in the RoPA and they should have oversight of its accuracy and completeness. In practice, the DPO is the most appropriate person to own and update the RoPA, even though the legal obligation rests with the controller institution. See our guide to outsourced DPO services for private higher education for more on structuring this responsibility.
How long should we retain prospective student data?
The ICO's direct marketing guidance establishes 3 years from the last active contact as the outer limit for prospect and marketing records. For unsuccessful applicants who completed a formal application, a 2-year retention period from the rejection or withdrawal date is the established standard. Both periods must be documented in your RoPA with the starting point clearly defined. For a complete breakdown by data category, see our detailed article on prospect data retention periods for UK schools.
Must an AI chatbot appear in our Record of Processing Activities?
Yes, without exception. An AI chatbot that processes identifiable personal data — which any chatbot configured to capture lead information does — is a processing activity within the meaning of Article 4(2) of UK GDPR. It must appear in your RoPA with all eight mandatory fields completed: purpose, lawful basis, data categories, recipients (including the chatbot vendor as processor), retention period, transfer outside the UK (if applicable), and security measures. An ICO inspector reviewing your RoPA who then finds an active chatbot on your website with no corresponding entry will treat that omission as a significant accountability failure.
A RoPA is not a compliance deliverable you complete once and archive. The ICO expects it to reflect your current processing activities, which means it must be reviewed whenever you deploy a new tool, change a vendor, add a processing purpose, or modify your retention arrangements. Build a review cycle — at minimum annually, and triggered by any material change to your technology stack or admissions process.
Request a personalised demoAlso read: UK GDPR Guide for Student Data · Prospect Data Retention Periods for Schools · Outsourced DPO for Private Higher Education · GDPR-Compliant Chatbot Vendors for Schools
