In October 2025, a UK academy trust received a £120,000 fine from the ICO. The breach? No malicious actors, no hacking, no phishing. Simply 43 members of staff who all had administrator-level access to the school's student management system — and one of them had exported the complete student database to a personal email address 'to work from home.' GDPR doesn't care about intentions. Only controls.
What Role-Based Access Control (RBAC) Means for Schools
Role-Based Access Control is the principle that every user in a system should have access to exactly the data and functionality they need to do their job — nothing more. A teacher needs to see their own classes and take attendance. They don't need to see finance records. A finance officer needs to see invoices. They don't need to see medical records.
It sounds like common sense. But in practice, most school management systems give administrators one of two options: full access or no access. The result is that most schools default to full access for 'key staff', and those lists grow over time without review.
The Risks of Uncontrolled Access
- A class teacher can see the medical history and SEN details of 400 students — not just their own
- A supply teacher brought in for one day has the same access as the Head of Year
- When a staff member leaves, their access often isn't revoked for days or weeks
- There's no audit trail — if a record is accessed inappropriately, you can't prove it or disprove it
- A GDPR audit or Ofsted inspection finds you have 40 users with admin access and no access policy
Key figures:
- 83% of school data breaches are caused by internal access failures
- £120k: ICO fine example (UK academy trust, 2025)
- 43: staff with admin access in the breach case
- 0: malicious actors, and still fined
EduPilotPro's 5-Role Model
EduPilotPro is built on a five-role access model designed specifically for the data access patterns of schools:
- Super Admin: full platform access including billing, user management, and audit logs — reserved for the Business Manager or Headteacher only
- Admin: operational access to students, attendance, grades, and reports — for office staff and heads of year
- Teacher: access limited to their own enrolled classes, grade entry for their courses, and attendance for their sessions
- Finance: access to invoices, payments, and fee structures only — no access to academic or personal student data
- Parent: access to their own registered children only — attendance history, grades, invoices — no visibility into other families
The Audit Trail
Every access and data modification in EduPilotPro is logged with a timestamp, user identity, and action type. This audit log is immutable — not even a Super Admin can delete it. In the event of a GDPR subject access request, an ICO investigation, or an internal incident, you can demonstrate exactly who accessed what, and when.
GDPR compliance checklist for school access controls:
Pro Tip
When a member of staff leaves your school, disable their EduPilotPro account immediately — ideally on their last working day. EduPilotPro makes this a single click from the User Management screen. Don't wait for IT to process an off-boarding ticket. Data access doesn't stop the moment someone leaves the building.