Data Protection and AI: What Schools Need to Get Right
Ask.School is an AI-powered parent communication platform for UK schools that minimises data protection risk by design — no personal data is collected from parents, and conversation data is never used for model training.
Schools process large amounts of personal data every day. Student records, attendance data, safeguarding logs, parent contact details and medical information are all part of the daily operation. When a school introduces an AI tool, data protection obligations become even more important.
The Department for Education’s guidance on generative AI in education is clear: schools must ensure compliance with data protection legislation when using AI tools. The UK government’s Generative AI Product Safety Standards go further, requiring Data Protection Impact Assessments and prohibiting the use of personal data for model training without explicit consent.
Here is what schools need to consider.
Data protection sits alongside safeguarding as a core requirement — see our guide on what KCSIE means for AI tools in schools for the safeguarding side of the picture, and the Generative AI Product Safety Standards explained for how the government’s standards address data protection.
The key questions
Does the AI tool process personal data?
This is the first question to ask. If a chatbot collects names, email addresses, device identifiers or any information that could identify an individual, it is processing personal data and UK GDPR applies in full.
Some AI tools require users to create accounts before they can interact with the system. This immediately creates a data protection obligation. Others collect data passively through cookies, analytics or conversation logging.
The safest approach for a school-facing AI tool is to avoid collecting personal data from end users altogether. If parents and students can ask questions without creating accounts or providing identifying information, the data protection risk is significantly lower. Schools should also understand how any documents they upload are handled — see our guide on personal data in documents for how Ask.School approaches this.
Is data used for model training?
Many consumer AI tools use the conversations people have with them to train and improve their models. This means that anything a parent types into a chatbot could be fed into a training dataset and potentially surface in responses to other users.
For schools, this is unacceptable. The AI Product Safety Standards explicitly state that personal data must not be collected for commercial purposes such as model training without explicit consent. Even where data is anonymised, the risk of re-identification means schools should treat this as a red line.
When evaluating an AI tool, ask the vendor directly: is any conversation data used to train AI models? If the answer is yes, or if the answer is unclear, that tool is not appropriate for use in a school setting.
Where is data stored?
UK GDPR requires that personal data is stored securely and that international transfers comply with adequacy requirements. Schools should check where an AI vendor stores data and whether it is transferred outside the UK.
Cloud-hosted services are common, but the location of the data centre matters. Data stored in the UK or within a country with an adequacy decision from the UK government is generally acceptable. Data transferred to jurisdictions without adequacy decisions requires additional safeguards.
Has a DPIA been completed?
The AI Product Safety Standards require developers to carry out a Data Protection Impact Assessment (DPIA) during development and throughout the product lifecycle. Schools should ask vendors to share their DPIA or at least confirm that one exists.
If your school is deploying a new AI tool, you may also need to complete your own DPIA as a data controller. The ICO provides guidance on when a DPIA is required.
A checklist for schools
Before deploying any AI tool, schools should be able to answer yes to all of the following:
- The tool does not require end users to provide personal data
- Conversation data is not used for AI model training
- Data is stored in a jurisdiction with UK adequacy
- The vendor has completed a DPIA
- The tool has been included in the school’s privacy notice
- The DPO (or data protection lead) has reviewed and approved the tool
- Staff understand how the tool processes data
How Ask.School handles data protection
Ask.School is designed to minimise data protection risk for schools. Parents and students can ask questions without creating accounts or providing any personal information. Conversation data is never used to train AI models. All data is stored securely and processed in compliance with UK GDPR and the Data Protection Act 2018.
We maintain a Data Protection Impact Assessment that is available on request. Your school’s data stays within your organisation and is never shared with other schools or third parties, or used for any purpose other than providing the chatbot service. Schools can further protect their accounts with two-factor authentication and security controls, and configure guardrails to control what the chatbot can and cannot discuss.
You can read more about our approach on our safeguarding page. For step-by-step guidance on completing a Data Protection Impact Assessment, see our practical DPIA guide for AI in schools. If you are evaluating multiple AI vendors, our procurement checklist for school AI tools covers the data protection questions you should ask.