From the introduction to our password policy:

"The purpose of a password is to prevent unauthorised individuals from accessing school data, devices or resources.

Under the GDPR and the Data Protection Act 2018, [Our School] has an obligation to implement technological and organisational measures to show we have considered and integrated data protection into our data processing activities.

“Measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”

Passwords can be considered one of the appropriate safeguards to ensure the security of accounts and the confidentiality of sensitive information, provided an appropriate password policy is in place."


One of the main issues we encounter is that thousands of pounds may have been spent purchasing a system that when developed had ten's of thousands of pounds spent on its security features to protect the data it holds.

This data is important so the password requirements are complex. So what happens? Security is negated for ease of access...and we store passwords in the browser.
Or we write them in a book. 
Or we stick them on the monitor.

This is a real photograph taken in a school office in summer 2018. Needless to say this is not our recommended procedure: