The security risks faced by schools are many and varied. This breadth of scope is mirrored by the numerous legal issues relating to security. Mark Blois from Browne Jacobson LLP offers an overview of some of the most important issues, followed by some advice on good practice.

Legislation does not assign responsibility for school security to any one body. In practice, management responsibility is usually shared between the Local Education Authority (in the case of LEA maintained schools), the governing body, and the headteacher. However other agencies, in particular the police, fire service, social services, insurers, equipment providers, and maintenance contractors, can all make valuable contributions. A multiagency approach to school security is likely to be the most effective.

Research sponsored by the DfES, and published in April 2003, showed the top security concern for schools to be the personal safety of staff, pupils and visitors. Next came intrusion onto school premises, vandalism, arson and burglary. To emphasise the diverse range of legal issues involved, also mentioned were trespasses, violent or abusive parents, pupil exclusions, offensive weapons, public rights of way, fire protection, child protection and information security. In turn, legislation as diverse as the Countryside and Rights of Way Act 2000; Education Act 1996; Occupiers Liability Act 1954; Health & Safety at Work Act 1974; Knives Act 1997; Offensive Weapons Act 1996 and the Data Protection Act 1998; all have something to say in this area.

SCHOOL WELFARE DUTIES – The duty to ensure children in your care are safe from accidental injury and death

The Education Act 2002 and subsequently the Children Act 2004, placed a duty on schools to “safeguard and promote the welfare of children”. As the 2005 joint inspectors report makes clear, there is still a lot of uncertainty about the scope of this duty and we still have no precise legal definitions for any of the key words: “safeguard”; “promote”; “welfare”. However, guidance has described “safeguarding” as being a matter of “protecting children from maltreatment and preventing impairment of children’s health or development; and “promotion of welfare” as ensuring that children are growing up in circumstances consistent with the provision of safe and effective care and undertaking that role so as to enable those children to have optimum life chances and to enter adulthood successfully.”

The Children Act 2004 (the Act) also places a duty on agencies working with children to co-operate in order to improve the well being of children. The Act goes on to say that “well-being” comprises the
following five outcomes:

1. Physical and mental health and emotional well being 2. Protection from harm and neglect 3. Education, training and recreation 4. Contribution made by children to society

5. Social and economic well-being

The second of these, protection from harm and neglect, is directly relevant to the issue of school security. Guidance gives further detail on what is required to achieve this outcome. Children must be:

a. Safe from mal-treatment, violence, and sexual exploitation; b. Safe from accidental injury and death; c. Safe from bullying and discrimination; d. Safe from crime and anti social behaviour in and out of school.

e. And they must have security, stability and be cared for.

Inspection criteria for schools have been amended to make direct reference to these five outcomes. Schools can therefore, expect to be assessed directly on how their security measures achieve the outcomes listed above.

OCCUPIERS LIABILITY ACTS 1957 AND 1984 – Your responsibility towards lawful and unlawful visitors to the school premises

A school owes duties both to invited guests and trespassers to take ‘reasonable steps’ to ensure they do not suffer injury on the school premises. This must be borne in mind when a school is putting its security measures in place. A balance must be achieved between enhancing security and creating other safety hazards. For example, putting razor wire on a 10-foot high wall that has nothing leaning against it to help children climb onto it may be reasonable. Putting the same razor wire on a 7-foot wall that children are known to climb over, and which has the school’s bins standing against it, may well not be.

The responsibility for both lawful and unlawful visitors is an important consideration for school security. This responsibility lies with the “occupier” of the premises, even in the case of a trespasser on school property.

An occupier is a person with a sufficient degree of control over those premises. There can be more than one occupier. In the case of a school, the individual teacher in a classroom, the school’s management, the governing body and the local education authority can all potentially be an “occupier” in law. In reality, most civil claims are picked up by the insurance policy holder for the premises, which is usually the local education authority.

Under the Occupiers Liability Act 1987, a duty is owed to all visitors who come on to school property with either express or implied permission, or by reason of a contract. Contractors visiting a school to carry out repairs are included. The duty owed is “to take such care as in all the circumstances is reasonable, to see that the visitor will be reasonably safe in using the premises for the purposes permitted by the occupier”. The concept of reasonableness is key. For example, the occupier of a school must be prepared for children to be less risk aware than adults.

The duty can be breached by the poor state of the school premises, by activities carried out on the premises, and by the way the premises are used. However, if the visitor is aware of the risk and willingly accepts it, then this is likely to reduce an occupier’s responsibility for any resulting injury. In two recent cases (James Rhinde –v- Astbury Water Park Limited and John Tomlinson –v- Congleton Borough Council) the occupier avoided liability in this way. Both cases involved visitors diving into shallow lakes and sustaining injuries as a result. On each site there were warning signs by the lakes highlighting the shallow depth of the water, and the bed of the lakes followed the natural lie of the land. The court decided that the occupiers had done enough to bring the risk of injury to the attention of the visitors, and the visitors were then completely responsible for their subsequent decision to dive into the water. However, a notice simply stating that a school “does not accept responsibility for personal injury sustained on the premises” (such notices are seen frequently in all types of premises) is ineffective in law. This notice alone itself does not limit a school’s responsibility.

Under the Occupiers Liability Act 1984,an occupier also owes a duty to uninvited visitors (in legal language “trespassers”). The duty is owed if:

1. an occupier is aware of the danger or has reasonable grounds to believe that it exists. 2. knows or has reasonable grounds to believe that a visitor is in the vicinity of the danger, or may come into its vicinity.

3. the risk is one against which, in all circumstances of the case, the occupier may reasonably be expected to offer the visitor some protection.

The duty is “to take such care as is reasonable in all the circumstances of the case to see that the other person does not suffer injury on the premises by reason of the danger concerned”.

Again, there is an element of reasonableness involved. Preventative steps, such as warnings of a danger, can help occupiers avoid or limit liability. However, a school must be aware that some dangers which would be obvious to an adult are either not obvious to a child, or are a positive enticement to children. In a recent case involving children falling through a skylight on the flat roof of a library, the court found that it was a well known that local children would climb onto the roof of the library building. A child fell through the skylight, sustained injuries and successfully recovered damages. However the court said that if the trespasser had been an adult, he would have recovered nothing.

Security action for schools

A school’ responsibility towards lawful and unlawful visitors to your premises is a question of balance. There are no definite right or wrong answers. A school needs to balance the following duties: 1. Duty to the pupil 2. Duty to visitors

3. Duty to trespassers

Try to make all areas as secure as possible and mark hazards clearly (including those which are in out of bounds areas).

Detaining those who are trespassing or causing concern on school premises

Schools can use reasonable force to detain a person who is trespassing or otherwise causing concern, on or around school premises. However, three further possible claims that may arise out of these security situations at a school are: 1. Assault 2. Battery

3. False imprisonment

The first two are closely linked. Briefly, “assault” is to “put a person in reasonable fear of battery”, and so does not require physical contact. “Battery” is to “intentionally apply force to another in a hostile manner or against his will”, and so requires physical contact. A school may defend an allegation of assault or battery by showing that its actions were reasonable in order to defend a person or its property.

“False imprisonment” is “the unlawful imposition of a constraint of another’s freedom of movement from a particular place”. Private citizens have far less power than the police to detain people. Nevertheless, private citizens (and therefore the staff of the school) do have the right to use such force as is reasonable, including the detention of a person, to:

1. Make or assist the lawful arrest of an offender or suspected offender. Anyone may arrest a person without a warrant who has committed an “arrestable offence”. This includes breaking and entering and trespass on private property.
2. Make an arrest to prevent a breach of the peace.

Therefore a school, should it feel it necessary, is entitled to detain unwanted visitors, provided its actions are reasonable in the circumstances. However, there is an obvious risk of injury to staff who detain trespassers or other wrongdoers. A school must be aware of its duties to prevent injury to its employees if they consider a detention necessary.

Duty to prevent injury of your employees and non-employees

Under both health & safety legislation and case law, there are duties on employers to prevent injury to their employees. Under section 2 of the Health & Safety at Work Act 1974 there is a general duty on an employer to ensure the safety of its employees. The duty extends to: • Provision of a safe system of work • Provision of information, instruction, training and supervision • The provision and maintenance of a working environment that is safe and without risk to health.

These duties cover staff working at a school, but also any contractors carrying out work on the school premises, even if they are not employed directly by the school.

There is also a duty on the employer to ensure that non-employees, (which includes pupils) are not exposed to risks to their health or safety in so far as is reasonably practicable; a duty on the person in control of premises to ensure that they are safe and without risk to health so far as is reasonably ppacticable. The Management of Health and Safety at Work Regulations (1999) require employers to assess the risks to the health and safety of their employees, to record such assessments, and to implement control measures. These should be carried out regularly.

Under the Health & Safety at Work Act 1974 and the Management Regulations, proof of harm to an employee or pupil arising from a failure to meet these legal obligations is not necessary for there to have been a breach. A risk or possibility of harm occurring is sufficient to render an employer liable. Failure to comply with any of the above duties is punishable by a fine of up to £20,000 or an unlimited fine in the Crown Court. Furthermore, while a breach of this regulation alone is not enough to entitle an employee to bring a claim for compensation, it is a strong indicator of generally poor practice, and often a sign that other duties which do give a right to claim damages have also been breached.


Information is collected, stored and used by all schools. Such information is a valuable asset and, like financial and physical assets, needs to be protected against loss and damage. Schools owe duties to the subjects of the information to keep it safe, many of whom may be children. The following questions need to be considered by your school when auditing its approach to information security:

• Has your school implemented “British Standard 7799 – A Code of Practice on Information Security Management”? • What measures does your school have in place to ensure against accidental loss of, damage to, or theft of personal data (in respect of manually and electronically held data)? • What is your policy on the use of school laptops off school premises? • What is your school’s data retention policy and how regularly does your school review files (manual and electronic) containing personal data? • What procedures are in place for the safe disposal of the school’s data and computer equipment?

• Are there regular reviews of access levels and password controls to ensure that only those people entitled to it have access to personal data?

The Data Protection Act 1998

In the context of schools, protection of personal information is especially important. A basic understanding of the legal framework of the Data Protection Act 1998 is the cornerstone of an effective information security policy.

Schools must understand and audit the personal information they hold and will ultimately be responsible if that information is not created and stored in accordance with the Act.

Data Protection Principles

The Act provides that a ‘data controller’ such as your school may only ‘process’ (processing – includes the obtaining, recording, holding, disclosure and destruction of data) the ‘personal data’ (anything held in a record/filing system which identifies a living individual, such as names, addresses and including statements of opinion and paper as well as electronically held data) or ‘sensitive personal data’ (data consisting of information as to: racial or ethnic origin; political opinions; trade union membership; religious or other similar beliefs; physical or mental health; sexual life; and the commission or alleged commission of any offence) of a ‘data subject’ (such as pupils, parents, staff and any other individuals which your school holds data on) in accordance with the Act.

Schools are required to comply with eight Data Protection Principles when processing all personal data. The seventh Data Protection Principle, which relates to appropriate technical and organisational measures, is the one which specifically relates to security, however for more information on the application of all eight principles please visit

The seventh Data Protection Principle states that the school must take all “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Schedule 1 of the Act goes further and states that:
“Having regard to the state of technological and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) the harm that might result from such…accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.”

Again the duty is to ensure a level of security appropriate to the harm resulting from loss of data and the nature of the data.

This principle also requires schools to impose security standards on any subcontractors used in connection with processing, such as cleaners and other agencies.  

Specific security issues involving data protection

Websites – Many schools will have their own website, aspects of which might be covered by data protection legislation. If a school collects personal data in any form via its website, it should provide a clear and detailed privacy statement prominently on the site, wherever personal data is collected. Schools may wish to develop a privacy policy for their website as a matter of good practice, even if personal information is not currently collected. The website of the Information Commissioner provides some useful compliance advice with regard to collecting personal data via websites.

Photographs – The Information Commissioner has issued good practice guidance on taking photographs and videos in educational institutions. In brief, the guidance states that in many cases the Data Protection Act is unlikely to apply. However, photographs taken for official school use, which are likely to be stored electronically alongside other personal data may be covered by the Act. As such, pupils and students should be advised why they are being taken.

Safe disposal of computing equipment – Schools have legal responsibilities for the personal data stored on hard disks. Simply deleting old files is not sufficient since widely available software programs can recover some or all of the information once stored. Schools should check that the organisation to which any computer equipment may be given will provide a warranty that they also securely erase all disks. If the disks contain sensitive information then it is the recommendation of the British Educational Communications and Technology Agency (BECTA) that they should be physically destroyed by fire or being smashed.

CCTV (Closed Circuit Television) – The Data Protection Act 1998, Regulation of Investigatory Powers Act 2000 and the CCTV Code of Practice issued by the Information Commissioner, explain how CCTV systems should be used to ensure schools and individuals can enjoy security and safety whilst ensuring that individual rights are upheld. In terms of security the OIC’s code of practice suggests, inter alia, that:

i) Access to the operators room should be restricted to designated/named members of staff, and all operators should sign in at the beginning of their shift and sign out at the end. ii) Visitors to the operators room should sign in and be escorted by an appropriate member of staff. iii)Access to images by third parties should be strictly controlled in accordance with agreed disclosure policies. iv) Any viewing of images should take place in a restricted area to which other employees do not have access while viewing is taking place.

v) Removal of images for viewing should be documented.

Mobile Computing Facilities – In order to comply with the seventh data protection principle in respect of the school’s use/storage of personal and sensitive personal data on laptop computers, the school should have set procedures for uploading such data onto its secure computer network and deleting the data from laptops (which are, by their very size and nature, easy targets for thieves).

British Standard 7799 / ISO 17799 on Information Security Management (“BS7799”) provides a code of practice on the security measures which should be put in place in order to hold personal information securely (whether in relation to manual or computer held records). BS7799 is a critical document that greatly assists data controllers wishing to implement policies in order to comply with their security obligations.

With a basic understanding of the principles of the Data Protection Act 1998 and an appreciation of their application to specific areas of school practice, a school will be well placed to implement appropriate information security measures.


An LEA should have an overall policy for security within its schools. There is also a statutory requirement on the governing body to cover school security in its annual report, which may encourage a school to draw up its own more detailed policy tailored to its own unique circumstances.

Content: A school’s policy needs to be sensitive to the range of issues that arise in the context of security. Following the fatal stabbing of head teacher Phillip Lawrence in December 1995, the government set up a Working Group on School Security (WGSS). The remit of the WGSS was to:

“Identify good practice in maintaining and improving security in and around schools, including effective ways of handling incidents, to advise on dissemination, and to make recommendations. Consideration will include the role of relevant external agencies, raising involving parents in the local community, and the effectiveness of current legislation.”

In May 1996, the WGSS published a report, since when the DfES has published various pieces of guidance on school security. These include: • Managing school facilities: improving school security. • School security: dealing with troublemakers. • A directory of Local Authority practice on school security.

• Personal safety and violence in schools: Search Report 21.

The role of the School Security Manager/Co-ordinator

The WGSS also recommended that schools might find it helpful to give a member of staff the role of School Security Manager or Co-ordinator. The WGSS was clear that this role should not duplicate the role of the school’s Health and Safety Officer, but would focus on the actions schools need to take to achieve adequate security, to help formalise arrangements that already exist, and to promote co-operation with all other bodies involved in that school’s security.

The implementation of this recommendation to date is patchy. It is not a legal requirement to have a School Security Manager. However, in the light of recent high profile incidents where school security has failed, and given the developments of other specific “safety” orientated roles, such as Child Protection Officer and Educational Visits Co-ordinators, the role of a School Security Co-ordinator is an idea whose time has come.

Where a school chooses to appoint a school security manager he can serve to enhance the information, guidance and support available to all of the staff in their individual roles. A successful Security Co-ordinator could: • Provide the senior management team with up-to-date information about the latest risks and developments in good practice • Be the designated school “contact” for the LEA and emergency services, particularly the local police, and develop close and effective links • Analyse security incident trends and other relevant school data in order to advise on the school’s security levels, and highlight any lessons to be learnt

• Identify training needs on security issues, deliver training, and evaluate the impact of a training programme

Avoiding Claims

As mentioned above, there is a specific requirement in Health & Safety legislation for employers to record their assessments of risk, and their control measures. Should any claim be made, such information will be of central importance to a school’s defence. Of course, the best way to avoid claims is through good preventative practice. In this regard, the role of a Security Manager or Co-ordinator will be very important.

There are many agencies and organisations who can help a school enhance its security such as the police, emergency services, and most schools’ insurers. They all bring their own particular expertise and schools should make use of these resources where appropriate.