Question to the Department for Education:

To ask the Secretary of State for Education, what assessment she has made of the level of potential harm to looked-after children if weaknesses in ePEP systems lead to data breaches or inadequate safeguarding of their personal information.

Statutory guidance for Virtual School Heads (VSHs) sets out what Personal Education Plans (PEPs) must cover and the outcomes they should support. The department does not mandate, endorse or have oversight of any specific electronic PEP (ePEP) platforms. Decisions about whether to use an ePEP system, and which system to procure, rest with individual local authorities.

Our ‘Data Protection in Schools’ guidance supports schools and local authorities to understand their legal responsibilities when using third-party software. As data controllers, local authorities are responsible for ensuring that any systems they use to record, store, or share information comply with data protection law and safeguarding standards, including where sensitive information about children in care is processed.

To reinforce this, we have engaged with the National Association of Virtual School Heads to reiterate the importance to their members of working closely with relevant teams across their local authority to ensure robust data security, assurance and compliance when procuring and operating systems that hold children’s data.

We are committed to publishing updated statutory guidance for VSHs prior to the introduction of new duties on VSHs in September 2027. As part of this work, we will restate the above requirements for local authority due diligence on data governance, security and safeguarding when using third party software to support the role of the VSH.