Introduction
Here is a question worth sitting with: does your maktab store student names and contact details in a WhatsApp group? Does a teacher keep a notebook with student progress records at home? Does your fee spreadsheet live in someone’s personal Google Drive? Is your enrolment form collected on paper and kept in a filing cabinet that is not locked?
If the answer to any of these is yes, your maktab is almost certainly in breach of UK GDPR.
This is not said to alarm — it is said to prompt action. The vast majority of UK maktabs and supplementary Islamic schools are operating with personal data practices that were acceptable before 2018 and are not acceptable now. Most are unaware of this. And most could become compliant within a few weeks with a clear plan.
This guide provides that plan. It explains what UK GDPR requires of a supplementary Islamic school, what the most common compliance failures are, what the realistic consequences of non-compliance are, and — most practically — what you need to do to get compliant.
Does GDPR Apply to a Maktab?
Yes. Unambiguously, yes.
UK GDPR (the UK’s retained version of the EU General Data Protection Regulation, as modified by the Data Protection Act 2018) applies to any organisation that processes personal data about individuals in the UK. “Processing” includes collecting, storing, organising, accessing, sharing, and deleting data. A maktab that holds a list of student names, dates of birth, and parent phone numbers is processing personal data. A maktab that records Hifz progress against named students is processing personal data. A maktab that sends messages to parents about their child’s attendance is processing personal data.
There is no size exemption. A maktab with 20 students has the same UK GDPR obligations as one with 200. There is no “supplementary school” exemption. There is no “we’re a charity” exemption. The law applies.
The enforcement body is the Information Commissioner’s Office (ICO). The ICO has enforcement powers including fines of up to £17.5 million or 4% of global turnover (whichever is higher) for the most serious breaches, and up to £8.7 million for less serious but still significant failures. For a community maktab with modest turnover, even a small ICO fine or investigation would be reputationally and financially damaging.
What Personal Data Does a Maktab Hold?
Personal data is any information that can identify a living individual, directly or indirectly. A maktab typically holds:
Student data (highly sensitive):
- Full name, date of birth
- Home address
- Parent/guardian names and contact details
- Emergency contact details
- Medical information (allergies, conditions relevant to care)
- Educational records (Hifz progress, attendance, assessment results)
- Safeguarding records (the most sensitive category)
Special category data:
Under UK GDPR, certain data categories require additional protection. Religious belief is a special category. The very existence of a student record at an Islamic maktab reveals the student’s religious background — this is special category data requiring explicit legal justification to hold.
Financial data:
Fee payment records, bank account details (where direct payments are made), standing order references.
Staff data:
Teacher names, contact details, DBS certificate reference numbers, pay records, contracts.
All of this data is within scope of UK GDPR. The obligations apply to all of it.
The Six UK GDPR Principles — What They Mean for a Maktab
UK GDPR is built around six data protection principles. Every maktab’s data practices must comply with all six.
Principle 1: Lawfulness, Fairness, and Transparency
You must have a lawful reason to hold student data. You must be honest with parents about what data you hold and why. You must not use data in ways parents would not expect.
In practice: Issue a privacy notice at enrolment explaining what data you collect, why, and how you use it. Do not use student data for purposes you haven’t told parents about.
Principle 2: Purpose Limitation
Data collected for one purpose must not be used for another incompatible purpose. Student educational records collected to manage their Hifz education cannot be used for fundraising appeals without separate consent.
In practice: Be clear at the point of collection what the data will be used for, and do not deviate from this.
Principle 3: Data Minimisation
Collect only the data you actually need. If you do not need a student’s NHS number to run a maktab, do not collect it.
In practice: Review your enrolment form and remove any fields you collect out of habit rather than genuine need.
Principle 4: Accuracy
Data must be kept accurate and up to date. An old phone number for a parent is not just operationally inconvenient — it is a data protection compliance issue.
In practice: Run an annual data verification exercise — send parents a simple form asking them to confirm or update their contact details. Update your records immediately when parents report changes.
Principle 5: Storage Limitation
Data must not be kept for longer than necessary. You cannot hold indefinitely the records of a student who left your maktab ten years ago.
In practice: Establish a retention schedule (see below) and actually delete records when the retention period expires.
Principle 6: Integrity and Confidentiality (Security)
Data must be protected against unauthorised access, loss, or destruction. Student records in an unlocked filing cabinet, or in a personal Gmail account, or in a WhatsApp group, fail this principle.
In practice: Store all student data in secure, access-controlled, encrypted systems. Control who has access to what.
The Lawful Basis for Processing Student Data
Under UK GDPR, you need a lawful basis for every type of data processing. For a maktab, the most relevant bases are:
Legitimate interests: You have a legitimate interest in holding the data necessary to run your educational service — student names, contacts, educational progress. This is the most appropriate basis for most maktab data processing. It requires a brief “legitimate interests assessment” (LIA) — a simple document explaining why your interests outweigh any privacy impact on the student.
Legal obligation: Some data processing is required by law — safeguarding records, DBS check records, financial records for charity purposes. These are covered by legal obligation as the lawful basis.
Vital interests: Relevant for emergency contact information — you may need to contact a parent urgently in a medical emergency. Vital interests can be relied on in genuine emergency situations.
Consent: Often misapplied as a lawful basis. Consent must be freely given, specific, informed, and revocable — which means parents must be able to withdraw consent and you must stop processing their data. For most core maktab data processing (student records, educational progress), consent is not the right basis because the processing is necessary regardless of consent. Where you do rely on consent (e.g., for sending marketing emails about fundraising events), it must be properly obtained and recorded.
The Privacy Notice: What You Must Tell Parents
A privacy notice is the document that tells parents (and, where appropriate, students) what personal data you hold about them, why you hold it, and what their rights are. It is a legal requirement — not optional.
What Your Privacy Notice Must Include
Under UK GDPR Article 13, when you collect personal data from individuals, you must tell them:
- Who is collecting the data (your organisation’s name and contact details)
- Why you are collecting it and what legal basis you rely on
- How long you will keep it
- Who (if anyone) you will share it with
- Their rights (access, correction, deletion, objection)
- Their right to complain to the ICO
Format
A privacy notice does not need to be a long legal document. A clear, plain-English one-page notice issued with the enrolment form is entirely appropriate. It must be written in language parents can understand — if your parent community is primarily Urdu-speaking, an Urdu translation is strongly recommended.
Timing
The privacy notice must be provided at the point of data collection — when parents complete the enrolment form. It must also be available at any time on request (e.g., posted on your website or available from the administrator).
Data Security: How Student Data Must Be Stored
UK GDPR requires “appropriate technical and organisational measures” to protect personal data. For a community maktab, this means:
No paper records in unlocked, unsupervised locations. Paper registers, enrolment forms, and fee records containing personal data must be stored in locked filing cabinets when not in active use. Access must be restricted to authorised staff.
No personal data on personal devices without protection. A teacher’s notebook with student Hifz progress contains personal data. If it is lost or stolen, this is a data breach. If records must be on paper, they must be held securely.
No student data in personal cloud accounts. A fee spreadsheet in someone’s personal Google Drive is accessible to Google and subject to Google’s terms — not your institution’s data protection controls. Student data must be in organisational accounts with appropriate access controls, or in a dedicated management system.
No student data in WhatsApp groups. This is addressed in detail below.
Encrypted digital storage. Digital records must be in systems with encryption at rest and in transit. Purpose-built school management systems (like Ilmify) are designed with this security as standard.
Access controls. Not every teacher needs access to every student’s complete record. Restrict access to what each person genuinely needs. Ilmify’s role-based access control allows this — teachers see their own students; administrators see all students; fee data is restricted to the treasurer role.
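The access-control rule described above (teachers see only their own students, administrators see all students, fee data restricted to the treasurer role) can be written down as an explicit, deny-by-default policy and checked in code. The following is an added example in Python, not Ilmify’s code: the role names, record categories and the `ROLE_PERMISSIONS` mapping are constructed for illustration, and the `AccessLog` records every decision, including denials, so that a later review can show who tried to access what.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which record categories each role may read.
# Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "teacher": {"educational", "attendance"},
    "administrator": {"educational", "attendance", "contact", "safeguarding"},
    "treasurer": {"contact", "fees"},
    "safeguarding_lead": {"safeguarding", "contact"},
}


@dataclass
class User:
    user_id: str
    role: str
    own_students: frozenset = frozenset()  # student ids a teacher is responsible for


@dataclass
class StudentRecord:
    student_id: str
    category: str  # educational, attendance, contact, fees, safeguarding


@dataclass
class AccessLog:
    """Append-only record of access decisions, allowed and denied alike."""
    entries: list = field(default_factory=list)

    def record(self, user: User, rec: StudentRecord, allowed: bool, reason: str) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "role": user.role,
            "student": rec.student_id, "category": rec.category,
            "allowed": allowed, "reason": reason,
        })


def can_access(user: User, rec: StudentRecord, log: AccessLog) -> bool:
    """Deny unless the role permits the category AND, for teachers, the student is theirs."""
    permitted = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> nothing permitted
    if rec.category not in permitted:
        log.record(user, rec, False, "category not permitted for role")
        return False
    if user.role == "teacher" and rec.student_id not in user.own_students:
        log.record(user, rec, False, "student not in teacher's class")
        return False
    log.record(user, rec, True, "policy allows")
    return True


def visible_records(user: User, records: list, log: AccessLog) -> list:
    """Return 'student/category' labels for the records this user may see."""
    return [f"{r.student_id}/{r.category}" for r in records if can_access(user, r, log)]


def denied_attempts(log: AccessLog) -> list:
    """Denied decisions only: the part of the log a reviewer looks at first."""
    return [e for e in log.entries if not e["allowed"]]


# Constructed sample data: two students, four records, three staff users.
SAMPLE_RECORDS = [
    StudentRecord("S1", "educational"),
    StudentRecord("S2", "educational"),
    StudentRecord("S1", "fees"),
    StudentRecord("S1", "safeguarding"),
]
TEACHER = User("t1", "teacher", frozenset({"S1"}))
TREASURER = User("f1", "treasurer")
ADMIN = User("a1", "administrator")

if __name__ == "__main__":
    log = AccessLog()
    for user in (TEACHER, TREASURER, ADMIN):
        print(user.user_id, "sees", visible_records(user, SAMPLE_RECORDS, log))
    print(len(denied_attempts(log)), "denied attempts logged")
```

The teacher sees only `S1/educational`; the treasurer sees only `S1/fees`; the administrator sees both students’ educational records and the safeguarding note but not the fee record. Because the log captures denials as well as successes, it doubles as the evidence trail the security principle asks for.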
The WhatsApp Problem in Detail
WhatsApp is used by the vast majority of UK maktabs for parent communication. It is convenient, free, and familiar. It is also significantly problematic from a UK GDPR perspective.
Why WhatsApp Fails as an Educational Records Platform
Meta’s data processing. WhatsApp is owned by Meta (Facebook). When you use WhatsApp for educational records, your student data passes through Meta’s servers and is subject to Meta’s privacy policy — not your institution’s data protection controls. You do not have a Data Processing Agreement (DPA) with Meta for educational data. Meta’s business model involves using data for advertising purposes. None of this is compatible with the confidentiality obligations of an educational institution.
No data minimisation. In a parent WhatsApp group, every parent sees every message. When a teacher posts “Ahmed didn’t come today, can someone let his parents know?” — every parent in the group now knows Ahmed was absent. Ahmed’s absence is personal data about Ahmed. This is a disclosure to unauthorised third parties.
No access control. You cannot control who screenshots WhatsApp messages, who joins the group, or who has access to historical messages if someone leaves and is re-added. This fails the security principle.
No audit trail. WhatsApp does not provide an auditable record of data processing that you control. If the ICO asks you to demonstrate how you have protected student data, a WhatsApp group cannot form part of that demonstration.
No data subject access compliance. If a parent requests access to all the data you hold about their child, WhatsApp messages mentioning that child are technically within scope. Producing these as part of a Subject Access Request is extremely difficult.
What You Can Use WhatsApp For
General announcements to parents that do not identify individual students are low-risk. “Class cancelled this Saturday due to snow” does not process any individual’s personal data. This use of WhatsApp is acceptable.
Individual student data must not be shared via WhatsApp — including absence notifications for specific named students, Hifz progress updates, fee payment reminders for specific families, or any safeguarding-related information.
Data Subject Rights: What Parents Can Ask For
Under UK GDPR, parents (and students over 13 in some circumstances) have rights over their personal data. Your maktab must be able to respond to these requests.
Right of access (Subject Access Request — SAR): Any parent can ask for a copy of all personal data you hold about them or their child. You have one month to respond, at no charge.
Right to rectification: If data is inaccurate, parents can require you to correct it.
Right to erasure (“right to be forgotten”): In certain circumstances, parents can ask you to delete their data. Note: this right is not absolute — you may have legal obligations to retain certain records (safeguarding records, financial records) that override a deletion request.
Right to object: Parents can object to certain types of processing, particularly where you rely on legitimate interests as your lawful basis.
Right to data portability: Parents can ask for their data in a structured, machine-readable format (e.g., CSV export).
Practical Implications
Your management system must be able to produce a complete export of all data held about a specific student — quickly, accurately, and comprehensively. A paper register and a fee spreadsheet and a WhatsApp message history cannot do this reliably. A purpose-built management system can.
Data Breach Procedure: What to Do If Something Goes Wrong
A data breach is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples relevant to maktabs:
- A teacher’s phone containing student progress records is stolen
- An enrolment form with student data is posted to the wrong address
- A student’s personal information is accidentally sent to the wrong parent’s WhatsApp
- A fee spreadsheet is accidentally shared with non-authorised recipients
What to Do
Step 1: Contain the breach if possible (retrieve the wrongly-sent email, report the stolen phone immediately, etc.)
Step 2: Assess the severity. Does the breach pose a risk to individuals’ rights and freedoms? If yes — or if you are unsure — you must report to the ICO.
Step 3: Report to the ICO within 72 hours of becoming aware of the breach. This is a legal deadline, not a recommendation.
Step 4: If the breach poses a high risk to individuals (e.g., safeguarding information is disclosed), notify the affected individuals directly.
Step 5: Document everything — what happened, when you discovered it, what you did in response. This documentation demonstrates that you acted appropriately.
An ICO investigation focuses primarily on whether the organisation took reasonable steps to prevent the breach and responded appropriately when it occurred. An institution with proper data protection practices that experiences a breach is treated very differently from one that has no practices at all.
Data Retention: How Long to Keep Records
UK GDPR requires you to keep data for no longer than necessary. You must define your retention periods and actually implement them.
Recommended Retention Schedule for UK Maktabs
| Data Type | Retention Period | Basis |
| --- | --- | --- |
| Student educational records | Duration of enrolment + 7 years | Standard educational records guidance |
| Safeguarding records | Duration of enrolment + until student’s 25th birthday (minimum) | Statutory safeguarding guidance |
| Financial records | 7 years from the end of the financial year | HMRC and charity law requirement |
| DBS check references | Duration of employment + 6 months | DBS guidance |
| Employment records | Duration of employment + 6 years | Employment law guidance |
| Parent contact details (where no longer enrolled) | Delete or anonymise promptly unless safeguarding reason to retain | Data minimisation principle |
| CCTV (if used on premises) | Maximum 31 days unless specific need | ICO guidance |
Implement these by: setting calendar reminders for annual data review; actually deleting records that have passed their retention date; keeping a log of what you have deleted and when.
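A retention schedule only works if someone turns the table into dates and checks them. The script below is an added example in Python (not part of this guide’s original material or of any product) that encodes the schedule above as rules, computes the earliest deletion date for each record, and lists what is due at an annual review. The record-type names, the `Record` structure and the sample register are constructed for the example. It handles two details the table leaves implicit: the safeguarding period is the later of end of enrolment and the 25th birthday, and a record under a legal hold (a live safeguarding concern, an ongoing dispute) is reported but never listed for deletion, since a legal obligation overrides the schedule.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    """Add whole months, clamping the day to the end of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Record:
    record_id: str
    data_type: str
    trigger: date                          # enrolment end, employment end, financial year end, or recording date
    date_of_birth: Optional[date] = None   # required for safeguarding records
    legal_hold: bool = False               # constructed flag: a legal obligation to keep the record


def retention_expiry(rec: Record) -> date:
    """Earliest date on which the record may be deleted under the schedule above."""
    t = rec.trigger
    if rec.data_type == "student_educational":
        return add_years(t, 7)
    if rec.data_type == "safeguarding":
        if rec.date_of_birth is None:
            raise ValueError("safeguarding record needs a date of birth")
        # minimum period: the later of end of enrolment and the student's 25th birthday
        return max(t, add_years(rec.date_of_birth, 25))
    if rec.data_type == "financial":
        return add_years(t, 7)
    if rec.data_type == "dbs_reference":
        return add_months(t, 6)
    if rec.data_type == "employment":
        return add_years(t, 6)
    if rec.data_type == "parent_contact":
        return t                           # delete or anonymise promptly once enrolment ends
    if rec.data_type == "cctv":
        return t + timedelta(days=31)
    raise ValueError(f"no retention rule for data type {rec.data_type!r}")


def expiries(records: list[Record]) -> dict[str, str]:
    """record_id -> ISO expiry date, for the review log."""
    return {r.record_id: retention_expiry(r).isoformat() for r in records}


def due_for_deletion(records: list[Record], review_date) -> list[tuple[str, date]]:
    """Records whose retention has expired by review_date and that are not on hold."""
    if isinstance(review_date, str):
        review_date = date.fromisoformat(review_date)
    due = []
    for rec in records:
        expiry = retention_expiry(rec)
        if expiry <= review_date and not rec.legal_hold:
            due.append((rec.record_id, expiry))
    return due


# Constructed sample register for an annual review run on 1 September 2025.
SAMPLE_RECORDS = [
    Record("S1-edu", "student_educational", date(2016, 7, 31)),
    Record("S1-safeguarding", "safeguarding", date(2016, 7, 31), date_of_birth=date(2005, 3, 10)),
    Record("S2-parent", "parent_contact", date(2025, 7, 31), legal_hold=True),
    Record("T1-dbs", "dbs_reference", date(2024, 8, 31)),
    Record("T2-employment", "employment", date(2020, 2, 29)),
    Record("FY2017", "financial", date(2018, 3, 31)),
]

if __name__ == "__main__":
    for record_id, expiry in due_for_deletion(SAMPLE_RECORDS, "2025-09-01"):
        print(f"{record_id}: retention expired {expiry.isoformat()}; delete and record the deletion")
```

On the sample register the review lists the 2016 leaver’s educational record, the DBS reference (six months from 31 August lands on 28 February, the end of the shorter month) and the 2017/18 financial records; the safeguarding record is held until the student’s 25th birthday in 2030, and the parent contact record under legal hold is skipped. Keeping the output of each run is the deletion log the paragraph above asks for.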
Your GDPR Compliance Action Plan
This 8-step action plan takes most UK maktabs from non-compliant to substantially compliant within 4–6 weeks.
Step 1 (Week 1): Appoint a Data Protection Lead
Designate a named individual (the principal or a trustee) as the person responsible for data protection. They do not need to be a lawyer — they need to be reliable and to understand the basics this guide covers.
Step 2 (Week 1): Audit your current data
Map what personal data you hold, where it lives, and who has access to it. This is your baseline.
Step 3 (Week 1–2): Write your Privacy Notice
A clear, one-page plain-English privacy notice explaining what data you collect, why, how long you keep it, and parents’ rights. Have it translated into the community’s primary languages.
Step 4 (Week 2): Issue the Privacy Notice
Send to all current parents. Include with all future enrolment packs. Post on any website or noticeboard.
Step 5 (Week 2–3): Secure your data
Move student records into a GDPR-compliant system (like Ilmify). Ensure paper records are locked. Restrict WhatsApp to general announcements only.
Step 6 (Week 3): Write a Data Breach Procedure
A simple one-page document specifying who does what if a breach occurs. Make sure the Data Protection Lead knows it exists.
Step 7 (Week 3–4): Establish retention schedules
Define how long you keep each type of record. Conduct a first review and delete any records that are already past their retention period.
Step 8 (Week 4): Train staff
A 30-minute briefing for all teachers and volunteers covering: what personal data is, what they must not do with it (WhatsApp, personal devices, sharing with unauthorised people), and who to contact if something goes wrong.
How Ilmify Makes GDPR Compliance Straightforward
Ilmify is designed from the ground up to be GDPR-compliant infrastructure for Islamic educational institutions. Every feature is built with the UK GDPR requirements in mind.
Encrypted data storage: All student data is stored in encrypted cloud infrastructure. No data is stored in unencrypted personal accounts or on personal devices.
No third-party data sharing: Ilmify’s privacy declarations on both the Google Play Store and Apple App Store confirm that no student data is shared with third parties, including advertisers. This is confirmed in their data processing documentation.
Role-based access control: Teachers see their own students. Administrators see all. Fee data is restricted to designated roles. Safeguarding notes are accessible only to safeguarding leads and administrators.
Subject Access Request support: Ilmify can export a complete record of all data held about a specific student — name, contact details, educational records, attendance, fee history — in a structured format that satisfies a Subject Access Request.
Data retention tools: Student records can be marked as archived when students leave, and permanently deleted when their retention period expires.
Parent portal with individual access: Each parent has their own secure login — not a shared group. No parent can see another family’s data.
Audit trail: All data access and changes are logged. If the ICO asks who accessed what and when, Ilmify’s audit log provides the answer.
Privacy notice template: Ilmify provides a template privacy notice for institutions to adapt and issue to parents — reducing the drafting burden.
Conclusion
UK GDPR compliance for a maktab is not optional, and it is not as complex as it might first appear. The core requirements — a privacy notice, a lawful basis for processing, secure data storage, a data breach procedure, and appropriate data retention — are achievable for any institution in a matter of weeks with a clear plan and the right tools.
The single most impactful change most UK maktabs can make is moving student-specific personal data out of WhatsApp and personal spreadsheets and into a purpose-built, GDPR-compliant management system. This step addresses the three most common compliance failures simultaneously: insecure storage, inadequate access control, and inappropriate third-party processing.
Ilmify provides that compliant infrastructure — built specifically for Islamic educational institutions, designed for exactly the context of a UK maktab managing student data in 2026.