Using Automation to streamline your processing

In our final forum of the 2025 programme, we turned our attention to practical automation and how Trusts can make smarter use of the existing tools embedded within Microsoft and Google ecosystems. These platforms (Google Apps Script within Workspace and Power Automate within Microsoft 365) offer powerful, often underutilised capabilities that can meaningfully reduce the administrative burden tied to information governance and data protection responsibilities.

When it comes to statutory requests such as Subject Access and Freedom of Information, many Trusts still rely on spreadsheet-based logs. By introducing some light-touch automation, you can significantly streamline these processes. A simple form can collect request details directly from staff, parents, or pupils, feeding data straight into your log. From there, automated workflows can assign unique reference numbers, alert the appropriate academy or Trust stakeholders, calculate response deadlines, generate folder structures for evidence collation, and send periodic reminders based on the date of submission. They can even issue the initial acknowledgment email to the requester without manual intervention. To support this, you may wish to configure lookup tabs within your log that direct automation to the correct recipients and folder pathways based on the academy or department involved.

A similar approach applies to data breach management. Beginning with a form ensures consistent data capture, and automation can then assign references, pre-populate core sections of your investigation template, grant editor access to the investigation lead and notify those responsible for oversight. Scheduled reminders help ensure incidents continue to progress and aren’t inadvertently left unresolved.
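The request-log workflow described above (reference number, routing from a lookup tab, deadline, reminders, acknowledgement), sketched as an added example; it is not code from the forum or from TransforMATive. It is plain JavaScript so it runs in Node or inside a Google Apps Script form-submit handler. The academy names, addresses, folder paths, reference format, deadline rules and reminder offsets are all assumptions to replace with your own.

```javascript
// Added example. All names, addresses and rules below are constructed.

// Constructed "lookup tab": academy -> who to alert and where evidence is collated.
// A Map is used so a form value such as "constructor" cannot match an inherited property.
const LOOKUP = new Map([
  ["Oak Academy", { recipients: ["dpl.oak@example.org", "dpo@example.org"], folder: "Requests/Oak Academy" }],
  ["Central Team", { recipients: ["dpo@example.org"], folder: "Requests/Central Team" }],
]);
const FALLBACK = { recipients: ["dpo@example.org"], folder: "Requests/Unassigned" };

// Assumed deadline rules and reminder offsets: replace with your own procedure.
const RULES = new Map([
  ["SAR", { months: 1 }],       // one calendar month from receipt
  ["FOI", { workingDays: 20 }], // weekdays only; bank holidays are not modelled
]);
const REMINDER_DAYS_BEFORE = [14, 7, 2];

// Dates are handled as UTC midnights and exchanged as YYYY-MM-DD strings.
const parse = (s) => { const [y, m, d] = s.split("-").map(Number); return new Date(Date.UTC(y, m - 1, d)); };
const fmt = (dt) => dt.toISOString().slice(0, 10);
const addDays = (dt, n) => new Date(dt.getTime() + n * 86400000);
const isWeekend = (dt) => dt.getUTCDay() === 0 || dt.getUTCDay() === 6;

// Same date in the target month, clamped to month end (31 Jan -> 28 Feb),
// then rolled forward off a weekend.
function addCalendarMonths(dt, months) {
  const y = dt.getUTCFullYear(), m = dt.getUTCMonth() + months;
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  let out = new Date(Date.UTC(y, m, Math.min(dt.getUTCDate(), lastDay)));
  while (isWeekend(out)) out = addDays(out, 1);
  return out;
}

// Counting starts on the day after receipt.
function addWorkingDays(dt, n) {
  let out = dt;
  while (n > 0) { out = addDays(out, 1); if (!isWeekend(out)) n--; }
  return out;
}

function deadlineFor(type, received) {
  const rule = RULES.get(type);
  if (!rule) throw new Error("No deadline rule for request type: " + type);
  const start = parse(received);
  return fmt(rule.months ? addCalendarMonths(start, rule.months) : addWorkingDays(start, rule.workingDays));
}

// Next reference for this type and year, taken from the highest number already
// in the log (not the row count), so a deleted row never causes reuse.
function nextReference(log, type, received) {
  const prefix = `${type}-${received.slice(0, 4)}-`;
  const max = log.filter((r) => String(r.ref).startsWith(prefix)).reduce((hi, r) => {
    const n = parseInt(r.ref.slice(prefix.length), 10);
    return Number.isInteger(n) ? Math.max(hi, n) : hi;
  }, 0);
  return prefix + String(max + 1).padStart(3, "0");
}

// Turns one form submission into a complete log row and appends it to the log.
function processSubmission(log, sub) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(String(sub.received))) throw new Error("received must be YYYY-MM-DD");
  const type = String(sub.type || "").trim().toUpperCase();
  const deadline = deadlineFor(type, sub.received); // throws before anything is written
  const route = LOOKUP.get(String(sub.academy || "").trim()) || FALLBACK;
  const ref = nextReference(log, type, sub.received);
  const row = {
    ref, type, academy: sub.academy, received: sub.received, deadline,
    notify: route.recipients,
    folder: `${route.folder}/${ref}`,
    reminders: REMINDER_DAYS_BEFORE.map((n) => fmt(addDays(parse(deadline), -n)))
                                   .filter((d) => d > sub.received),
    acknowledgement: { to: sub.requesterEmail, subject: `Your request ${ref}: response due by ${deadline}` },
  };
  log.push(row);
  return row;
}

// Constructed sample: an existing log and one new form submission.
const sampleLog = [{ ref: "SAR-2025-001" }, { ref: "SAR-2025-004" }, { ref: "FOI-2025-002" }];
const sampleRow = processSubmission(sampleLog, {
  type: "sar", academy: "Oak Academy", received: "2025-10-15", requesterEmail: "parent@example.org",
});
console.log(sampleRow);
```

An unrecognised academy falls back to the central recipient and an "Unassigned" folder, so a mistyped form value still reaches someone who can triage it.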

The examples we explored during the AI & Data Protection forum represent only a fraction of what’s possible. Once you begin applying automation to routine governance tasks, it quickly becomes clear how much time and effort can be reclaimed, both for information governance teams and for colleagues across your wider organisation.

Thank you to everyone who has taken part in the AI & Data Protection forum throughout 2025. It has been a pleasure to learn from your experiences and to see the thoughtful, practical work happening across Trusts. The forum will be taking a hiatus during 2026, but we anticipate returning in some form in the future. Until then, keep up the excellent work, and do reach out to TransforMATive if you need support, whether for a small, immediate objective or a long-term strategic project.

Turning Your ROPA into a Powerful Data Protection Asset

Last week at the forum we discussed the statutory requirements for an Article 30 Record of Processing Activities (ROPA). Every organisation with data protection obligations has its equivalent of the Single Central Record (SCR), and in the world of data protection, that’s your Article 30 Record of Processing Activities. The Information Commissioner’s Office (ICO) considers this a crucial document and will often ask to see it during certain types of investigations.

While there are many complex systems available to help you manage this, in all honesty, a well-structured spreadsheet can often suffice. Beware of any vendor claiming their product is a ‘golden ticket’ as there will always be critical, specific fields that only your team can populate accurately.

The Statutory Requirements: What Article 30 Demands

The bare minimum requirements for your ROPA are clearly set out in Article 30 of GDPR. You must include the following mandatory fields:

  1. Controller and DPO Details: The name and contact details for the controller, and where applicable, the joint controller, representative, and Data Protection Officer (DPO).
  2. Purposes of Processing: A clear statement on why you are collecting the data.
  3. Categories of Data: A description of the categories of data subjects (e.g., Pupils, Parents, Staff) and the categories of personal data collected (e.g., Name, DOB, Health data, NI Number).
  4. Recipients and Transfers: The categories of recipients who have or will receive the personal data, including those in third countries or international organisations.
  5. International Transfers: Details of any transfers outside of the UK (which should also involve considering your data processors’ storage locations), including the identity of the country/organisation and the documentation of suitable safeguards (such as SCCs, adequacy decisions).
  6. Erasure Time Limits: Where possible, the planned time limits for erasure for the different data categories (e.g. 6 years, 12 months, or a link to your full retention policy).
  7. Security Measures: Where possible, a general description of the technical and organisational security measures. Here we should be thinking about access controls like passwords, MFA, granular permissions, and locked cabinets.

Elevating Your ROPA: Best Practice Fields

To make your ROPA a truly useful asset, we recommend capturing the following additional, best-practice fields:

  • Information Asset Owner: The senior individual responsible for the specific data set.
  • Storage Location: Where the data physically resides, such as MIS, CPOMS, or a specific folder within SharePoint or Google Workspace.
  • Lawful Basis: The Article 6 Lawful Basis you are relying on.
  • Special Category Exemption: The Article 9 special category exemption, if applicable.
  • Privacy Notice Details: The name of the privacy notice covering this processing and when it is supplied to the data subject.
  • Consent/LIA Location: A link to or a description of where the consent form or Legitimate Interests Assessment (LIA) is stored.
  • Access/Sharing: Who has internal access, whether the data is shared, and whether it is published.
  • Disposal Responsibility: Who is responsible for disposal and the method (e.g. secure shredding of paper, electronic system disposal).
  • Processor Organisation: Details of any processors involved.
  • System Details: Comprehensive details of the system storing the data including name, general description, contract status, vendor contact details, format (electronic/hard copy) and how data is transferred out of the system. These should be set up as different columns for ease of reference.

The Underappreciated Benefits of a Complete Register

A completed ROPA offers far more than simply satisfying a legal requirement. It provides underappreciated operational benefits that can significantly strengthen your data protection posture:

  • Faster Data Breach Response: It’s a quick reference document to identify the data types involved in a breach without needing to query colleagues or access the system. It helps you quickly identify and reach out to affected colleagues in other schools or business units.
  • Improved Privacy Notices: The ROPA clearly outlines the information that must be reflected in your notices.
  • Access Reviews: It facilitates regular checks to ensure access controls are adequate and that staff members only have access where there is a legitimate business need.
  • Promotes Data Awareness: The process forces colleagues across the organisation to actively think about what personal data they hold.
  • Data Location and Retention: You will know exactly where all your personal data is located and who is responsible for ensuring compliance with retention periods.
  • DPIA and Processor Tracking: It can highlight the need for further Data Protection Impact Assessments (DPIAs) and provides a mechanism to track and perform due diligence on processors and sub-processors.
  • Knowledge Gap Analysis: It exposes areas where colleagues lack understanding such as not controlling disposal, lack of access controls, or processing without a clear lawful basis.
  • Sharing and Risk Assessment: It helps you identify when data is being shared without a Data Processing Agreement (DPA) or Data Sharing Agreement (DSA) and whether the sharing method is considered ‘high risk’.

Finally, if you conduct internal audits, the ROPA serves as a valuable reference document. You can conduct sample checks on rows to ensure the data in the ROPA matches the live system, enabling a process of iterative improvement.
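One way to run the row checks described above over an exported register, as an added example that is not part of the original post. The column names, the finding wording and the sample rows are constructed; the split between required fields and "where possible" fields follows the Article 30 list earlier in this post, and the other checks follow the best-practice fields and the gaps listed under the benefits.

```javascript
// Added example. Column names and sample rows are constructed for illustration.

// Fields the post lists as mandatory, and those Article 30 asks for "where possible".
const REQUIRED = ["controller", "dpo", "purpose", "dataSubjects", "dataCategories", "recipients"];
const WHERE_POSSIBLE = ["retention", "securityMeasures"];

const blank = (v) => v === undefined || v === null || String(v).trim() === "";
const is = (v, ...options) => options.includes(String(v || "").trim().toLowerCase());

// Returns the list of findings for one register row (an empty list means no gaps found).
function checkRow(row) {
  const findings = [];
  for (const f of REQUIRED) if (blank(row[f])) findings.push(`error: missing ${f}`);
  for (const f of WHERE_POSSIBLE) if (blank(row[f])) findings.push(`warn: missing ${f}`);

  // A transfer outside the UK needs its safeguard (SCCs, adequacy decision) documented.
  if (!blank(row.transferCountry) && !is(row.transferCountry, "none", "uk") && blank(row.transferSafeguard)) {
    findings.push("error: international transfer without documented safeguard");
  }
  // Lawful basis, and where the supporting consent form or LIA is kept.
  if (blank(row.lawfulBasis)) {
    findings.push("error: no Article 6 lawful basis");
  } else if (is(row.lawfulBasis, "consent", "legitimate interests") && blank(row.consentOrLiaLocation)) {
    findings.push("warn: no consent form or LIA location recorded");
  }
  if (is(row.specialCategory, "yes") && blank(row.article9Exemption)) {
    findings.push("error: special category data without Article 9 exemption");
  }
  // Sharing without a Data Processing Agreement or Data Sharing Agreement.
  if (is(row.shared, "yes") && blank(row.agreement)) {
    findings.push("error: shared without DPA or DSA");
  }
  if (blank(row.disposalOwner)) findings.push("warn: no disposal owner");
  return findings;
}

// Audits every row; "row" is the spreadsheet row number, assuming headers in row 1.
function auditRopa(rows) {
  return rows
    .map((row, i) => ({ row: i + 2, asset: row.asset, owner: row.owner, findings: checkRow(row) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample register: one complete row and two with gaps.
const base = {
  controller: "Example Trust", dpo: "dpo@example.org", purpose: "Pupil administration",
  dataSubjects: "Pupils", dataCategories: "Name, DOB", recipients: "Local authority",
  retention: "See retention policy", securityMeasures: "MFA, role-based access",
  transferCountry: "None", lawfulBasis: "Public task", specialCategory: "No",
  shared: "No", disposalOwner: "Data manager", owner: "Headteacher",
};
const SAMPLE_ROPA = [
  { ...base, asset: "MIS pupil records" },
  { ...base, asset: "Safeguarding system", specialCategory: "Yes", shared: "Yes", transferCountry: "USA", retention: "" },
  { ...base, asset: "Newsletter mailing list", purpose: "", lawfulBasis: "Consent", disposalOwner: "" },
];

for (const r of auditRopa(SAMPLE_ROPA)) {
  console.log(`Row ${r.row} (${r.asset}, owner: ${r.owner})`);
  for (const f of r.findings) console.log("  - " + f);
}
```

Grouping the output by information asset owner gives each data protection lead a short list of their own rows to fix.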

Q&A Session

In many instances completing a ROPA is a retrospective exercise. It relies on unravelling the complex web of data flows and contracts whilst at the same time reacting to new processing activities across a range of areas. How do we make this more manageable?

The initial population of a ROPA can be a daunting and laborious task. Given that the requirement to populate came into force in May 2018, many organisations are now completing this retrospectively. It’s easy to get bogged down with the sub-processors, and in turn their own sub-processors, which can lead to losing sight of the purpose of the document. Analysis of the sub-processor tree is better suited to your due diligence vendor assessments and any DPIAs that you conduct. For the purpose of the register, focus on the locations (both electronic and hard copy) where personal data is held and then work backwards from there, documenting the information within those systems. If you are using a spreadsheet, don’t overload each row. For example, it’s often easier to split data sets into separate entries on your register when:

  • They are stored in multiple locations (have a row for the pupil data in your MIS and another for the same data you might have in Google Workspace / SharePoint).
  • There are physical copies as well as electronic (you’ll have different storage locations and access controls for each).
  • The classes of data subject require different lawful bases for the processing (you might want a row for the employee data in the MIS as well as a separate row for Pupil/Parent data).

Remember to document the main system that the data is stored in and the processor of that data. There’s no need to add extra rows to cover sub-processors which may have access to small subsets of the overall data set. Realistically this should be information on the processor’s information asset register.

To make population and maintenance more manageable:

  • Simplify the Process: If you are using a spreadsheet, use data validation features to create drop-down menus for fields with a limited number of possible options.
  • Delegate Responsibility: This is an organisational responsibility, not solely the burden of the DPO and their team. Unless your Trust retains complete control over all systems, you should not attempt to do it all yourself.
  • Appoint Leads: For medium-sized Trusts and above, we strongly recommend appointing a data protection lead in each academy and business unit. These individuals should be responsible for populating the types and locations of data as a bare minimum.
  • Provide Guidance: Prepare an example sheet illustrating best practice for both your academies and Central Business Units.

Final Thoughts

Creating and maintaining an effective ROPA isn’t about chasing perfection or compiling every conceivable detail. It’s about establishing a clear, accurate, and functional picture of how personal data moves through your organisation. By focusing on statutory essentials, enhancing your register with practical best practice fields, and keeping the process simple and collaborative, you transform the ROPA from a compliance obligation into a powerful operational tool. With defined responsibilities, sensible structure, and ongoing engagement across teams, your register becomes a living document that strengthens governance, sharpens awareness, and supports confident, proactive data protection practice.

Join us next month, when we’ll be looking at how your organisation can use automation to improve your data protection and AI governance processes. To register for the AI & Data Protection forum on Friday 5 December please click this link!

TransforMATive Innovation Lab: Data Leaders

I walked into Google’s London office with a simple aim. Could we move the conversation on from tools to value? By the end of the morning it was clear that the answer is yes, but only if we are honest about where we are and deliberate about where we are going.

We started with a tour of what is now possible. Gemini continues to mature at pace, from image and video generation to deep research and code on canvas. New workflow features promise to stitch everyday tasks together. That was exciting, but the best moment came when we looked past the feature list and into the architecture and guardrails that make this safe for schools. Enterprise deployment, data residency, sandboxing and clear human approval points. That is where confidence grows.

The highlight for me was a practical AI agent story. A simple HR assistant that answers routine questions, checks policy and prepares actions has already given real hours back each week. Nothing flashy. Just a clear problem, a small pilot and a measurable outcome. It reminded me that transformation is rarely a single leap. It is a series of well chosen steps that build trust and capability.

Across the room we heard the same pressures. Funding in real terms, staffing churn and the paradox of doing more with less. The easy response is to chase the next shiny tool. The harder and better response is to design our digital estate with the same seriousness we give to our buildings. Name the architect. Decide what good looks like. Integrate systems. Improve data quality. Measure the experience of staff and pupils, not just the cost line.

We used a value compass to ground our choices. Yes, efficiency matters. So does risk reduction, staff and pupil experience and, for some, new revenue models. When leaders frame decisions through that lens, conversations move from technology to strategy, which is where they belong.

If there was a single word that captured the day it was intent. Hope is not passive. It is choosing the next right step and taking it together. Our next steps are clear. Define the data leadership approach. Audit the digital estate. Pilot one safe AI agent with human approval in the loop. Share what works so we all move faster. My thanks to our speakers and to everyone who gave their time and thinking. The energy in the room was real. Now we turn it into outcomes.

Empowering Education Through AI: Reflections from Our AI in Education Conference

We were honoured to work alongside the brilliant Zaitoon Bukhari from ATC Trust to design and deliver this fantastic event.

Artificial Intelligence is no longer a futuristic concept; it’s here, reshaping the way schools operate, teachers teach, and learners engage. Our recent AI in Education Conference in collaboration with ATC Trust brought together educators, leaders, and innovators from across the sector to explore how AI can be harnessed responsibly, creatively, and effectively in schools and trusts.

The response was overwhelmingly positive. Delegates left feeling inspired, informed, and empowered to take their next steps toward meaningful AI integration. Here’s what they had to say.

Relevance, Quality, and Organisation: Setting a New Standard

Across the board, delegates rated the conference as Excellent or Very Good in every category, from the relevance of topics to the quality of speakers, networking opportunities, and overall organisation.

Attendees particularly valued the event’s balance between strategic vision and practical implementation. The sessions offered both high-level insight and hands-on guidance, equipping leaders to begin applying AI tools safely and effectively in their own contexts.

“The conference was excellent, informative, thought-provoking, and brilliantly organised. It gave us the confidence to move forward with AI in our schools.”

Learning, Sharing, and Taking Action

The conference provided a platform for collaboration and reflection. Delegates highlighted the panel discussions, workshops, and networking sessions as standout elements that encouraged sharing of ideas and strategies.

From ethical considerations to policy development, AI audits, and teacher training, participants left with a renewed sense of purpose and clarity about their next steps.

Many reported that they will now:

  • Audit their school’s current AI use
  • Develop or refine AI policies
  • Appoint digital champions to lead AI initiatives
  • Build staff confidence through targeted professional development

“It was so helpful to talk with colleagues about where we are now and where we want to be. The event gave us tools to create a clear strategy for AI in our trust.”

Themes That Resonated Most

While every session received positive feedback, several themes emerged as particularly impactful:

  • Practical implementation of AI in the classroom
  • Ethical and safeguarding considerations
  • AI for administrative efficiency
  • Personalised learning through AI
  • Teacher training and professional development
  • Policy and strategic planning for AI adoption

These themes highlight the education sector’s growing commitment to embedding AI not as a novelty, but as a sustainable, purposeful part of teaching and learning.

Inspiring Confidence and Collaboration

One of the strongest takeaways was the sense of collective optimism that filled the room. Delegates described the event as “a fear-free introduction to AI”; an opportunity to learn, question, and share ideas in a supportive environment.

“The conference created an open space to explore AI with confidence and curiosity. It’s helped us understand how to use AI safely and purposefully.”

By the close of the day, the message was clear: AI in education is not just about technology; it’s about people, pedagogy, and purposeful change.

Looking Ahead

Delegates also shared their hopes for future events, expressing interest in deeper dives into:

  • Ethical leadership in AI
  • Data protection and governance
  • Real-world case studies of successful AI implementation
  • Safeguarding and inclusivity in AI systems

The appetite for continued learning is strong, and it’s clear that educators are eager to shape the future of AI in education together.

Final Reflections

“The AI in Education Conference was an inspiring and empowering experience. The sessions were engaging, the discussions were rich, and the takeaways were immediately actionable. It was the perfect balance of strategy and practice: a must-attend event for any school leader looking to embrace AI with confidence.”

As AI continues to evolve, so too does the educational landscape. Events like this one play a crucial role in helping schools and trusts navigate that journey; ensuring that innovation is always grounded in ethics, inclusion, and impact.

Privacy Notices: Statutory & Best Practice

Last week at the forum we discussed how to construct a privacy notice, considering both statutory required inclusions and other useful information. Whilst we discussed privacy notices generally there was an underlying focus on changes that may be required for organisations adopting AI systems and AI features that have gone live in their current systems.

Setting the Ground Rules: The Importance of Transparency

Privacy notices are how organisations comply with the transparency principle set out in Articles 13 & 14 UK GDPR. Being open and upfront about what you do with people’s personal data helps you deal with them in a clear and transparent way. This makes good sense for any organisation and is key to developing trust with individuals.

There is no prescriptive legislative description of how a privacy notice should be set out although it does need to include the following types of information:

  • The name and contact details of your organisation
  • The contact details of your data protection officer
  • The purposes of the processing
  • The lawful basis for the processing: explain which lawful basis you are relying on in order to collect and use people’s personal data and/or special category data.
  • The legitimate interests for the processing
  • The recipients, or categories of recipients of the personal data
  • The details of transfers of the personal data to any third countries or international organisations
  • The retention periods for the personal data
  • The rights available to individuals in respect of the processing
  • The right to withdraw consent and how
  • The right to lodge a complaint with a supervisory authority: tell people that they can complain to a supervisory authority.
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data: tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.
  • The details of the existence of automated decision-making, including profiling. This is particularly important when AI is being used for placing pupils in capability related classes, exam levels and similar decisions which have a significant effect on a pupil.

AI & Privacy Notices: New Challenges

Any AI systems that process personal data must be included in the recipients and international transfers sections at a minimum. If a system is entirely AI, you should explain what the system is used for, who the vendor is, and the name of the system. It may be easier and more user-friendly to add a separate AI section addressing these systems. If AI features have been added to existing systems, you should expand the section of your notice that refers to that system/processor to explain the feature. This might include, for example, transcribing tools in Teams/Google Meet or grading in edTech systems.

For any systems used for automated decision-making and/or profiling, there are extra legal provisions to comply with. You should confirm your use of AI-enabled decisions, when you use them, and why you choose to do this, including which systems and vendors are involved. It is important to include a “human-in-the-loop” for decisions that have legal or similar effects, as Article 22 gives individuals the right not to be subject to a solely automated decision.

Article 21 of the UK GDPR also gives individuals the right to object to any profiling that you carry out on the basis of legitimate interests or a public task. In these cases, an individual can object on grounds relating to their particular situation. This applies to all systems and not just those which use AI.

If you do not use AI for automated decision-making and/or profiling, it can be useful to state this within your privacy notice, but you would need to be certain that edTech systems aren’t being used in this way in any of your schools. Given that vendors are rushing to introduce AI in their systems, it might not be possible to confidently state this in your privacy notice.

Q&A Session

A great debate emerged during our Q&A session about centralised control versus academy-level autonomy when it comes to privacy notices. Privacy notices are the responsibility of the ‘data controller,’ which in a multi-academy trust (MAT) is the Trust itself, not the individual academies. While there’s nothing stopping a Trust privacy notice from having a section relating to processing at each individual academy, this may be redundant.

The question to consider is what school-specific information would be included that couldn’t already be part of the Trust notice. If this relates to the use of systems, it may be worth adding in a paragraph for a specific school under the relevant section.

It’s also worth splitting your privacy notices into separate documents for different classes of data subjects, as a single notice can become quite large. This could include separate notices for pupils, parents/guardians, staff, governors/trustees, and suppliers/contractors. You might also consider a visitor notice, especially if you have CCTV on site.

Final Thoughts

Privacy notices and the implications of AI are complex topics, and these are just some of the key takeaways from our forum discussion. As we move forward, we’ll continue to explore new challenges. Our next session will be on 14 November at 12:45 pm, where we’ll be diving into the latest on Article 30 Record of Processing Activities including what’s required and recommended process for populating

I look forward to seeing you there!

Click here to add it to your Google Calendar or download the attached .ics file at the bottom of this blog post.

Thanks again to everyone who joined the session. See you at the next one.

Please feel free to reach out if you would like to find out more about our range of data protection, information governance & AI governance services.

Kicking off the 2025/26 Academic Year: Processing subject access requests efficiently

Earlier this month, I had the pleasure of hosting attendees at our first AI & Data Protection Forum of the academic year. The forum is a practical and open space for professionals in the education sector to come together and discuss real-world questions about AI, governance, and data protection. While we’ve talked a lot about AI recently, this session focused on another critical topic: efficiently handling subject access requests (SARs).

Acknowledge and set expectations

When you receive a SAR, the first step is to acknowledge it. This is also your chance to set expectations and make things easier for your organisation. Here’s what you should include in your acknowledgment correspondence:

  • Clarification: If any part of the request is unclear, this is the time to ask for clarification.
  • Privacy Information: You should attach a copy of the relevant privacy notice for the data subject (e.g. parent, pupil, or staff). It’s also helpful to include a link to your Data Protection Policy, as it contains additional useful information for the data subject.
  • Legal Rights: The acknowledgment should inform the data subject of their right to file a complaint with the ICO. It’s also beneficial to mention their right to enforce their request through the courts via s.167 of the DPA 2018.
  • Response Deadline: You should provide a deadline for your response if possible. Keep in mind that the time limit is extended until you receive clarification or ID from the requester.
  • Pupil Information: It’s important to note that Regulation 5 of The Education (Pupil Information) (England) Regulations 2005 does not apply to multi-academy trusts. If a request is made under this legislation, you should inform the requester that it will be processed as a SAR instead.

Applying Exemptions: A Crucial Step

Once you have gathered all the data, you can begin applying exemptions. It’s crucial to gather all relevant data first and not preemptively exclude information based on potential exemptions.

You may refuse a request entirely if it’s considered manifestly unfounded or manifestly excessive.

  • A request is manifestly unfounded if the individual has no intention of exercising their right of access, such as offering to withdraw the request for a benefit. It can also be considered unfounded if the request has a malicious intent, like harassing the organisation.
  • A request is manifestly excessive when it’s “clearly or obviously unreasonable”. This judgment should be based on whether the request is proportionate to the burden and cost of handling it. This often applies when a request largely repeats previous ones and a reasonable amount of time hasn’t passed since the last request.

Common Exemptions to Consider in the Education Sector:

  • Third-party data – Schedule 2, Part 3, paragraph 16(1): You will likely need to redact third-party data as it’s rare for data sources in the education sector to not include data relating to other individuals. Remember there is a “presumption of reasonableness” for disclosing the names of teaching staff in pupil data requests but this doesn’t apply to other individuals like parents or staff.
  • Child abuse data – Schedule 3, Part 5, paragraph 21(3): Child abuse data is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18. This exemption only applies if the request comes from someone who has parental responsibility.
  • Serious Harm – Schedule 3, Part 4, paragraph 19: The serious harm test can apply to any class of data subject whenever complying with the request would be likely to cause serious harm to the physical or mental health of any individual. This exemption overrides the “presumption of reasonableness” for disclosing the names of teaching staff in pupil data.
  • Legal privilege – Schedule 2, Part 4, paragraph 19: If legal professional privilege applies to the data then it is exempt from disclosure to a data subject.
  • Exam data – Schedule 2, Part 4, paragraph 25: For pupil data, you must redact an individual’s answers from exam scripts but keep the examiner’s marks and comments. This exemption extends the response period to five months from the request date or 40 days from the announcement of exam results, whichever is earlier. You need to inform the requester of this extended deadline in your acknowledgment.
  • Staff data: You may need to apply exemptions for confidential references, records of potential negotiations, or management data such as redundancy or restructure considerations.

When responding, you must include details of the exemptions that have been applied, citing the relevant sections of the Data Protection Act 2018. When applying the serious harm test or the child abuse data exemption, you do not need to confirm you even hold the data and it is acceptable to refer to the exemption by the schedule alone. For example, you could use the phrase “The Trust does not process the data which has been requested” or “The data that you have requested is subject to an exemption under Schedule 3, Data Protection Act 2018.”

The High Court decision in Ashley v HMRC [2025]

Ashley v HMRC [2025] offers important insights into what constitutes “disproportionate effort” in responding to a SAR. The court found that this isn’t limited to the time spent searching for data but can also include other difficulties in complying with the request. This may include time spent applying exemptions or redacting data.

However, the ruling also clarified that time alone isn’t proof of disproportionate effort. In this case, HMRC’s argument of spending 150 hours on a request was challenged, as the time was largely spent on applying erroneous exemptions and dealing with poor data systems.

This decision highlights the need to have efficient systems and to ensure that any time spent on a SAR is necessary and justifiable when arguing that the request is disproportionate.

Final Thoughts

Subject access requests can be complex, and these are just some of the key takeaways from our forum discussion. As we move forward, we’ll continue to explore new challenges. Our next session, on Friday 10 October at 12:45pm, will delve into the statutory requirements of your organisation’s privacy notices, particularly as the education sector continues to adopt AI features.

Click here to add it to your Google Calendar or download the attached .ics file.

Thanks again to everyone who joined the session—you made it what it was. See you at the next one.


Matthew

Building Resilience in a Digital Age: Reflections from the TransforMATive & Xentra Roundtable

On 18th June, TransforMATive, in partnership with Xentra, brought together a select group of education leaders, digital strategists, and cybersecurity experts from across England’s multi-academy trust (MAT) sector for a powerful roundtable dinner in Birmingham. The focus: Data Resilience in Educational Transformation — a theme growing ever more urgent as trusts scale digital systems, embrace AI, and face an increasingly complex threat landscape.

This was not a session about technology for technology’s sake. It was about responsibility, risk, and readiness. The discussions went far beyond the usual tick-box compliance mindset and instead tackled the deeper cultural and strategic challenges facing the sector. Together, we explored how cyber resilience is no longer a peripheral IT concern but a fundamental pillar of operational, reputational, and educational continuity.

Key Themes and Takeaways

1. Cybersecurity is Strategic
MAT leaders are rightly repositioning cyber risk as a strategic issue that impacts every area—from governance and learning to trust growth and community confidence. It must be owned from the top.

2. Culture Over Compliance
The sector is waking up to the limitations of surface-level schemes such as Cyber Essentials. True resilience demands an embedded culture—one rooted in awareness, ownership, and continuous learning.

3. Leadership is Pivotal
Cyber maturity is not achieved by IT teams in isolation. It requires executive sponsorship, cross-functional collaboration, and empowered technical leadership across the organisation.

4. Simulation Matters
Regular phishing simulations, tabletop exercises, and breach rehearsals were seen as essential tools in developing readiness and building confidence at all levels.

5. Secure by Design
Trusts must move beyond bolted-on security solutions. Instead, resilience must be baked into the design of systems, procurement processes, and digital transformation strategies from the outset.

Recommendations for Trust Leaders

  • Secure senior ownership by appointing a board-level sponsor for digital risk.
  • Invest based on maturity and threat, not just frameworks.
  • Develop internal capability and independent assurance to avoid over-reliance on individuals or vendors.
  • Embed cybersecurity as a life skill, not a policy.
  • Plan for the inevitable, with a clear incident response playbook and 24/7 monitoring.

Looking Ahead

This roundtable reaffirmed the sector’s growing recognition that resilience isn’t about reacting to threats—it’s about building trust, safeguarding progress, and securing the future. As we continue to support trusts across the country, we remain committed to fostering the leadership, capability, and culture needed to navigate these challenges with confidence.

If your trust is ready to take the next step in its digital and cyber maturity journey, get in touch. We’d love to help.

Curiosity to Capability: Reflections on the Google Leaders Series

Earlier this month, I had the opportunity to attend the Google Leaders Series in London, a gathering of education leaders, digital strategists and sector partners focused on one urgent question: what does meaningful AI adoption in education actually look like?

This was not a product showcase or a tech demonstration. It was a timely, thoughtful and energising event that placed people, purpose and pedagogy at the heart of the digital transformation conversation.

From Possibility to Practice

The day opened with a keynote from Jos Dirkx, whose message was as powerful as it was timely. AI is not a future issue, it is a present one, and how we choose to think about it will define how we use it. Whether with a mindset of curiosity, creativity or service, she challenged us to see this moment not only as a technological shift but a deeply human one.

We heard from trusts including Cidari, LEO Academy and Tiffin Girls’ School, each of whom shared practical insights about their own journey with AI. From using Gemini to reduce administrative workload to embedding assistive tools for learners with SEND, the common theme was clear. AI has enormous potential, but only when it is aligned with real priorities and grounded in the realities of the classroom.

Leading With Purpose, Not Panic

Throughout the event, there was a strong focus on ethical leadership. Google’s reaffirmation of its position on data privacy and the UK Government’s guidance on the use of student work in generative AI models were welcome reminders of the responsibilities that sit alongside innovation.

As leaders, we must ensure our approach is governed by thoughtful questions. Are we embedding equity into our systems and decisions? Are we prioritising pedagogy over convenience? Are staff confident, equipped and engaged, or are they overwhelmed by complexity?

At TransforMATive, these are the same questions we explore during our AI workshops with trusts. It was reassuring to see this level of ethical scrutiny mirrored so strongly throughout the event.

From Inspiration to Implementation

The afternoon sessions brought those big ideas back to ground level. Practical workshops guided us through a five-step model for AI implementation, covering strategy development, stakeholder engagement, pilot planning and ongoing governance.

What This Means for Our Sector

At TransforMATive, we continue to champion the idea that AI should not replace human judgement. Instead, it should help reclaim time, reduce friction and enable educators to focus on what really matters: relationships, creativity, and impact.

The Google Leaders Series was a powerful reminder that the conditions for effective digital change are already emerging. The tools are ready. The ideas are flowing. What matters now is leadership that can turn vision into momentum, and momentum into meaningful change.

For the trusts we support, events like this provide far more than inspiration. They serve as a springboard for action, offering clarity, credibility and confidence.

Final Reflections

As we look ahead to a new academic year, one thing is clear. AI in education is no longer a conversation about the future. It is a conversation for now. It requires maturity, humility and strategic intent.

To everyone involved in the Google Leaders Series, thank you for creating a space where education leaders could listen, reflect and lead with purpose. You have helped us all move from curiosity to capability.

Let us keep this energy going. Let us continue to share, collaborate and build the systems our children deserve.

The future is not something we wait for. It is something we shape, together.

Strategy to Inspiration: Exploring the Art of the Possible at Google HQ

Over the past year, TransforMATive colleagues have had the privilege of supporting a growing number of trusts on their digital transformation journeys. Each one starts in a slightly different place, with its own set of challenges, strengths and ambitions. But at the heart of every conversation is a shared goal: to make technology work meaningfully for staff and students.

For The Howard Academy Trust, this journey has involved a deep dive into strategic discovery, focused on aligning digital investment with long-term improvement. As part of that work, Lisa recently supported senior leaders from the trust to attend a Google Discovery Day at Google HQ in London, and it proved to be a genuinely transformative experience.

Seeing the Art of the Possible

The event, hosted by Google and Getech, was designed for education leaders new to the Google ecosystem. It was an opportunity to step out of the everyday and explore what’s possible when strategy, collaboration and innovation come together with the right tools in place.

Interactive sessions gave our clients hands-on experience with Gemini, Google Workspace and ChromeOS. More importantly, the day created space for reflection on how AI and automation might reduce teacher workload, how shared platforms can support more agile working, and how infrastructure choices can either limit or unlock progress.

For leaders navigating difficult terrain (rising pressures, stretched budgets, workforce fatigue), it was an energising reminder of what digital can make possible when approached thoughtfully.

From Curiosity to Clarity

One of the most valuable aspects of the day was the shift in mindset it encouraged. Digital strategy is not just about systems or savings. It’s about creating the conditions for people to thrive.

The Howard Academy Trust came away with greater clarity around:

  • The role of cloud collaboration in improving operational flexibility
  • How AI-powered tools can support, not replace, professional judgement
  • The importance of aligning digital decisions with organisational values and priorities

This event didn’t just add to their digital to-do list. It helped refine their digital why.

Designing for Impact

At TransforMATive, we often talk about the difference between digital activity and digital impact. Strategy is the bridge between the two. That’s why experiences like the Discovery Day matter. They offer leaders the chance to step back, explore possibilities, and return with fresh insight to apply within their own context.

For The Howard Academy Trust, this visit formed one part of a broader discovery and planning process. But it played a key role in surfacing questions, validating priorities, and building confidence around next steps.

It’s a model we’ll continue to use with other trusts, not as a one-size-fits-all solution, but as a way to inspire ambition and bring digital thinking to life.

Final Reflections

In a sector facing constant challenge, it’s easy to become reactive. To focus only on compliance, firefighting, or the next procurement cycle. But real transformation starts when we create time to explore, imagine and question.

Attending a Discovery Day at Google HQ reminded us that digital change is not just about what we use; it’s about why and how we use it. It reaffirmed that technology should serve people, not the other way around. And it highlighted the power of stepping outside our daily environments to see the bigger picture.

As we continue supporting trusts on their digital journeys, we’ll keep creating these moments of inspiration. Because sometimes, the best way to move forward is to simply look up and reimagine what’s possible.

From Pressure to Possibility: Financial Leadership and the Power of the Tribe

As this academic year draws to a close, I have been reflecting on one of its most meaningful developments: the formation of the TransforMATive Tribe. What began as a network of 14 MAT CFOs within reach of Leeds has grown into something far more powerful. It has become a movement rooted in collaboration, insight and shared purpose.

Together, we have faced significant financial pressures, uncertain pay settlements and the ongoing demands of a maturing system. Rather than weather these challenges in isolation, we came together to respond with clarity, confidence and community.

Shared Struggles, Shared Strength

It all started with a dinner table. Breaking bread with colleagues set the tone for what followed: honest conversation, mutual support, and the sharing of practical strategies. Throughout the year, our discussions have covered everything from automation and procurement to income generation and benchmarking.

What has stood out to me is not only the depth of expertise around the table, but the generosity with which it has been shared.

Recipes for Resilience

Our collective learning has now been captured in the CFO Playbook: Recipes for Financial Success. This practical guide shares real examples of action and impact across three core themes:

  • Operational Efficiency
  • Income Generation and Diversification
  • Effective Benchmarking

Whether it is Red Kite’s automation of procure-to-pay (saving 575 hours annually) or Australia MAT’s centralised finance model built on specialist roles, each recipe offers tested ideas for trusts to adapt and implement.

These strategies are not theoretical. They are grounded in real practice and designed to be useful across the sector.

Collaboration That Builds Capacity

One of the key messages that emerged throughout the year is that collaboration builds capacity. Melissa’s reflections from STAR MAT highlighted this beautifully. From procurement alignment to resource sharing and preparation for merger, her trust’s journey is a powerful reminder that meaningful change often begins with shared intent.

James’ leadership on finance benchmarking was equally impactful. His work moved beyond surface-level comparisons to deliver sector-led, detailed analysis of cost per pupil across finance processes. This approach helps trusts make evidence-informed decisions and understand the hidden costs of routine operations.

Taking Control in Uncertain Times

As Stuart McCluskey from Civica noted, many of our discussions were marked by a real sense of urgency. In some sessions, announcements about funding or pay awards were unfolding in real time. But rather than react passively, Tribe members responded with intention.

We heard examples of trusts generating income through gym memberships, wraparound childcare and selling services. These approaches are not just about resilience. They are about trusts taking greater control of their financial futures in order to invest in what matters most.

A Platform for What Comes Next

I am incredibly proud of what the Tribe has achieved this year. The CFO Playbook is a significant output, but the real success lies in the relationships built and the collective ambition it represents.

This model of peer-led collaboration is one we hope to build on, whether through future regional tribes or deeper exploration of key themes. We know that many trusts across the country face similar challenges, and we hope this resource is both relevant and helpful.

Final Reflections

If there is one thing this year has reinforced, it is that financial leadership in education is no longer just about managing risk. It is about creating opportunity. The most effective leaders are not only improving processes, they are strengthening culture and aligning resources to purpose.

To everyone who contributed to the Tribe, thank you. You have demonstrated that even in the most challenging conditions, possibility emerges when we choose to work together.

Let us keep building from here. Together.