Statutory Policies for Schools: The Complete UK Guide for 2026

A new school business manager opens the policy folder on the shared drive. There are forty-six documents. Some are dated 2019. Two are called "FINAL_v3" and "FINAL_v3_REAL". Three are duplicates with slightly different titles. The headteacher asks which ones are statutory.

That question — which policies must a school have, by law — sounds simple. The honest answer is that there is no single clean list. Statutory policy requirements come from different pieces of education legislation, different bits of DfE guidance, the Equality Act, data protection law, and Ofsted publishing rules. The combined list is real but it lives across half a dozen sources.

This guide pulls those sources together for school business managers, MAT clerks, governors, and anyone whose job description quietly includes "make sure the policies are right." It covers what counts as statutory, the policies that must exist, the ones that must be on the school website, and the practical question most lists skip — how to keep forty-plus policies current without it eating a working week every term.

What "Statutory" Actually Means

A policy is statutory when a piece of legislation, statutory regulation, or DfE guidance under statutory powers requires the school to have it. Three categories of source create the requirement:

1. Primary legislation — Acts of Parliament that name the policy or require the school to have one (e.g. the Education Act 2002, Equality Act 2010, Data Protection Act 2018).
2. Statutory regulations — secondary legislation under those Acts that adds detail.
3. Statutory DfE guidance — guidance issued under statutory powers that schools "must have regard to." Schools can deviate only with good reason and a documented rationale.

Non-statutory policies are policies the school chooses to have because they are useful or expected — anti-bullying frameworks, mobile-phone policies, uniform policies — but where no specific law mandates them. Many schools treat non-statutory policies as functionally mandatory anyway, because Ofsted inspectors expect to see them and because they are good practice.

This guide focuses on the statutory list. The DfE's standalone "Statutory Policies for Schools and Academy Trusts" publication was withdrawn on 7 March 2024 — its content now sits inside the governance guides. For the current canonical view, cross-reference the Maintained Schools Governance Guide and the Academy Trust Governance Guide, which set out the statutory-policy expectations and review cycles this guide draws on throughout.

Different School Types, Different Lists

Statutory policy requirements are not identical across school types. The differences matter:

• Maintained schools — the local authority is the employer; statutory requirements come through the Local Government Act, Education Act, and DfE guidance for maintained schools.
• Academies and academy trusts — the trust is the employer; the Academies Act 2010 and the Academy Trust Handbook overlay additional requirements (financial regulations, scheme of delegation, conflict-of-interest declarations).
• Free schools and special schools — additional sector-specific requirements depending on the school's funding agreement and pupil cohort.
• Independent schools — different framework entirely; Independent School Standards Regulations 2014 set the requirements rather than the maintained-schools rules.

This guide focuses on maintained schools and academies, which together cover most state-funded education in England. If you run an independent school, the policy list looks similar but the underlying authority is different — start with the Independent School Standards Regulations, not the DfE governance guides.

The Core Statutory Policies (England, 2026)

The list below is grouped by theme. Each entry names the policy, the source of the requirement, and a one-line note on what it has to cover. Cross-check every entry against the current DfE governance guides — categories occasionally shift, and academy trusts may have additional requirements via the Academy Trust Handbook.

Safeguarding and Child Protection

• Child protection policy — required under Keeping Children Safe in Education (KCSIE). Must be reviewed annually, approved by the governing body, and published on the school website.
• Behaviour policy — required under the Education and Inspections Act 2006 and Education Act 2011. Must cover sanctions, rewards, and a written statement of behaviour principles set by governors.
• Anti-bullying — most schools embed within or alongside the behaviour policy. Section 89 of the Education and Inspections Act 2006 requires "measures to prevent all forms of bullying."
• Online safety policy — required by KCSIE alongside the child protection policy; covers filtering, monitoring, and acceptable-use rules.

Equality and Inclusion

• Equality information and objectives — required by the Equality Act 2010 (specifically the Public Sector Equality Duty). Schools must publish equality information annually and review objectives at least every four years.
• Special Educational Needs and Disability (SEND) policy and information report — required under the Children and Families Act 2014 and SEND Regulations 2014. Must be published on the website and reviewed annually.
• Accessibility plan — required under the Equality Act 2010, Schedule 10. Must show how the school will improve access to the curriculum, the physical environment, and information for disabled pupils. Reviewed at least every three years.
• Supporting pupils with medical conditions — required under Section 100 of the Children and Families Act 2014.

Curriculum and Assessment

• Curriculum policy — required for maintained schools under the Education Act 2002; expected for academies via funding agreement.
• Relationships, Sex and Health Education (RSHE) policy — required under the Children and Social Work Act 2017 and the RSHE Regulations 2019. Must be published on the school website and consulted on with parents.
• Collective worship — maintained schools must provide a daily act of collective worship under the School Standards and Framework Act 1998. Most schools embed in the curriculum policy.
• Charging and remissions policy — required by Section 457 of the Education Act 1996.
• Provider access policy (Baker Clause) — required under Section 42B of the Education Act 1997 (as amended); maintained schools and academies must publish how they enable providers of technical education and apprenticeships to access pupils in years 8 to 13.

Data Protection, Records, and Records Management

• Data protection policy — required under the UK GDPR and Data Protection Act 2018. Schools are data controllers and must have a written policy.
• Information security / records retention — schools must have records-management arrangements that satisfy data protection law. Many schools document this as a separate policy or schedule.
• Freedom of Information publication scheme — required for maintained schools (which are public authorities under the Freedom of Information Act 2000). Academies are also public authorities under FOIA.
• CCTV / surveillance policy — required if the school operates CCTV, under the Data Protection Act 2018 and the Protection of Freedoms Act 2012 surveillance camera code.

Health, Safety, and Premises

• Health and safety policy — required under the Health and Safety at Work etc. Act 1974 (for any employer with five or more employees).
• First aid policy — required under the Health and Safety (First-Aid) Regulations 1981 and the DfE first-aid guidance for schools.
• Fire safety arrangements — required under the Regulatory Reform (Fire Safety) Order 2005. Most schools document this as a fire safety policy plus the fire risk assessment.
• Educational visits / off-site activity policy — expected by DfE guidance and HSE publications on off-site visits; treated as functionally statutory by most schools and trusts.

Staffing and Employment

• Pay policy — required for maintained schools under the School Teachers' Pay and Conditions Document. Academies typically have an equivalent under their funding agreement.
• Capability and disciplinary procedures — required for maintained schools under the Education (School Teachers' Appraisal) Regulations 2012.
• Whistleblowing policy — required by the Public Interest Disclosure Act 1998. Academies must include whistleblowing arrangements under the Academy Trust Handbook.
• Code of conduct for staff — expected via KCSIE and DfE guidance; most trusts treat as mandatory.

Complaints and Governance

• Complaints procedure — required for maintained schools under Section 29 of the Education Act 2002, and for academies under their funding agreement and the Education (Independent School Standards) Regulations 2014.
• Governors' allowances policy — maintained schools must publish allowances arrangements; academies do so through the trust scheme of delegation.
• Scheme of delegation — required for academy trusts under the Academy Trust Handbook. Sets out who decides what across the trust, the local governing body, and individual schools.
• Conflict of interest policy — required for academy trusts under the Academy Trust Handbook.

That list is not exhaustive — it covers the statutory items that affect almost every school. Specialist provision (alternative provision, special schools, sixth-form colleges) adds further requirements; international links and boarding schools add more.

Policies That Must Be on the School Website

Statutory policy requirements are one thing; statutory website-publishing requirements are a separate, narrower list. The DfE's guidance for maintained schools and guidance for academies, free schools and colleges are the canonical sources.

The policies and information that must appear on the school website typically include:

• Admissions arrangements
• Behaviour policy
• Charging and remissions policy
• Complaints procedure
• Curriculum information
• Equality information and objectives
• SEND information report (and SEND policy)
• Pupil premium strategy and use-of-funds report
• PE and sport premium funding statement (primary)
• Year 7 catch-up funding (where applicable)
• RSHE policy
• Safeguarding/child protection policy
• Supporting pupils with medical conditions policy
• Accessibility plan
• Provider access policy

There are also required information items that are not policies but must be published — last Ofsted report, exam and assessment results, governors' details, and so on. The DfE guidance covers the full list. Treat the website list as a hard checklist: missing items create direct compliance gaps that Ofsted, the ESFA (for academies), and the DfE flag specifically.

Statutory Policies for Multi-Academy Trusts

Multi-academy trusts (MATs) layer additional requirements on top of the school-level list. The Academy Trust Handbook (annual edition published by the DfE / ESFA) sets out trust-level statutory requirements:

• Master funding agreement and supplemental funding agreements — the legal contracts under which each academy operates.
• Articles of association — the trust's governing document, agreed with Companies House and the DfE.
• Scheme of delegation — describing decision-making authority across trustees, the executive team, and local governing bodies.
• Reserves and investment policies — required by the Academy Trust Handbook.
• Conflict of interest register — required by the Academy Trust Handbook for trustees, members, and senior leaders.
• Whistleblowing arrangements — required across the trust, with route to trustees.
• Anti-fraud and anti-bribery policy — expected under the Academy Trust Handbook.

In a MAT, the question of which policies live at the trust level (single policy applied across all schools) and which live at school level (each school adapts to local context) is a governance design choice. Most trusts standardise safeguarding, finance, and HR at the trust level and let each school adapt curriculum, behaviour, and SEND policies to local need.

For a practical view of what trust-level governance looks like in practice, the DfE's Academy Trust Governance Guide sets out the principles and the roles. For the maintained-schools equivalent, see the Maintained Schools Governance Guide.

Review Frequencies: How Often to Update Each Policy

Statutory review frequency varies by policy. The most common cycles:

• Annually: child protection, KCSIE-aligned policies (online safety, behaviour, anti-bullying), SEND policy, complaints procedure, health and safety.
• Every two years: RSHE policy (review and consultation cadence is typically biennial).
• Every three years: accessibility plan, equality objectives review.
• Every four years: equality objectives are required to be reviewed at least every four years (Public Sector Equality Duty).
• As needed (event-driven): any policy where legislation, KCSIE, the Academy Trust Handbook, or local safeguarding partnership procedures change. Treat regulatory changes as immediate review triggers, not as a "wait until the annual cycle" event.

The full review-cadence picture is more nuanced — different funding agreements, Local Authority requirements, and trust-level rules can shift the dates. For a multi-regulator view of how cadence varies across CQC, Ofsted, the Charity Commission and councils, see our guide on how often UK policies should be reviewed.

What Goes Wrong (And What Inspectors Find)

Three patterns recur across schools that fail their first Ofsted policy check:

1. Out-of-date child protection policy. KCSIE is updated annually, usually published in the summer term to take effect from 1 September. A child protection policy still referencing the previous year's KCSIE version on inspection day is a flag.
2. Missing website items. Ofsted, ESFA, and the DfE all routinely check the published website list. Missing items (commonly: SEND information report, pupil premium strategy, provider access policy, accessibility plan) trigger immediate follow-up.
3. Policy and practice mismatch. The policy says one thing; staff describe a different practice. Inspectors look for alignment between the documented policy, what staff describe, and the evidence (training records, incident logs).

The first and second are operational. The third is a governance question — and it is the one inspectors weight most heavily. A current, well-aligned policy library is not just compliance; it is evidence of leadership.

A Practical Workflow for Managing the List

Forty-plus policies across multiple cycles, multiple owners, and multiple regulatory updates is not a job for a spreadsheet kept by one person. The practical workflow at school or trust level:

1. Build a policy register. Every statutory policy in one list with policy name, statutory source, owner, last reviewed, review frequency, next review date, and link to the live document. Our step-by-step guide to building a policy register covers the methodology, and the free Policy Register Template provides a starting structure.
2. Set automated reminders. A register without reminders becomes a static list. Reminders need to fire at 90, 60, and 30 days before review date, to the named policy owner, with escalation if the deadline passes.
3. Map to statutory sources. Every policy in the register should link to its source of authority — KCSIE section, Education Act section, Academy Trust Handbook clause, ICO guidance. When the source updates, you can immediately see which policies are affected.
4. Use the Ofsted statutory checklist. Our Ofsted Statutory Policies Checklist walks through the policies inspectors expect to find at a maintained school or academy, with the legislation behind each one. Run it annually as a gap check.
5. Calculate the review schedule. A 40-policy register with mixed cycles produces 40+ review dates per year. The free Policy Review Schedule Generator builds the schedule from your register and exports to your calendar so review deadlines don't get missed.
6. Review at the right governance layer. Some policies (child protection, finance, scheme of delegation) require trust-board or governing-body approval. Others can be approved by a committee or executive. Map the approval route in the register so the right people are signing off.

This is the work that turns a folder of forty-six documents into a working compliance system. Done well, it is invisible. Done poorly, it is the recurring fire your school business manager fights every term.

Frequently Asked Questions

What is a statutory policy in a school?

A statutory policy is one that legislation, statutory regulations, or DfE statutory guidance requires the school to have. The requirement may come from primary legislation (e.g. the Education Act 2002), secondary regulations, or guidance the school "must have regard to" (e.g. KCSIE).

How many statutory policies does a school need?

There is no fixed number. The DfE governance guides set out the statutory policies that apply to most schools — broadly in the region of 25-30 categories — but the precise number depends on the school type (maintained, academy, free school, special, sixth-form), pupil cohort, and the trust-level rules for academies.

Which policies must be on the school website?

The DfE guidance on what schools must publish online lists the policies and information that must appear on the website. The full list varies by school type — academies and maintained schools have slightly different requirements — but commonly includes the behaviour policy, SEND policy and information report, complaints procedure, RSHE policy, accessibility plan, equality information, and child protection policy.

What is the difference between statutory and non-statutory school policies?

Statutory policies are required by law or statutory guidance. Non-statutory policies are policies the school chooses to have because they are useful, expected, or good practice — but no specific law mandates them. Many non-statutory policies (anti-bullying frameworks, uniform, mobile-phone, lettings) are treated as functionally mandatory because Ofsted expects to see them.

How often should statutory school policies be reviewed?

Most statutory policies require annual review. KCSIE-aligned policies (child protection, online safety, behaviour) need annual review at minimum, and immediate review whenever KCSIE is updated. Some policies have longer cycles — accessibility plans run on a three-year cycle, equality objectives on a four-year cycle. Trigger-based reviews override the schedule when legislation or guidance changes.

Who approves statutory school policies?

Approval routes vary by policy and school type. Safeguarding, finance, and major operational policies typically require governing-body or trust-board approval. Curriculum and operational policies can often be approved at headteacher or executive level depending on the scheme of delegation. Academy trusts must follow the approval routes set out in their scheme of delegation.

Sources

• DfE: Keeping Children Safe in Education
• DfE: What Maintained Schools Must Publish Online
• DfE: What Academies, Free Schools and Colleges Should Publish Online
• DfE: Maintained Schools Governance Guide
• DfE: Academy Trust Governance Guide

This guide is designed for UK school business managers, MAT clerks, governors, and trustees who need a practical view of statutory policy requirements. It is not legal advice. Statutory requirements change — verify against current DfE guidance and your funding agreement before treating any policy list as exhaustive.