Academies Plus – October 2025
As we move through 2025, the financial landscape for the UK academy sector is one of both challenge and opportunity. With increased scrutiny on public spending, ever-evolving regulatory frameworks, and the ongoing impact of national and global economic pressures, academy trusts are being forced to reassess their financial strategies and operational models. Yet, this period of uncertainty also presents a unique opportunity for trusts to rethink how they approach funding, financial management, and long-term sustainability.
The start of the year saw a shift in the way funding is allocated, with government priorities reflecting a stronger emphasis on educational equity, the digital transformation of learning, and the drive towards net-zero carbon targets. For academies, this means more than just managing budgets – it requires a keen understanding of the broader economic and political context that is shaping education funding at every level.
Furthermore, mental health and well-being continue to be high on the agenda for UK schools, with increasing pressure on academies to provide adequate support for both students and staff. A report earlier this year from the Children’s Commissioner reported that one in five children in the UK experience mental health difficulties, a statistic which is worsening over time, with many schools struggling to provide the necessary services within their current budgets. In response, the government has allocated additional funding for mental health support in schools, with a focus on early intervention and training for staff.
This issue’s topics
In this edition of A+, we aim to provide key insights and commentary on the latest developments in financial planning for trusts, helping leaders navigate these changes and seize the opportunities they present. From adapting to new funding formulas to effectively dealing with evolving risks and managing capital expenditure, we know that you need all the help you can get to make informed decisions that will ensure the long-term sustainability of your organisation.
As always, our priority is to help you achieve financial resilience in an environment of constant change. We encourage you to stay engaged, share your thoughts, and leverage the resources provided to drive forward your academy’s mission of educational excellence.
We hope this edition serves as a valuable resource in your ongoing journey towards financial sustainability.
Academy Trust Handbook 2025 updates
By Danna Lukic, Director, Moore Kingston Smith
The 2025 edition of the Academy Trust Handbook introduces several updates and clarifications reflecting evolving practice and policy priorities. Changes include a focus on areas which require trusts to consider longer term action planning and where new supplementary guidance has been signposted, including:
The expectation on trusts in respect of digital and technology standards has been strengthened, such that trusts should have an understanding of the extent to which they are meeting the Department for Education’s (DfE) digital and technology standards and be working towards meeting the six core standards by 2030. A link is given to the DfE’s self-assessment tool to help with this. Confirmation has also been made that trusts must not pay any cyber ransomware demands.
A link to the DfE’s updated guidance and support on sustainability has been added to the supplementary guidance that trusts should read, signposted by the handbook. This refers to the DfE’s strategy encouraging all education settings to have nominated a sustainability lead and a climate action plan by 2025. Wherever you are on your sustainability journey, this guidance and support will help you.
Further guidance has been provided on estates management, with a link to the new School Estate Management Standards published in April 2025, setting out suggested actions for different levels of effective estates management. All schools should be at Level 1 as the baseline starting point and progressing to Level 3.
Some other notable changes
- Executive pay: clarification that decisions about executive pay may be challenged by the DfE, and there must be a documented pay policy which sets out the process for determining executive pay including requirement for board
approval. - Procurement: signposting to further guidance and support on procurement, adding that appropriate due diligence must be in place in respect of procurement. Trusts should also consider DfE opportunities when making purchasing decisions for goods and services.
- Recovery of funds: confirmation that the department may recover funds where there is evidence of irregularity or fraud.
The changes do give trusts cause to act. There are a number of areas where policies and processes should be reviewed against updated expectations, and areas where self-assessments should be made against DfE recent guidance and action plans should be created to meet any gaps.
Extra reporting requirements for large companies
By Danna Lukic, Director, Moore Kingston Smith
As multi-academy trusts (MATs) grow in size, there are different thresholds which can be breached, triggering new requirements which can impact your financial statements. A key threshold is when MATs qualify as a large company. This applies if two or more of the following conditions are met in two consecutive financial years or at two consecutive balance sheet dates (note that the thresholds did change during 2025):
To 5 April 2025:
- Gross annual income over £36 million.
- Gross (total) assets over £18m million.
- More than 250 employees (average headcount of contracted staff).
From 6 April 2025:
- Gross annual income over £54 million.
- Gross (total) assets over £27 million.
- More than 250 employees (average headcount of contracted staff).
Large companies need to be aware of the two following requirements:
Payment practices
MATs meeting the large company criteria have a legal requirement to report on payment practices biyearly, for the two six-month periods of the year within 30 days of the end of each six-month period. This is reported and published through an online service provided by the government which is available to the public. Reporting is required on statistics in respect of
time taken to make payments to suppliers, and narrative descriptions of how the trust works with its suppliers.
There have been some changes in the reporting that will be required for September 25 to August 26 academic years, with new requirements to report the following:
- The sum total of payments made during the reporting period; and
- The percentage of payments that were paid during the reporting period which were not paid within agreed terms because of a dispute.
There must also be a statement on whether the payment practices and policies of the trust include, or do not include retention clauses in qualifying construction contracts, and where a business makes a statement that retention clauses are included in their construction contracts – further information must be submitted.
The information submitted here may be helpful for trustees to consider when preparing the Engagement with Suppliers section of the strategic report within the trust’s year-end accounts.
Streamlined Energy and Carbon Reporting (SECR)
Large companies consuming more than 40,000 kWh of energy (in the UK) in a reporting period must include relevant disclosures within the trustees’ report including:
- the organisation’s UK energy use and associated greenhouse gas emissions, as a minimum relating to gas, purchased electricity and transport fuel in the period;
- its energy use and emissions;
- an emissions intensity ratio;
- methodologies used in the calculations; and
- measures taken to improve energy efficiency in the period.
The Department for Education has updated its good practice guide on SECR, which includes worked examples of the disclosures required. It also specifies that trusts should use the 2025 conversion factors for the 2024 to 2025 financial year to help measure energy consumption in common units, as these cover the greatest proportion of the year.
Essential cyber and data updates for academies and multi-academy trusts
By Richard Jackson, Data Protection Officer, Moore ClearComm
In previous editions of Academies Plus (A+) I emphasised the ever-rising cyber risk for academies and multi-academy trusts (MATs). In addition, the trend of accidental data breaches continues to rise – with several high-profile incidents occurring in the first weeks of the new school year.
Along with health and social care, education is consistently at the top of the sectors most likely to experience a cyber attack or data breach.
Why is education at risk?
Several factors make schools prime targets for cybercriminals, while also contributing to a high volume of accidental data breaches:
- Valuable personal and financial data: schools process large amounts of sensitive data, including personal information about students, staff, parents, volunteers, and suppliers.
- Limited resources: for many schools, budget constraints dictate that cyber security and data protection are not at the top of the list of their priorities. As a result, there can be weaknesses in both technical defences and staff awareness – leading to hacks and accidental data breaches.
- Home and remote learning: over the past five years there has been a dramatic increase in the deployment of online learning platforms and cloud-based services, in turn increasing the potential for breaches or attacks.
- Reduced diligence: research carried out by 9ine found that “…over 28% of teachers admitted they share a password…”, which (considering one in three devices in schools contain sensitive personal data) is extremely concerning.
- Schools are an easy target: cybercriminals target sectors they know to have weak technical defences in place, a lack of awareness (leading to a higher-than-average propensity to click a phishing link), and sectors where the personal and financial data being processed is worth the time and effort to obtain. Education is unfortunately at the top of that list, alongside healthcare. Schools also face a rising insider threat from students whether through intentional misuse of systems, or accidental actions that compromise data security.
AI and data protection
The use of Artificial Intelligence and the possibilities of where it might lead us have been some of the most talked about subjects in society and the media over the last few years. In schools, the impact and risks of AI go beyond data protection concerns, with education professionals forced to deal with a wide range of effects in the classroom and within student work.
Schools must recognise that if staff or students enter personal data (defined as any information that relates to or can be used to identify a natural living person) into AI tools, this immediately counts as the processing of personal data within UK legislation.
In addition, data subjects (students, parents, volunteers etc) must be given the opportunity to exercise their rights in relation to any data processing. This includes scenarios where decisions are made about them using automated processing, or where their personal data becomes part of an AI model for future decision-making.
AI is a potential minefield for schools, and its evolution has been so fast that the implications for data protection and security are still to be fully explored or realised.
Data protection and exam results
This is a highly sensitive subject for students, parents, and educators – therefore the following guidance is intended to raise awareness and (possibly) debunk some common myths.
For students who have just received their exam results, it is common and understandable that many are interested to find out more about how they were marked, and the comments made about them and their exam paper, especially when they may have not received a grade they had hoped for or expected. In some instances, they may even want to make an appeal against a mark they have been given.
The UK GDPR gives students the right to see information held about them. This means they can request information about themselves and their exam performance, including:
- their mark;
- comments written by the examiner; and
- minutes of any examination appeals panels.
However, it does not give them the right to copies of their answers to exam questions – which in many cases is the information students seek and request via a Data Subject Access Request (DSAR). Not obtaining that information leads, naturally, to disappointment and frustration.
The school must respond to the DSAR within one calendar month, though if a student requests their results before they have been announced, the response must be:
- within five months of the date of the request; or
- within 40 days from when the results are published (whichever is earlier).
Information Commissioners Office (ICO) report: Insider threat of students leading to increasing number of cyber attacks in schools
The ICO recently published an alarming report, highlighting that:
- most insider cyber attacks in UK schools are caused by students; and
- many breaches are linked to weak passwords or stolen logins exploited by pupils.
Analysing data between January 2022 and August 2024, the ICO reviewed 215 data breach reports from the education sector. It found 57% of incidents were caused by students, and that nearly a third stemmed from stolen or guessed login details, with pupils responsible for 97% of these cases.
The ICO highlighted the following case studies:
- A seven-year-old was involved in a data breach and subsequently referred to the National Crime Agency’s Cyber Choices programme to help them understand the seriousness of their actions.
- Three Year 11 students aged 15 or 16 unlawfully accessed school databases containing the personal information of more than 1,400 students.
- A student illegally logged into their college’s databases using a teacher’s details and changed/deleted personal information belonging to more than 9,000 staff, students and applicants.
Read the full report here: Insider threat of students leading to increasing number of cyber attacks in schools | ICO
The following are examples of recent high-level security breaches
Tudor Grange Academy, Birmingham (September 2025)
A recent data breach affected hundreds of students at a Birmingham secondary school.
In an email sent to parents, the school said that students in year 7, up to and including year 11 (ages 11 to 16), had their names, gender, dates of birth, and their parents’ contact details exposed via a spreadsheet mistakenly shared with other parents.
According to the parents, the school sent an email seeking consent for their children to receive flu jabs, but upon clicking a link in that message, the spreadsheet began downloading. Personal data affected is reported to have included first names, year group, tutor group, contact number for the parents or carers, date of birth and gender.
Shropshire Schools cyber attack (July 2025)
A cyber attack on schools in Shropshire resulted in pupils unable to submit coursework for weeks.
A meeting of the West Mercia Police and Crime Panel was told that the force’s cyber unit had supported several high-impact investigations, including a ransomware attack affecting 11 schools. This included a sensitive case involving AI-generated imagery at two schools – cryptocurrency related matters were also dealt with.
A local councillor in attendance stated that the attack was connected to a MAT chain and suggested the enforced integration across sites had contributed to the success of the attack.
Final thoughts
The cyber and data protection threat to education is as high as ever, and 2025 has brought with it new risks and areas of concern for all educators to manage in the coming year. AI, student hackers and accidental breaches continue to cause headlines in the media.
Leaders and educators must adopt the mindset that it is not a question of if an attack will take place, rather than when, and that this could manifest not only as a direct attack on their school, but also via their critical supply chain and/or trusted stakeholders.
Employment law 2025 and beyond
By Donal Moon, Employment Law Adviser, Moore Kingston Smith HR Consultancy
The Employment Rights Bill introduces the most extensive reform of UK employment law in decades. Its phased implementation imposes significant statutory obligations and protections that will materially affect the operations of academies and multi-academy trusts (MATs).
These changes mean that academies and MATs will need to take a fresh look at their staff policies, contracts, and handbooks. They’ll also need to invest time and resources into training and making sure their systems and practices follow the new rules.
The current position of the Bill
The Bill has completed all stages in the House of Commons. The House of Lords returned it with amendments, including one that replaces the proposed day-one right to claim unfair dismissal with 26 weeks’ qualifying period of continuous service.
The government has rejected all the House of Lords amendments, and the Bill has now returned to the Lords. It appears likely that the Lords will accept the government’s position and approve the Bill, which means it is edging closer to Royal Assent – potentially as early as November 2025, with the first provisions expected to come into force shortly thereafter.
Provisions in force
Employers must now take reasonable steps to prevent sexual harassment, including by third parties. This includes implementing robust anti-harassment policies, mandatory training, risk assessments, and effective complaint handling.
For academies, this duty aligns with safeguarding responsibilities and requires a review of internal procedures and third-party engagement protocols.
The national minimum wage for workers aged 21 and over has increased to £12.21 per hour, with further alignment across age groups expected.
This will impact academies employing support staff and necessitate budgetary adjustments and compliance checks for outsourced services.
Employees are entitled to up to 12 weeks of neonatal leave from day one, with pay available after 26 weeks of service. This right includes protection from detriment or dismissal.
Contracts and policies must be updated, and managers trained accordingly.
The repeal of the Strikes (Minimum Service Levels) Act 2023 and parts of the Trade Union Act 2016 will enhance protection for lawful industrial action.
Academies should anticipate increased union activity and ensure their consultation and dispute resolution procedures are legally robust and compliant.
The maximum protective award for failure to consult in collective redundancy situations will double from 90 to 180 days. Day-one rights to paternity and unpaid parental leave will be introduced. Whistleblowing protections will be strengthened, requiring confidential reporting mechanisms. Statutory sick pay will be extended by removing the lower
earnings limit and waiting period.
A new fair work agency will be established, and trade union recognition processes will be simplified, including electronic and workplace balloting.
Dismissal and re-engagement (fire and rehire) will be deemed automatically unfair in most cases. A fair pay agreement body will be created for adult social care, potentially influencing education. A two-tier procurement code and tighter tipping laws will be introduced. Employers must inform workers of their right to join a union and facilitate union access.
The duty to prevent harassment will be expanded, and tribunal claim time limits extended from three to six months, with enhanced protection for union representatives
2027 and beyond
Here are some of the key matters on the horizon:
- Gender pay gap and menopause action plans, initially voluntary, may become mandatory for larger employers.
- Protection for pregnant workers will be enhanced.
- Regulations will define reasonable steps to prevent harassment.
- Legislation will prohibit blocklisting and modernise industrial relations.
- Oversight of umbrella companies will be introduced, requiring due diligence by schools using agency staff.
- Flexible working and bereavement leave rights will be expanded.
- Employers will be prohibited from exploitative scheduling under zero-hours contracts. Where a regular pattern of hours is established, a contract reflecting those hours must be offered. Workers will also be entitled to compensation for shifts cancelled or changed at short notice. Academies must review rostering systems, update contracts, and ensure third-party compliance.
Day-one protection from unfair dismissal
From 2027, employees will be protected from unfair dismissal from the first day of employment. Probationary periods may still be used, but dismissals must be procedurally fair and substantiated. Employers must provide clear reasons, follow a fair process, and offer the right to respond and appeal. In redundancy situations, selection criteria and consultation must be applied consistently, even for new staff. The increased risk of claims will require rigorous documentation and legal oversight.
Recommended actions
Academies should audit employment contracts and policies, train HR and line managers, engage proactively with trade unions, monitor legislative developments, and allocate resources to meet new statutory obligations.
Academies should also review NDAs for compliance with new harassment and discrimination restrictions and prepare for phased implementation of reforms throughout 2026 to 2027.
The cost of doing nothing
By Marcus Lees-Millais, Manager, Moore Kingston Smith Nonprofit Advisory
Over the years, we have seen a huge variety of financial systems in academies, which we broadly categorise as fit for purpose, outdated, or under-exploited.
The best-case scenario is that you have a finance system that’s not only fit-for-purpose but also enhances control, compliance, and operational ease. It will also save you time on your everyday tasks, gives you good-quality management information in real time, and guarantees increased security.
Surprisingly, most academy finance systems don’t fall into the fit-for-purpose category. Sticking unquestioningly with your incumbent finance system is likely to be denting your bottom line without you even realising.
Ask yourself this: Is your finance system costing you more than you realise?
Which category does your academy’s finance system fall into?
How to tell if your academy’s finance system is outdated
An outdated finance system has clunky processes and obsolete functionality. In many cases, these old systems are no longer updated or patched by the software owner, meaning that they lay prone to attacks by malware and hackers.
They are not equipped to handle the nuances and complexity of modern academy accounting. For example, can your finance system deal with the complexity of deposits and deferred income, accruals, and large volumes of staff costs and changes?
Outdated systems are often accompanied by old-fashioned and manual processes – a “we’ve always done it this way” approach could be costing you dearly.
How to tell if your academy’s finance system is under-exploited
You have invested in a new, state-of-the-art finance system. An external consultant installed the system for you and helped you migrate over to it, expecting you to then work it out for yourself. Short on time, you manage to harness some of its functionality and fall back on your old familiar manual spreadsheet processes.
Do you know how to set up automated real-time reporting? Can you modify the system to suit your academy’s specific requirements? Does it capture the financial waterfall linked to pupil numbers, joiners, and leavers? If your system can do these things, and you’re not using the full functionality, then you may well be missing out on, for example, improved budgeting and clearer coding which would make it simple to see what different parts of your academy are costing. Better financial monitoring enables more agile decision-making at every level in your academy.
Is the rest of your academy’s finance function in order?
Your finance system is one part of your academy’s finance function as a whole. People and processes are also vital pillars of that function. Ultimately, it is the finance staff who are embedding those processes within your finance system.
Your processes should be robust and intuitive, and your finance team proficient to get the best out of your finance system. Then you’ll have a finance system that works for you – not against you. Don’t just ask yourself if you can afford to change your finance system – ask yourself if you can afford not to. The cost of doing nothing may just be greater than you realise.
Videos
We have a number of videos ranging from webinars, panel debates and short discussions to help navigate you through the issues facing the nonprofit sector.
