When a school replaces a printer or multi functional device, it can feel like a straightforward operational job. The old machine is collected, the new one is installed, and staff get back to printing resources and scanning paperwork. I have to be honest, that is only half the story. Modern printers are not just printers. Many are computers with storage, operating systems, network access, user authentication, scan destinations, address books, audit logs, and sometimes local copies of documents that have been printed or scanned. That means printer replacement is also a data handling event.
This article is written for UK school business managers, trust operations teams, IT leads, data protection leads, and senior leaders who want a clear, neutral explanation of what can happen to school data when printers are replaced. The purpose is to help you understand where data can exist on a printer, what risks are realistic, what UK data protection expectations look like in practice, and what steps schools can take to manage replacement safely. In my view, the right approach is calm and methodical. You do not need to be a technical expert to do this well, but you do need to ask the right questions and put the right controls in place.
What people mean by school data in the context of printing and scanning
In schools, the term data can mean almost anything, so it helps to define what matters most in a print environment. School data includes personal data about pupils, parents, carers, and staff. It can include safeguarding records, pastoral notes, behaviour reports, attendance information, special educational needs documentation, and health related information. It can include staff employment information, payroll documents, performance management paperwork, and absence details. It can include governance information and legal correspondence. It can include examination materials and controlled assessment documentation. It can also include operational information such as contracts, invoices, and supplier details.
A printer can touch all of this. Schools print it, copy it, and scan it. Sometimes they scan it to email, sometimes to shared folders, sometimes into document management systems. Sometimes a printer is used for confidential letters and reports, and sometimes for routine classroom materials. The blend is exactly why printers need to be treated as part of the information environment, not as a neutral piece of furniture.
Why modern printers can retain information after a job is finished
Older printers were closer to simple output devices. Many modern devices are multi functional systems with internal memory and often an internal hard drive or solid state storage. That storage is used for spooling print jobs, storing scanned images before they are sent, retaining copies for reprint functions, caching address books, storing user profiles, and keeping logs. Some devices store document images temporarily, some store them for longer depending on settings, and some may store them for features like held print, secure print release, or document box storage.
In my opinion, the most common misconception in schools is that once paper comes out of the tray, the digital copy is gone. Sometimes it is, but not always. The device may have retained an image for operational reasons, and the risk is that if the device is removed from the school without secure wiping, those retained images or logs could be accessible to someone with the right technical capability. That does not mean every replaced printer is a breach waiting to happen. It means the school should assume the device may contain data, and it should treat replacement accordingly.
The different places data can live on a school printer
There are several distinct locations where data can exist. Understanding these helps you ask targeted questions during replacement.
The first is internal storage that holds print job spools and scanned images. This is the area people usually worry about, because it can include actual document content. Whether content remains depends on the model and the configuration.
The second is user authentication data. If the printer uses PIN codes, card authentication, or integration with a directory service, it may store user IDs, authentication tokens, or cached credentials. Good systems limit what is stored and protect it, but schools should not assume that nothing is retained.
The third is address books and scan destinations. Many printers store email addresses, named folders, network paths, and sometimes credentials used to access scan locations. If scanning to email is configured, the device might have SMTP settings and possibly stored account details depending on setup.
The fourth is logs and audit trails. Logs can include who printed, when they printed, which device was used, and sometimes document names depending on settings and print driver behaviour. Logs are not always treated as sensitive, but in my view they can be sensitive in schools because they can reveal patterns related to safeguarding work, staff activity, or confidential processes.
The fifth is local configuration and management settings. These include network details, Wi Fi credentials where used, admin passwords if poorly managed, and remote management connections. A replaced device that still contains network configuration can create risk if those details are exposed.
The sixth is any associated print management system. In many schools, secure release and reporting are handled by a separate server or cloud system. If a printer is replaced, the associated system may retain logs and user records. That is not usually a problem, but it needs to be understood, especially if accounts and integrations are being changed.
Print job storage and the reality of what is retained
It is worth being precise about print job storage. Printers process jobs by receiving data, rasterising it, and then printing it. To do that, they may store the job data temporarily. Some devices clear this automatically after printing. Some do not fully clear it, especially if the device has a feature that allows reprinting the last job, holding jobs for later release, or storing jobs in a document box.
In my view, secure print release is both a benefit and a responsibility. It improves confidentiality because it prevents documents being printed before the user arrives, but it can mean jobs are stored on the printer until they are released. That makes secure deletion and proper configuration important. Schools should understand whether the held jobs are stored on the device or in the print management system, and what happens to uncollected jobs. If uncollected jobs remain for days, they create both a confidentiality risk at the tray and a digital retention risk on the system.
Scanning and the data trail it creates
Scanning is a major source of sensitive data passing through printers. When a school scans a safeguarding document, the image exists on the device for at least long enough to be transmitted to an email or a folder. If scanning to email is used, the device may store metadata about recipients and scan history. If scanning to network folders is used, the device stores destination paths and may store credentials.
I believe scanning is often less tightly controlled than printing in schools because it feels like an internal process. In reality, scanning is data processing and it can involve transmission across networks and sometimes across the internet, depending on configuration. Printer replacement is therefore a moment to review scanning workflows and ensure that destinations are still appropriate, permissions are correct, and credentials are not stored insecurely.
Address books, scan destinations, and why they matter more than people expect
Many school devices have address books that contain staff email addresses and sometimes shared inboxes for offices or departments. They may also contain external email addresses, for example local authority contacts, social care contacts, and external professionals linked to pupil support. In my view, this is an overlooked risk area because even if document content is not retained, contact data might be.
If a printer is replaced and the old device still has an address book, the school has effectively left a directory of people and potentially sensitive relationships on a device that is leaving site. That is not ideal. It can be managed by ensuring address books are not stored locally where possible, or that they are securely wiped as part of decommissioning.
Scan destinations can also include network paths that reveal internal server names and folder structures. This can be useful information to an attacker. The goal is not to be paranoid. It is to recognise that configuration data can still be sensitive.
User authentication and secure release systems
Many schools use PIN codes or staff cards for secure print release. Some use integration with Microsoft accounts or directory services. In these setups, the printer may store a mapping between a user and their authentication method. It might also cache information for performance.
I suggest schools ask two key questions during replacement. First, does the printer store anything that could allow someone to identify staff users or replicate authentication. Second, how is authentication data protected and wiped at end of life. A mature provider or IT team should be able to explain this clearly.
In my view, it is also important to ensure that administrative access to printers is managed properly. Default admin credentials are a known risk. If a device leaves site with weak admin security, it is more likely that someone could access stored logs or configuration data.
Logs and audit trails, the quiet kind of personal data
Printer logs are not always seen as personal data, but in many cases they are. A log that links a user to a print action is information about an identifiable person. In schools, that can reveal sensitive context. For example, a pattern of printing from safeguarding staff can indicate active safeguarding cases, even if the content is not visible.
Logs also matter because they can contain document titles, depending on how printing is configured. Document titles can be surprisingly revealing. Even if the content is not stored, a title like pupil name plus a sensitive phrase could be personal data in its own right.
I have to be honest, schools rarely look at printer logs unless there is a problem. That is understandable, but it does mean that when devices are replaced, logs may still be present and could be extracted if the device is not wiped. A good replacement process treats logs as part of the data that must be protected.
Printers on the school network, and why replacement touches cyber hygiene
Printers are networked devices. They connect to switches, Wi Fi, and sometimes remote management tools. They can be configured to talk to external services for monitoring or cloud printing. When you replace a device, you are also changing something on the network. That means replacement is a good moment to review whether the printer is placed on the right network segment, whether firmware updates are applied, and whether unused services are disabled.
In my view, printer replacement is a rare chance to remove legacy configuration. Schools sometimes carry forward old settings for years because nobody wants to disturb a working system. If the old system was not well secured, you end up repeating weaknesses. A replacement project that includes a basic security review can reduce risk and can also improve reliability.
How replacement typically happens in schools and where the risk points are
Most school printer replacements follow a familiar path. A new device arrives, it is installed, staff start using it, and then the old device is collected. Sometimes the old device is taken away immediately. Sometimes it sits in a cupboard for months. Sometimes it is collected by a leasing company. Sometimes it is collected by the managed print provider. Sometimes it is sold or donated, which can happen in certain cases, although it should be approached carefully.
Risk tends to appear in the gaps. The biggest gap is when an old device is removed without a confirmed data wipe. Another gap is when the school assumes the provider will wipe it, but the contract does not clearly state what is done and how it is evidenced. Another gap is when a device is stored on site awaiting collection and is accessible to unauthorised people. Another gap is when a device is disposed of through an informal route with no documentation.
I believe the safest approach is to treat replacement like a controlled offboarding process. The device should be decommissioned, data should be wiped, and evidence should be retained. It can be simple, but it should be deliberate.
UK data protection expectations and the school’s responsibility
Schools in the UK have obligations under data protection law, including the UK GDPR and the Data Protection Act. The underlying principle is that organisations must process personal data lawfully and securely, and must have appropriate technical and organisational measures in place to protect it. In the context of printers, that translates into making sure personal data is not left exposed on devices, and that when devices are disposed of or replaced, data is securely removed.
I have to be honest, many schools assume that because a printer is a piece of office equipment, it does not fall into the same data security category as a laptop. In my view, it does, especially when it has internal storage and logs. The school, or the trust, is the controller for most of the personal data processed in the school environment, and suppliers are usually processors where they handle personal data on behalf of the school. That means the school needs to ensure suppliers provide adequate guarantees and that contracts cover security, including end of life handling.
A practical way to think about it is this. If a laptop was replaced, you would not want the old hard drive leaving the site without wiping. A modern printer can contain similar data, so it deserves similar discipline.
How managed print providers and leasing arrangements fit into this responsibility
In many schools, printers are provided through managed print services, and the provider may manage maintenance and consumables. The devices may be owned by the provider or leased through a finance company. Sometimes the leasing company owns the device and the provider services it. Sometimes the provider manages collection and return. This can be confusing, and I suggest schools map it out.
From a data responsibility perspective, what matters is who has physical control of the device at each stage and what contractual duties apply. If a provider collects the device, the school needs confidence in their wipe process. If a leasing company collects it directly, the school needs confidence in that process too. If a third party refurbishes devices, the school needs to know how data is handled before refurbishment.
In my opinion, the simplest and safest approach is to ensure the decommissioning and wiping happen under the school’s control or under a clearly contracted and evidenced process. If you cannot evidence that a wipe happened, you cannot be sure it did.
What secure wiping means for printers, in plain terms
Secure wiping is the process of removing data from a storage device in a way that makes recovery extremely unlikely. For printers, this might involve using the device’s built in data overwrite function, resetting the device to factory settings, and in some cases physically removing and destroying the storage component. The appropriate method depends on the device, the type of storage, and the sensitivity of the data processed.
Many modern enterprise printers include features such as automatic data overwrite, encrypted storage, and secure erase. These features are valuable, but I have to be honest, they only help if they are enabled and used correctly. A device can support encryption but still be deployed without it. A device can support secure erase but still be collected without running it.
In my view, schools should ask for a clear statement of what wiping steps are used for their device models, how long the process takes, and what evidence is provided. Evidence might include a service report, a certificate of destruction if parts are destroyed, or an asset disposition report that records serial numbers and wipe actions.
When physical destruction is appropriate
There are cases where physical destruction of storage is the most appropriate choice, particularly where devices have handled highly sensitive safeguarding information and where the school wants maximum assurance. Physical destruction might involve removing the hard drive or storage module and shredding it through an approved route.
I suggest schools approach this pragmatically. Physical destruction can be more expensive and it requires secure chain of custody, but it can provide strong assurance. It may be particularly relevant in larger trusts that want a consistent high assurance standard across sites.
In my view, it is not always necessary to physically destroy storage if encryption is enabled and a secure wipe is performed correctly. The key is that the method chosen must be appropriate to the risk and must be evidenced.
Encryption and why it reduces risk during replacement
If a printer’s storage is encrypted, the data on the drive is protected even if the drive is removed and examined. Encryption is not a substitute for wiping, but it is a valuable protection layer. If encryption is enabled from the start, then the risk from residual data at end of life is reduced.
I believe encryption should be treated as a baseline for devices that handle sensitive school documents, which in practice is most shared printers in admin and teaching areas. It is one of those controls that does not change staff behaviour, but it can materially reduce risk.
The human side of printer replacement, paper output and forgotten trays
Not all data risk is digital. The most common confidentiality failures in schools still involve paper. A confidential document is printed and left in the tray. A copier is used and the copy is forgotten. A document is left on the glass scanner. These are daily risks, and replacement does not automatically fix them.
However, replacement is a moment to improve practices. If a school is moving to secure print release, it can reduce tray risk. If it is moving to devices placed in more controlled areas, it can reduce casual access. If it is training staff to check the scanner glass and collect printing promptly, it can improve daily habits.
In my opinion, digital wiping at end of life is essential, but it should sit alongside an everyday culture of confidentiality.
What happens when old printers are refurbished and resold
Many end of lease printers are refurbished and resold. This is common in the equipment market, and it supports sustainability by extending the life of devices. The data risk is obvious. If a device is resold without proper wiping, a future owner could access stored data. Most reputable refurbishers have processes to prevent this, but schools should not rely on assumptions.
I have to be honest, schools sometimes feel they have no visibility because the device leaves and then disappears into a supply chain. That is exactly why contracts and documentation matter. If your supplier provides an asset disposition report with wipe confirmation, it reduces the uncertainty. If they cannot provide this, I would treat that as a weakness in their approach to education sector requirements.
What schools should expect to see in a contract related to data handling at end of life
Contracts for managed print services should include clear terms on data security. In my view, end of life handling deserves explicit wording, not a vague promise. You want clarity on who is responsible for wiping, which methods are used, whether encryption is enabled, how evidence is provided, and what happens if a device is collected without wiping due to fault or emergency replacement.
You also want clarity on subcontractors. If the provider uses third parties for collection or refurbishment, the school should know and should have assurance that the same standards apply through the chain.
It is also sensible to align this with the school’s broader data protection approach, including any data processing agreement terms where the supplier is acting as a processor. The key point is that printer replacement is not a separate world. It is part of the same personal data governance you apply to laptops, servers, and cloud services.
Chain of custody, the practical concept that reduces anxiety
Chain of custody sounds formal, but it can be simple. It means knowing where the device is, who has it, and what has been done to it, from the moment it is decommissioned to the moment it is wiped and disposed of. In practice, schools can manage this by keeping a record of device serial numbers, collection dates, collection personnel details where appropriate, and the wipe or destruction evidence.
I suggest schools avoid leaving decommissioned devices in unsecured cupboards or corridors. If a device is awaiting collection, store it in a locked area and treat it like any other asset that may contain sensitive information.
In my experience, the anxiety about printer data often reduces when schools implement a straightforward chain of custody routine. It turns a vague risk into a controlled process.
Emergency replacements and how to avoid losing control
Sometimes a printer fails and needs urgent replacement. A provider may swap it quickly to restore service. This is good for continuity, but it can create risk if the old device is removed immediately and wiping is not discussed.
In my view, emergency replacements should still follow a minimum safe process. That might mean the provider leaves the old device in a secure location until wiping can be confirmed, or it might mean the provider runs a secure erase before removal where possible. The specific approach depends on the device and the circumstances, but the principle remains the same. Continuity matters, and so does data protection.
I have to be honest, the risk here is not that providers are careless on purpose. The risk is that under time pressure, people focus on restoring printing and forget the data step. The best solution is to have a documented expectation in the contract and in the school’s own process, so it happens automatically even under pressure.
Misconceptions that often appear in schools
One common misconception is that printers do not have hard drives. Many do, or they have storage that functions similarly.
Another misconception is that a factory reset removes all data securely. A factory reset may remove user settings, but it does not always securely overwrite stored data. Secure erase is different.
Another misconception is that if a device is leased, data security is the leasing company’s problem. In my view, the school still has responsibility to ensure personal data is protected, regardless of ownership.
Another misconception is that only safeguarding documents are sensitive. In reality, many documents in schools contain personal data, including routine attendance letters or SEN paperwork.
Another misconception is that encryption means you do not need to wipe. Encryption reduces risk, but wiping is still a sensible end of life step.
I believe the best approach is to assume the printer may contain data, then to apply proportionate controls that reflect that assumption.
How to approach printer replacement in a calm, repeatable way
Schools and trusts benefit from a repeatable approach. I suggest thinking of printer replacement like equipment offboarding. You identify the device and its serial number. You confirm where it is installed. You confirm what features are enabled, including encryption and secure release. You capture relevant configuration, such as scan destinations, so it can be recreated safely on the new device without copying insecure practices. You plan the collection date. You ensure the device is securely erased. You obtain evidence. You retain records.
This does not need to be bureaucratic. In my opinion, a simple documented checklist process used consistently across devices is enough to reduce risk significantly. It also makes procurement and contract management easier, because you can ask providers to align their processes to your standard.
What to do about scan to email and stored credentials
Scan to email is common in schools because it is convenient. However, it can create credential and configuration risk. Some environments use a dedicated SMTP relay, some use a service account, and some use more modern authentication methods depending on the school’s setup.
When replacing a printer, it is a good moment to review whether scan to email is configured securely and whether credentials are stored on the device. In my view, storing a powerful account password on a device is not ideal. Where possible, schools should prefer approaches that limit credential exposure, such as relay services that restrict device access by IP and enforce secure connections, or other methods supported by their IT environment.
I have to be honest, this can get technical, and it is a reason why IT involvement is valuable. The business benefit is that you reduce the chance of scanning breaking after replacement, and you reduce the risk of credentials being left behind on a departing device.
What to do about address books and external contacts
If the device stores an address book that includes external contacts, I suggest schools treat it carefully. You might decide to avoid storing external addresses on printers at all, or to store them in a controlled central directory if your print management system supports that. If you do store them on the device, ensure they are wiped at end of life.
In my view, the safest pattern is to keep address books minimal and to avoid storing sensitive external contact lists on devices. This reduces the amount of personal data the printer holds, which reduces end of life risk.
What happens to data in print management systems when printers change
Many schools use a print management system for secure release and reporting. In these systems, jobs may be held on a server or in a cloud queue rather than on the printer. Logs and user activity data are often stored in the management system. When a printer is replaced, the system typically continues operating, and the new printer is registered as a device endpoint.
From a data perspective, the management system is often more significant than the printer itself because it may store longer term logs. Schools should ensure that the management system is configured with appropriate retention periods and access controls. They should also ensure that if a vendor is providing the system, contractual terms cover data protection and security.
I believe schools sometimes focus so much on the physical device that they forget the system behind it. Replacement is a good time to review who can access reporting, how long logs are kept, and whether the system is still delivering value.
The role of school policies and staff behaviour
Technical controls are important, but policies and behaviour matter too. A school might have excellent wiping processes, but if staff leave confidential printing on trays daily, the biggest risk remains in plain sight.
Printer replacement can be used as an opportunity to refresh expectations around confidentiality. This can be done gently. Remind staff to collect printing promptly, to use secure release where available, to avoid printing sensitive documents to public area devices, and to check the scanner glass after use.
In my view, the most effective messages are practical. People respond better to a reminder that protects pupils and staff than to abstract warnings. The goal is not to make staff fearful. It is to make safe behaviour the normal behaviour.
Incident response, what if you discover a printer left the site without wiping
Sometimes, despite best efforts, a school may discover that a printer left the site without confirmed wiping. If that happens, I suggest staying calm and treating it like any other potential data security incident. The school should gather facts. What device left, when, where did it go, and who collected it. What data might it have contained based on its features and configuration. Was encryption enabled. Was secure erase enabled. Was secure release used. Was there likely document content retained or only logs.
The school should contact the supplier or leasing company immediately and request confirmation of wipe or destruction, including evidence. If the device is still in transit or at a depot, there may be a chance to run a secure wipe before refurbishment.
In my view, schools should also involve the data protection lead, and where appropriate follow their incident assessment process. Not every situation will be a reportable breach, but it should be assessed properly. The key is that having a documented process and supplier relationship makes these situations easier to resolve.
Pros of treating printer replacement as a data managed process
When schools take printer data seriously, several benefits follow. Risk reduces because devices leave site only after secure wiping or confirmed destruction. Staff confidence improves because the school can explain how it protects confidential information. Procurement improves because contracts include clear expectations and evidence. IT hygiene improves because replacement becomes a chance to modernise configuration and security settings. Long term, the school reduces the chance of a disruptive incident that consumes leadership time.
I believe there is also a cultural benefit. When schools treat all information handling points seriously, including printers, it sends a consistent message that data protection is part of everyday professionalism.
Cons and practical constraints to be honest about
It is fair to acknowledge the constraints. Secure wiping can take time, and replacement projects can already be busy. Some older devices may not have straightforward wipe functions. Some arrangements involve leasing companies with rigid collection processes. Some schools have limited internal IT capacity and rely heavily on providers.
I have to be honest, this is why contracts and planning matter. If you bake wiping and evidence into the normal process, it becomes routine rather than an extra task. The goal is to make the safe process the easiest process.
What I would say school leaders should ask their provider, without turning it into a technical interrogation
In my view, school leaders and business managers do not need to ask complicated questions, but they do need clear answers. I would ask whether devices have internal storage and whether it is encrypted. I would ask what secure erase method is used at end of life. I would ask how the provider evidences wiping or destruction. I would ask who collects devices and whether subcontractors are used. I would ask what happens in emergency swaps. I would ask how address books and scan destinations are handled. I would ask whether the provider can help the school set secure defaults from day one.
What I would say is that the provider’s willingness to answer calmly and clearly is often as important as the technical details. In my experience, a provider who understands education will expect these questions and will have a structured answer.A clear closing view on printer replacement and school data
If I step back, I believe the key point is simple. A modern school printer can hold data, and therefore replacing it should be treated as a data handling moment, not just an equipment swap. When schools know where data can sit, insist on secure wiping or destruction, keep a basic chain of custody record, and refresh secure printing behaviours, the risk becomes manageable and predictable. In my opinion, that is the best outcome. You protect pupils and staff, you stay aligned with UK data protection expectations, and you avoid the unpleasant surprise of discovering later that a device left the site with unknown contents. Printer replacement will always be a practical job, but done properly it can also be a quiet demonstration that the school takes information security seriously in the everyday places where it matters most.