I have been involved in a complaint made by an employee of a school that the school has breached the DPA 2018 and GDPR by disclosing data to their third party HR service provider.
Obviously the HR provider has entered into a contract with the school which includes processing personal data about staff on the school's behalf, therefore they are acting as a data processor on behalf of the school which is the data controller.
What schools should remember to do is to notify staff via their privacy notice who data may be shared with and any organisations that process data on behalf of the school as a data processor. Most schools are already doing this - if you're not, make sure you update your privacy notice without delay!