Data Protection and GDPR
General Data Protection Regulations (GDPR)
The law is changing and the General Data Protection Regulations (GDPR) comes into effect on 25th May 2018.
It will bring higher standards for handling data and greater expectations for improved transparency, enhanced data security and increased accountability for processing personal data. Schools will have a legal duty to comply with the GDPR.
Please take the opportunity to watch the short video clip below:
The new GDPR (General Data Protection Regulation) is replacing the current Data Protection Act (DPA) and is set to strengthen and unify all data held within an organisation. For schools, GDPR brings a new responsibility to inform parents and stakeholders about how they are using pupils’ data and who it is being used by.
What GDPR mean for schools, parents and carers
GDPR will ensure that children’s data used and held in school is protected and will give individuals more control over their data.
It also means that schools will have greater accountability for the data:
- Under GDPR, consent must be explicitly given to anything that isn’t within the normal business of the school, especially if it involves a third party managing the data. Parents (or the pupil themselves depending on their age) must express consent for their child’s data to be used outside of the normal business of the school.
- Schools must appoint a Data Protection Officer and be able to prove that they are GDPR compliant.
- Schools must ensure that their third party suppliers who may process any of their data is GDPR compliant and must have legally binding contracts with any company that processes any personal data. These contracts must cover what data is being processed, who it is being processed by, who has access to it and how it is protected.
- It will be compulsory that all data breaches which are likely to have a detrimental effect on the data subject are reported to the ICO within 72 hours
As it is in the public interest to operate schools successfully, a great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, ‘in the public interest’. This will mean that specific consent will not be needed in the majority of cases in schools.
Data Protection Officer
The Data Protection Officer is responsible for overseeing data protection within the School so if you do have any questions in this regard, please do contact them on the information below:
Data Protection Officer: Craig Stilwell
Company: Judicium Consulting Ltd
Address: 72 Cannon Street, London, EC4N 6AE
Telephone: 0203 326 9174
Privacy Notice for Parents/Carers of children at De Lucy Primary School
De Lucy Primary School is committed to protecting the privacy and security of personal information.
This privacy notice describes how we collect and use personal information about pupils, in accordance with the General Data Protection Regulation (GDPR), section 537A of the Education Act 1996 and section 83 of the Children Act 1989.
Who Collects This Information
De Lucy Primary School is a “data controller.”
This means that we are responsible for deciding how we hold and use personal information about pupils.
The Categories of Pupil Information That We Collect, Process, Hold and Share
We may collect, store and use the following categories of personal information about you: -
- Personal information such as name, pupil number, date of birth, gender and contact information;
- Emergency contact and family lifestyle information such as names, relationship, phone numbers and email addresses;
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility);
- Attendance details (such as sessions attended, number of absences and reasons for absence);
- Performance and assessment information;
- Behavioural information (including exclusions);
- Special educational needs information;
- Relevant medical information;
- Safeguarding information;
- Welfare information;
- Details of any support received, including care packages, plans and support providers;
- Images of pupils engaging in school activities, and images captured by the School’s CCTV system;
- Information about the use of our IT, communications and other systems, and other monitoring information and
- Data about pupils received from other organisations, including other schools, local authorities and the Department for Education.
Collecting This Information
Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis.
In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
How We Use Your Personal Information
We hold pupil data and use it for: -
- Pupil selection (and to confirm the identity of prospective pupils and their parents);
- Providing education services and extra-curricular activities to pupils, and monitoring pupils' progress and educational needs;
- Informing decisions such as the funding of schools;
- Assessing performance and to set targets for schools;
- Safeguarding pupils' welfare and providing appropriate pastoral (and where necessary medical) care;
- Support teaching and learning;
- Giving and receive information and references about past, current and prospective pupils, and to provide references to potential employers of past pupils;
- Managing internal policy and procedure;
- Enabling pupils to take part in assessments, to publish the results of examinations and to record pupil achievements;
- To carry out statistical analysis for diversity purposes;
- Legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with legal obligations and duties of care;
- Enabling relevant authorities to monitor the school's performance and to intervene or assist with incidents as appropriate;
- Monitoring use of the school's IT and communications systems in accordance with the school's IT security policy;
- Making use of photographic images of pupils in school publications, on the school website and on social media channels;
- Security purposes, including CCTV;
- Where otherwise reasonably necessary for the school's purposes, including to obtain appropriate professional advice and insurance for the school and
- To provide support to pupils after they leave the school.
The Lawful Basis on Which We Use This Information
We will only use your information when the law allows us to. Most commonly, we will use your information in the following circumstances: -
- Consent: the individual has given clear consent to process their personal data for a specific purpose;
- Contract: the processing is necessary for a contract with the individual;
- Legal obligation: the processing is necessary to comply with the law (not including contractual obligations);
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law; and
- The Education Act 1996: for Departmental Censuses 3 times a year. More information can be found at: www.gov.uk/education/data-collection-and-censuses-for-schools
We need all the categories of information in the list above primarily to allow us to comply with legal obligations. Please note that we may process information without knowledge or consent, where this is required or permitted by law.
How we store this data
We keep personal information about pupils while they are attending our school.
We may also keep it beyond their attendance at our school if this is necessary in order to comply with our legal obligations. Our Records Retention Policy sets out how long we keep information about pupils.
To request a copy of our Records Retention Policy please contact the School Business Manager: email@example.com.
We may need to share your data with third parties where it is necessary.
There are strict controls on who can see your information. We will not share your data if you have advised us that you do not want it shared unless it’s the only way we can make sure you stay safe and healthy or we are legally required to do so.
We share pupil information with: -
- the Department for Education (DfE) - on a statutory basis under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013;
- Other Schools that pupils have attended/will attend;
- Welfare services (such as social services);
- Law enforcement officials such as police, HMRC;
- Local Authority Designated Officer;
- Professional advisors such as lawyers and consultants;
- Support services (including insurance, IT support, information security); and
- The Local Authority
Information will be provided to those agencies securely or anonymised where possible.
The recipient of the information will be bound by confidentiality obligations; we require them to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EU (e.g. if your child leaves De Lucy Primary School and moves to a new school located outside the EU). If we do, you can expect a similar degree of protection in respect of your personal information.
Why We Share This Information
We do not share information about our pupils with anyone without consent unless otherwise required by law.
For example, we share student’s data with the DfE on a statutory basis which underpins school funding and educational attainment. To find out more about the data collection requirements placed on us by the DfE please go to www.gov.uk/education/data-collection-and-censuses-for-schools.
Storing Pupil Data
The School keep information about pupils on computer systems and sometimes on paper.
Except as required by law, the School only retains information about pupils for as long as necessary in accordance with timeframes imposed by law and our internal policy.
If you require further information about our retention periods, please let the school Data Protection Office Craig Stilwell know. He can provide you with a copy of our policy.
Automated Decision Making
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention.
We are allowed to use automated decision making in limited circumstances.
Pupils will not be subject to automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We have put in place measures to protect the security of your information (i.e. against it being accidentally lost, used or accessed in an unauthorised way).
We also have a data and information audit process to help protect information security.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England.
It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to:
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.
Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: www.gov.uk/contact-dfe
Requesting Access to Your Personal Data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold.
To make a request for your personal information, contact our Data Protection Office Craig Stilwell.
You also have the right to: -
- Object to processing of personal data that is likely to cause, or is causing, damage or distress;
- Prevent processing for the purposes of direct marketing;
- Object to decisions being taken by automated means;
- In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- Claim compensation for damages caused by a breach of the data protection regulations.
If you want to exercise any of the above rights, please contact Craig Stilwell in writing.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to Withdraw Consent
In circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, please contact Craig Stilwell. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you would like to discuss anything within this privacy notice or have a concern about the way we are collecting or using your personal data, we request that you raise your concern with the School Business Manager in the first instance on firstname.lastname@example.org.
We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection and this privacy notice. If you have any questions about how we handle your personal information which cannot be resolve by the school business manager, then you can contact the DPO on the details below:
Data Protection Officer: Craig Stilwell
Data Protection Officer Address: Judicium Consulting Ltd, 72 Cannon Street, London, EC4N 6AE
You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues at ico.org.uk/concerns.
Changes to This Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.
We may also notify you in other ways from time to time about the processing of your personal information.