Home Page

Data Protection Policy


1. The GDPR

1.1 What is the point of the GDPR?

1.2 Who does it apply to?

1.3 What is Data?

2. The key principles of the GDPR

2.1 Lawfulness, transparency and fairness

2.2 Collect data for a specific purpose and use it for that purpose

2.3 Limited collection

2.4 Accuracy

2.5 Retention

2.6 Security

3. Data subjects

3.1 Data subjects’ rights

4. Subject Access Requests

5. Who is a ‘data controller’?

6. Who is a ‘data processor’?

7. Processing data

8. Data Sharing

9. Breaches & Non Compliance

10. Consent

11. Consent and Renewal

12. For Pupils and Parents/Carers

13. Pupil Consent Procedure

14. Withdrawal of Consent

15. CCTV Policy

16. Data Protection Officer

17. Physical Security

18. Secure Disposal

19. Complaints & the Information Commissioner Office (ICO)

20. Review


1. The GDPR

The General Data Protection Regulation (GDPR) is a European Directive that was brought into UK law with an updated Data Protection Act in May 2018. Brexit will not change it. The Data Protection Act 1998 was repealed and replaced with the Data Protection Act 2018.


1.1. What is the point of the GDPR?

The GDPR and new DPA exist to look after individual’s data. It is a series of safeguards for every individual. Information about individuals needs to be treated with respect and be secure. The GDPR exists to protect individual rights in an increasingly digital world.


1.2. Who does it apply to?

The GDPR applies to everyone, including schools. As Public Bodies, schools have more obligations than some small businesses. It is mandatory to comply with the GDPR and proposed provisions in the new Act.

We want to make sure information about pupils, parents, staff and volunteers is kept secure and within the law.


1.3. What is Data?

Data is any information that relates to a living person which identifies them. This can be their name, address or phone number for example. It also relates to details about that person, which can include opinions.

Some data is considered to be more sensitive, and therefore more important to protect. This is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic data, and biometric data where processed to uniquely identify a person.

Schools often collect sensitive data for DfE and LA requirements and of course pupil data may contain information about safeguarding, SEN or health needs. Information about other family members may also be on the school file.

2. The key principles of the GDPR

2.1. Lawfulness, transparency and fairness.

School must have a legitimate reason to hold the data; we explain this in the Data Privacy Notices on the website. We often ask for consent to use data about a pupil for a particular purpose. If you wish to withdraw consent we have a form to complete to allow us to process your request. There are sometimes when you cannot withdraw consent as explained in ‘Data Subjects Rights’.

2.2. Collect data for a specific purpose and use it for that purpose

So, data cannot be used for a purpose that it was not originally collected for, or where notice has not been given about how data may be used after collection.

2.3. Limited collection

Data controllers should only collect the minimum amount of data needed for a particular task or reason. If there is a breach or a hack only limited information can be lost.

2.4. Accuracy

Data collected should be accurate, and steps should be taken to check and confirm accuracy. We do this when pupils join the school and check on an annual basis.

If a Data Subject feels that the information held is inaccurate, should no longer be held by the Controller or should not be held by the Controller in any event, a dispute resolution process and complaint process can be accessed, using the suitable forms.

2.5. Retention

Arboretum Primary School has a retention policy that explains how long we store records for. This is available on request.

2.6. Security

We have processes in place to keep data safe. That might be paper files, electronic records or other information.

3. Data subjects

A data subject is someone whose details we keep on file. Some details are more sensitive than others. The GDPR sets out collection of details such as health conditions and ethnicity which are more sensitive than names and phone numbers.


3.1. Data subjects’ rights

Individuals have a right:-

to be informed

of access to data stored about them or their children

to rectification if there is an error on the data stored

to erasure if there is no longer a need for school to keep the data

to restrict processing, i.e. to limit what is done with their data

to object to data being shared or collected

There are other rights that relate to automated decision making and data portability that are not directly relevant in schools.

Data subjects’ rights are also subject to child protection and safeguarding concerns, sharing information for the prevention and detection of crime. Schools also have legal and contractual obligations to share information with organisations such as the Department for Education, Social Care, the Local Authority and HMRC amongst others. In some cases these obligations override individual rights.

4. Subject Access Requests

You can ask for copies of information that we hold about you or about a pupil of Arboretum Primary School for whom you have parental responsibility. This Subject Access Request process is set out separately. You need to fill out the form, and you may need to provide identification evidence for us to process the request.

We have to provide the information within a month, but this can be extended if, for example, the school was closed for holidays. The maximum extension is up to two months.

When we receive a request we may ask you to be more specific about the information that you require. This is to refine any queries to make sure you access what you need, rather than sometimes getting a lot of information that may not be relevant to your query.

In some cases we cannot share all information we hold on file if there are contractual, legal or regulatory reasons.

We cannot release information provided by a third party without their consent, or in some cases you may be better to approach them directly, e.g. school nurses who are employed by the NHS.

We will supply the information in an electronic form.

If you wish to complain about the process, please see our complaints policy and later information in this DPA policy.


5. Who is a ‘data controller’?

Our school governing body is the data controller. They have ultimate responsibility for how school manages data. They delegate this to data processors to act on their behalf.


6. Who is a ‘data processor’?

This is a person or organisation that uses, collects, accesses or amends the data that the controller has collected or authorised to be collected. It can be a member of staff, a third-party company, possibly a governor, a contractor or temporary employee. I t can also be another organisation such as the police or the LA.

Data controllers must make sure that data processors are as careful about the data as the controller themselves. The GDPR places additional obligations on organisations to make sure that Data Controllers require contractual agreements to ensure that this is the case.


7. Processing data

Arboretum Primary School must have a reason to process the data about an individual. Our privacy notices set out how we use data. The GDPR has 6 conditions for lawful processing and any time we process data relating to an individual it is within one of those conditions.

If there is a data breach we have a separate policy and procedure to follow to take immediate action to remedy the situation as quickly as possible.

The legal basis and authority for collecting and processing data in school are:-

  • consent obtained from the data subject or their parent
  • performance of a contract where the data subject is a party
  • compliance with a legal obligation
  • to protect the vital interests of the data subject or other associated person
  • to carry out the processing that is in the public interest and/or official authority
  • it is necessary for the legitimate interests of the data controller or third party
  • in accordance with national law.

In addition, any special categories of personal data are processed on the grounds of

  • explicit consent from the data subject or about their child
  • necessary to comply with employment rights or obligations
  • protection of the vital interests of the data subject or associated person
  • being necessary to comply with the legitimate activities of the school
  • existing personal data that has been made public by the data subject and is no longer confidential
  • bringing or defending legal claims
  • safeguarding
  • national laws in terms of processing genetic, biometric or health data.

Processing data is recorded within the school systems.

8. Data Sharing

Data sharing is done within the limits set by the GDPR. Guidance from the Department for Education, health, the police, local authorities and other specialist organisations may be used to determine whether data is shared.

The basis for sharing or not sharing data is recorded in school.


9. Breaches & Non Compliance

If there is non-compliance with the policy or processes, or there is a DPA breach as described within the GDPR and DPA 2018 then the guidance set out in the Breach & Non Compliance Procedure and Process needs to be followed.

Protecting data and maintaining data subjects’ rights is the purpose of this policy and associated procedures.


10. Consent

As a school we will seek consent from staff, volunteers, young people, parents and carers to collect and process their data. We will be clear about our reasons for requesting the data and how we will use it. There are contractual, statutory and regulatory occasions when consent is not required. However, in other cases data will only be processed if explicit consent has been obtained.

Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

We may seek consent from young people also, and this will be dependent on the child and the reason for processing.


11. Consent and Renewal

On the school website we have ‘Privacy Notices’ that explain how data is collected and used. It is important to read those notices as it explains how data is used in detail.

Obtaining clear consent and ensuring that the consent remains in place is important for school. We also want to ensure the accuracy of that information.


12. For Pupils and Parents/Carers

On arrival at school you will be asked to complete a form giving next of kin details, emergency contact and other essential information. We will also ask you to give consent to use the information for other in school purposes, as set out on the data collection/consent form.

We review the contact and consent form on an annual basis. It is important to inform school if details or your decision about consent changes. A form is available.


13. Pupil Consent Procedure

Where processing relates to a child under 16 years old, school will obtain the consent from a person who has parental responsibility for the child.

Pupils may be asked to give consent or to be consulted about how their data is obtained, shared and used in certain situations.


14. Withdrawal of Consent

Consent can be withdrawn, subject to contractual, statutory or regulatory constraints. Where more than one person has the ability to provide or withdraw consent the school will consider each situation on the merits and within the principles of GDPR and also child welfare, protection and safeguarding principles.

Please complete the appropriate form.

15. CCTV Policy

Please also see the CCTV and IT Security policy.

We use CCTV and store images for a period of time in line with the policy. CCTV may be used for:-

Detection and prevention of crime

School staff disciplinary procedures

Pupil behaviour and exclusion management processes

To assist the school in complying with legal and regulatory obligations.


16. Data Protection Officer

We have a Data Protection Officer whose role is to:-

to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR

to monitor compliance with the GDPR and DPA

to provide advice where requested about the data protection impact assessment and monitor its performance

to be the point of contact for Data Subjects if there are concerns about data protection

to cooperate with the supervisory authority and manage the breach procedure

to advise about training and CPD for the GDPR.

Our DPO is JA Walker. His contact details are:


Telephone: 0333 772 9763


17. Physical Security

In school, every secure area has individuals who are responsible for ensuring that the space is securely maintained and controlled if unoccupied, i.e. locked. Offices and cupboards that contain personal data should be secured if the processor is not present.

The Senior Leadership Team is responsible for authorising access to secure areas along with the School Business Manager.

All Staff, contractors and third parties who have control over lockable areas must take due care to prevent data breaches.


18. Secure Disposal

When disposal of items is necessary a suitable process must be used. This is to secure the data, to provide a process that does not enable data to be shared in error, by malicious or criminal intent.

These processes, when undertaken by a third party are subject to contractual conditions to ensure GDRP and DPA compliance.

The secure disposal of our IT is managed by our IT providers, Mercury AVS.

Paper copies are shredded using a cross-cut shredder.


19. Complaints & the Information Commissioner Office (ICO)

The school Complaint Policy deals with complaints about Data protection issues.

There is a right to complain if you feel that data has been shared without consent or lawful authority.

You can complain if you have asked to us to erase, rectify, not process data and we have not agreed to your request.

We will always try to resolve issues on an informal basis, and then through our formal complaints procedure. Please complete the form, and we will contact you with more details about the timescale and process.

In the UK it is the ICO who has responsibility for safeguarding and enforcing the DPA obligations.

Email: Helpline: 0303 123 1113 web:


20. Review

A review of the effectiveness of GDPR compliance and processes will be conducted by the Data Protection Officer every 12 months.

As this policy is based on new legislation, it will also be reviewed if and when any new local or national guidance for schools is published.