Data Protection Policy

The UK General Data Protection Regulation (UK GDPR) ensures a balance between an individual’s rights to privacy and the lawful processing of personal data undertaken by organisations in the course of their business. It aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.

This policy sets out how we handle the personal data of our pupils, parents, suppliers, employees, workers and other third parties. It does not form part of any individual’s terms and conditions of employment and may be amended as legislation evolves. All staff must familiarise themselves with and comply with it; breaches may lead to disciplinary action up to and including summary dismissal.

Key definitions:

• Personal data: Any information relating to an identifiable individual, including special category data.
• Special Category Data: Sensitive personal data such as health, ethnicity, religious beliefs, biometric data, criminal convictions.
• Data Subject: Any individual about whom personal data is held.
• Data Controller: The organisation deciding how and why personal data is processed.
• Processing: Any operation on personal data, from collection to destruction.
• Automated Processing: The use of personal data to evaluate or predict personal aspects, including profiling and automated decision-making, which is prohibited unless exceptional.
• DPIA: Data Protection Impact Assessment to identify and mitigate processing risks.
• Criminal Records Information: Data relating to convictions, offences, proceedings, and security measures.

The school adheres to the UK GDPR’s principles: data must be processed lawfully, fairly, and transparently; collected for specified purposes; adequate and relevant; accurate and up to date; kept only as long as necessary; and secured appropriately.

Lawful basis for processing personal data: consent; contract performance; vital interests; legal compliance; public interest; or legitimate interests (where not overriding rights).

Special category data: requires a lawful basis and one of: explicit consent; employment law obligations; vital interests; legal obligations; public data; substantial public interest; medical purposes; public health; archiving/research.

We document legal grounds for each processing activity, keep consent records where used, and delete or anonymise data when no longer needed. Appropriate security measures (encryption, pseudonymisation, access controls, confidentiality, accuracy checks) are in place, and we share data externally only under strict contractual safeguards and legal requirements. Transfers outside the EEA/UK require adequacy decisions or approved safeguards.

Data subjects have rights to:

• Withdraw consent at any time
• Receive details of processing activities
• Access their personal data
• Object to marketing uses
• Erasure, rectification, restriction of processing
• Object to legitimate-interest or public-interest processing
• Automated decision-making objections
• Breach notifications
• Complain to the ICO
• Data portability (in certain cases)

Requests must be identity-verified. Electronic direct marketing requires prior consent. Employees with access to personal data must follow our security protocols and only use data for authorised purposes.

We implement technical and organisational measures to demonstrate compliance, maintain records of processing activities, and conduct DPIAs for high-risk processing (new technologies, automated decision-making, large-scale special category data, CCTV).

Personal data breaches are reported to the ICO and, when required, to affected data subjects. A designated lead (Headteacher) must be notified immediately of suspected breaches. Privacy notices are provided at or before data collection, clearly explaining processing purposes, legal bases, retention, and data subject rights.

Training is provided to all personnel handling personal data. We keep records of consents, DPIAs, breach responses, and processing inventories including purposes, data categories, storage locations, retention periods, and security measures.

All staff must secure personal data against unauthorised access or damage. Information security covers all media (electronic, paper, removable devices). Key principles:

• Classify data by sensitivity and handle accordingly.
• Lock screens and secure paper/electronic records when unattended.
• Report breaches or security concerns immediately to Headteacher/SLT IT link.
• Obtain approval before installing software or using removable media.
• Use strong passwords and MFA for remote access; follow password protocols (see Appendix A).
• Encrypt personal data in transit; verify recipients before sharing.
• Follow our Acceptable Use of ICT, clear workspace protocol (Appendix B), and related policies.

The SLT IT link oversees IT security standards, staff training, access controls, and incident response, in consultation with school management.

Related policies: Data Retention, Freedom of Information, Data Breach, Acceptable Use of ICT.

We monitor policy effectiveness in practice, conduct scheduled reviews, and update as needed to mitigate emerging risks and ensure ongoing compliance.

Passwords are critical to IT security. All users must:

• Keep passwords secret, never written down or shared.
• Lock workstations when unattended.
• Use unique passwords, minimum length 8 characters for staff.
• Lock out after 5 failed attempts (reset after 20 minutes).
• Use MFA for Office 365 and remote access.
• Raise helpdesk tickets to allow access outside the UK.

Staff must secure sensitive information when leaving a room:

• Lock away paperwork and devices in drawers/cabinets.
• Clear desks of sensitive materials.
• Shred confidential waste—do not use regular bins.
• Lock computer screens when unattended.
• Retrieve printed personal data immediately.
• Report misplaced information to the Headteacher without delay.