The new GDPR (General Data Protection Regulation) has replaced the current Data Protection Act (DPA) and has strengthened and unified all data held within an organisation. For schools, GDPR brought with it a new responsibility to inform parents and stakeholders about how they are using pupils’ data and who it is being used by.
What does GDPR mean for schools?
A great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, ‘in the public interest’. As it is in the public interest to operate schools successfully, it will mean that specific consent will not be needed in the majority of cases in schools.
GDPR will ensure data is protected and will give individuals more control over their data, however, this means schools will have greater accountability for the data.
Under GDPR, consent must be explicitly given to anything that isn’t within the normal business of the school, especially if it involves a third party managing the data. Parents (or the pupil themselves depending on their age) must express consent for their child’s data to be used outside of the normal business of the school.
We collect and use pupil information under the Education Act 1996. The EU general data protection regulation 2016/679 (GDPR) will take effect on May 25, 2018, including Article 6 ‘lawfulness of processing’ and Article 9 ‘Processing of special categories of personal data’
We use the pupil data:
The categories of pupil information that we collect, hold and share include:
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Storing pupil data
We hold pupil data for 6 years following a student’s last entry.
We routinely share pupil information with:
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the pupil information we share with the department, for the purpose of data collections, go to
To find out more about the NPD, go to
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE:www.gov.uk/contact-dfe
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact Mrs. Debbie Smith via email@example.com.
You also have the right to:
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.
If you would like to discuss anything in this privacy notice, please contact:
Data Protection Officer – Mrs. Debbie Smith
c/o Jolesfield CE Primary School
Tel: 01403 710546