Data Protection

Looking after the Information Schools Hold

Schools should register with the ICO. Under the multi academy trust arrangements, the MAT is responsible for the activities of all the schools in the MAT, even though some functions may have been delegated to local Heads of School or Local Governing Bodies. Ultimate responsibility lies with the MAT. Providing the schools and academies within the MAT do not have any legal status separate from that of the MAT, the MAT is the legal entity responsible for the processing of personal data by the schools and the academies with the MAT. The MAT would be the data controller for the processing and is the entity subject to DPA registration obligations.

If the schools or academies within the MAT are not separate legal entities, we also recommend the schools or academies within the MAT are shown as trading names on the MAT entry. It is important that parents and children to see who is responsible for processing of personal data.

Privacy Notices

These are the suggested privacy notices for pupils and staff from the DfE for schools to issue to staff, parents and pupils for the collection of data.These are only suggested examples of privacy notice text, and we recommend you seek independent legal advice to understand your full responsibilities and obligations under the Data Protection Act (1998). Privacy notices can be issued in a number of ways, for example:

  • As part of a school brochure or induction pack or in a school diary
  • On the school notice board
  • As part of a staff contract or induction pack
  • On the staff notice board

A child receiving social care services or a looked-after child could receive their privacy notice with information about the services they are being offered.

Subject Access Request

Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.This right of subject access means that parents/guardians/children may make a request under the Data Protection Act to any organisation processing their personal data.They can ask the organisation they think is holding, using or sharing their personal information to supply them with copies of both paper and computer records and related information.Organisations may charge a fee, there are special rules that apply to fees for paper based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided). Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.Before responding to a request for information held about a child, organisations should consider whether the child is mature enough to understand their rights. If the organisation is confident that the child can understand their rights, then it will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

Samples below:

Privacy Notice – Workforce

Privacy Notice – Pupils

Subject Access Code of Practice

search Find out more

Nicola Rudge
E-Safety Adviser
Tel. 01922 653000