Thornham St.James’ CE Primary School

Data Protection Policy


About This Policy

Everyone has rights with regard to the way in which their personal data is handled. During the course of the school’s activities it collects, stores and processes personal data about staff, pupils, their parents, suppliers and other third parties, and it is recognised that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.

Those who are involved in the processing of personal data are obliged to comply with this Policy when doing so. Any breach of this Policy may result in disciplinary action.

This Policy sets out the basis on which the school will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. It does not form part of any employee’s contract of employment and may be amended at any time.

The policy meets the requirements and expectations of the General Data Protection Register introduced in law as of the 25th May 2018.


General Statement Of Duties

The school is required to process relevant personal data regarding individuals as part of its operation and shall take all reasonable steps to do so in accordance with this Policy. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data.


Data Protection Officer

The school has appointed Mrs Alison Tomlinson as Data Protection Officer (DPO), who will endeavour to ensure that all personal data is processed in compliance with this Policy and the principles of the Act. Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to the DPO.


The Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice as enshrined within the requirements of the GDPR.

These provide that personal data must be:

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up-to-date
  • Not kept for longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to other countries without adequate protection


Types Of Personal Data Processed By The School

Personal data covers both facts and opinions about an individual. The school may process a wide range of personal data about individuals including current, past and prospective pupils and their parents as part of its operation, including, by way of example:

  • Names, addresses, telephone numbers, email addresses and other contact details
  • Bank details and other financial information, e.g. about parents who pay fees to the school
  • Past, present and prospective pupils’ academic, disciplinary, admissions and attendance records (including information about any special needs), and examination scripts and marks
  • Where appropriate, information about individuals’ health, and contact details for their next of kin
  • References given or received by the school about pupils, and information provided by previous educational establishments and/or other professionals or organisations working with pupils; and
  • Images of pupils (and occasionally other individuals) engaging in School activities, and images captured by the school’s CCTV system (in accordance with the school’s policy on taking, storing and using images of children)

Generally, the school receives personal data from the individual directly (or, in the case of pupils, from parents). However, in some cases personal data may be supplied by third parties (for example another school, or other professionals or authorities working with that individual), or collected from publicly available resources.


Sensitive Personal Data

The school may, from time to time, need to process sensitive personal data regarding individuals. Sensitive personal data includes information about an individual’s physical or mental health, race or ethnic origin, political or religious beliefs, sex life, trade union membership or criminal records and proceedings. Sensitive personal data is entitled to special protection under the Act, and will only be processed by the school with the explicit consent of the appropriate individual, or as otherwise permitted by the Act. The consent should be informed, which means it needs to identify the relevant data, why it is being processed and to whom it will be disclosed. Staff should contact the DPO for more information on obtaining consent to process sensitive personal data.


Use Of Personal Data By The School 

The school will use (and where appropriate share with third parties) personal data about individuals for a number of purposes as part of its operations, including as follows:

  • For the purposes of pupil selection and to confirm the identity of prospective pupils and their parents
  • To provide education services (including SEN), career services, and extra-curricular activities to pupils; monitoring pupils’ progress and educational needs; and maintaining relationships with alumni and the school community
  • For the purposes of management planning and forecasting, research and statistical analysis, and to enable the relevant authorities to monitor the school’s performance;
  • To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil has attended or where it is proposed they attend
  • To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the school
  • To safeguard pupils’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so, for example for medical advice, insurance purposes or to organisers of school trips;
  • To monitor (as appropriate) use of the school’s IT and communications systems in accordance with the school’s Computing and Acceptable Use and E-safety Policies
  • To make use of photographic images of pupils in school publications, on the school website and (where appropriate) on the school’s social media channels in accordance with the school’s policy on taking, storing and using images of children
  • For security purposes, and for regulatory and legal purposes (for example safeguarding and child protection and health and safety) and to comply with its legal obligations; and
  • Where otherwise reasonably necessary for the school’s purposes, including to obtain appropriate professional advice and insurance for the school


Keeping In Touch And Supporting The School

The school will use the contact details of parents, alumni and other members of the school community to keep them updated about the activities of the school, including by sending updates and newsletters, by email and by post. Unless the relevant individual objects, the school may also:

  • Share personal data about parents and/or alumni, as appropriate, with organisations set up to help establish and maintain relationships with the School community.
  • Contact parents and/or alumni by post and email in order to promote and raise funds for the School and, where appropriate, other worthy causes

Should you wish to limit or object to any such use, or would like further information about them, please contact the DPO in writing.


Rights Of Access To Personal Data (‘Subject Access Request’)

Individuals have the right under the Act to access personal data about them held by the School, subject to certain exemptions and limitations set out in the Act. Any individual wishing to access their personal data should put their request in writing to the DPO. The School will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within statutory time limits (one month).

It should be noted that certain data is exempt from the right of access under the Act. This may include information which identifies other individuals or information which is subject to legal professional privilege. The school is also not required to disclose any pupil examination scripts (though examiners’ comments may be disclosed), nor any reference given by the school for the purposes of the education, training or employment of any individual.

The GDPR states that pupils under the age of 16 are to be considered as ‘vulnerable’ and therefore are not allowed to amend their own data. As all our pupils are aged 12 and under, all subject access requests from pupils will therefore not be considered. 

Only a person with parental responsibility will generally be expected to make a subject access request on behalf of younger pupils. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. In line with the GDPR, we recognise the following rights in relation to data: 

  1. Right of Access.

Individuals have the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to that personal data.

  2. Right to Rectification.

Individuals have the right to obtain rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.

  3. Right to Erasure (“Right to be Forgotten”).

In certain cases, individuals have the right to obtain the erasure of their personal data.

  4. Right to Restriction of Processing.

Individuals have the right to obtain a restriction of processing, applicable for a certain period and/or for certain situations.

  5. Right to Data Portability.

Individuals have the right to receive their personal data and they have the right to transmit such personal data to another controller.

  6. Right to Object.

In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data in so far as the data have been collected for direct marketing purposes.

  7. Right to be Not Subject to Automated Individual Decision-Making.

Individuals have the right to not be subject to a decision based solely on automated processing.

  8. Right to Filing Complaints.

Individuals have the right to file complaints about the processing of their personal data with the relevant data protection authorities.

  9. Right to Compensation of Damages.

In case of a breach of the applicable legislation on processing of (their) personal data, individuals have the right to claim damages that such a breach may have caused them.


Certain data is exempted from the provisions of the Act, including the following:

  • The prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the school
  • Information which might cause serious harm to the physical or mental health of the pupil or another individual
  • Cases where the disclosure would reveal a child is at risk of abuse
  • Information contained in adoption and parental order records
  • Information given to a court in proceedings under the Magistrates’ Courts (Children and Young Persons) Rules 1992
  • Copies of examination scripts; and
  • Providing examination marks before they are officially announced


Unstructured Personal Information

The school will generally not be required to provide access to information held manually and in an unstructured way.

The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPO.

Further exemptions may include information which identifies other individuals, information which the school reasonably believes is likely to cause damage or distress, or information which is subject to legal professional privilege. The school will also treat as confidential any reference given by the school for the purpose of the education, training or employment, or prospective education, training or employment of any pupil. The school acknowledges that an individual may have the right to access a reference relating to them received by the school. However, such a reference will only be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent or if disclosure is reasonable in all the circumstances.


Whose Rights?

The rights under the Act are those of the individual to whom the data relate. However, the school will, in most cases, rely on parental consent to process data relating to pupils (if consent is required under the Act) unless, given the nature of the processing in question, and the pupil’s age and understanding, it is more appropriate to rely on the pupil’s consent.

Parents should be aware that in such situations they may not be consulted.

In general, the school will assume that pupils consent to disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare, unless, in the school’s opinion, there is a good reason to do otherwise.

However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the school will maintain confidentiality unless, in the school’s opinion, there is a good reason to do otherwise; for example where the school believes disclosure will be in the best interests of the pupil or other pupils. 

Pupils are required to respect the personal data and privacy of others, and to comply with the school’s Computing and Acceptable Use and E-safety Policies and any school rules.


Disclosure Of Information

The school may receive requests from third parties to disclose personal data it holds about pupils, their parents or guardians. The school confirms that it will not generally disclose information unless the individual has given their consent or one of the specific exemptions under the Act applies. However, the school does intend to disclose such data as is necessary to third parties for the following purposes:

  • To give a confidential reference relating to a pupil to any educational institution which it is proposed that the pupil may attend
  • To give information relating to outstanding fees or payment history to any educational institution which it is proposed that the pupil may attend
  • To publish the results of public examinations or other achievements of pupils of the school
  • To disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example for medical advice, insurance purposes or to organisers of school trips

Where the school receives a disclosure request from a third party it will take reasonable steps to verify the identity of that third party before making any disclosure.



The school will endeavour to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible. Individuals must notify the DPO of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under the Act) and may do so by contacting the DPO in writing.


Timely Processing

Except as required by the Independent Inquiry into Child Sexual Abuse (see below) the school will not keep personal data longer than is necessary for the purpose or purposes for which they were collected and will take all reasonable steps to destroy, or erase from its systems, all data which is no longer required.



If an individual believes that the School has not complied with this Policy or acted otherwise than in accordance with the Act, they should utilise the School’s complaints procedure and should also notify the DPO.


Data Security

The school will take appropriate technical and organisational steps to ensure the security of personal data about individuals, and to ensure that members of staff will only have access to personal data relating to pupils, their parents or guardians where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the Act.

The school must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Accordingly, no member of staff is permitted to remove personal data from school premises, whether in paper or electronic form and wherever stored, without prior consent of the Head or Bursar. Where a member of staff is permitted to take data offsite it must be encrypted.


The Independent Inquiry into Child Sexual Abuse

The Independent Inquiry into Child Sexual Abuse (formerly The Goddard Inquiry) was launched at the beginning of July 2015. The Inquiry is investigating whether public bodies and other non-state institutions have taken seriously their duty of care to protect children from sexual abuse in England and Wales. Judge Goddard made it very clear in her opening statement the importance of retaining records. She wrote to institutions including local authorities and religious organisations on the subject of retaining records but confirmed that the content of those letters should be taken to apply to all institutions which have had responsibility for the care of children.

In view of Judge Goddard’s clear direction to institutions not to destroy records, the School will not destroy pupil records after the customary seven year period, as determined by the DPO in accordance with the Data Protection Principles published by the Information Commissioner’s Office, but will retain them and all staff records until the Inquiry has concluded. The Inquiry ‘trumps’ any data protection legislation.


Data Breaches

The school takes seriously any data breach and will, through its policy and practice, endeavour to minimise the risk of a breach. However, in the rare circumstances surrounding a data breach, a process will be followed.

The GDPR states that breaches should be referred to the Information Commissioner’s Office (ICO) within 72 hours of disclosure. However, it is appropriate for our school to consider the following factors before referring to the ICO:



Complaints related to the management of data in our school will be handled through our existing Complaints Procedure, copies of which are available on the school website or from the school office upon request.


Requests for Amendments of Data

The GDPR establishes the right to amend any data held that is inaccurate or may have a negative or detrimental effect on an individual. Amendments may take the form of updates, redactions or removals. As a school, we believe that before any amendment request is granted the first step is to view the data so as to ensure that it may be necessary. However, in the rare circumstances surrounding a data amendment request, a process will be followed.


Transparency and Accountability

To ensure that the school is open and transparent about what data it holds and how it will be managed, the school will bear in mind the following prompts in all that it does:

The school will provide every parent with information in relation to their data rights. In addition, it will also provide every new parent with a data statement. This ‘statement’ will outline the aspects of data that the school will gather and use, as well as stating their purpose, their ‘shelf-life’ and where it may be shared. Parents will be asked to acknowledge their understanding of this information and accept the reasoning and processing that may occur.


School Website

The school will establish a page on its website to ensure that its approaches, policies and practices in relation to data are transparent. It will provide parents with information that may be relevant to their data concerns. It will include:

  • Information about the school’s Data Protection Officer (name, contact details etc.)
  • Copies of relevant policies
  • Data review and amendment request forms
  • Process flowcharts
  • Step by step guides
  • Complaints policy


Introducing A New Initiative or Project

The GDPR requires schools to undertake an evaluation of the data management impact resulting from new initiatives.


The School’s Rights To Refuse A Request

The school reserves the right to refuse a request to view or amend data held. This would be rare and only on the following basis:

  • Vexatious requests
  • Where information held may be required by future legal processes, e.g. Child Protection
  • The request would lead to inaccurate and misleading information being recorded
  • The request has come from an individual who has no rights of access

Where the school decides not to adhere to a request it will notify the person who made the request of:

  • The reason why the request has been refused
  • Their legal rights of appeal or complaint
  • Their legal rights of referral to the ICO



The school will not usually make a charge in relation to data viewing or amendment requests. However, it reserves the right to do so where the request is proven to be:

  • Vexatious
  • Excessive
  • Unfounded

Generic Policies

The school will undertake to review all of its policies (curriculum, safety, statutory etc.) to ensure that any potential data management issues are identified and resolved. The review statement will accompany the relevant document.


Transitional Period

The introduction of the GDPR has required the school to undertake a significant review of policy and practice in relation to data. Throughout the implementation period, from May 2018 to August 2019, we will keep the implementation under regular review. This will be undertaken by:

  • Termly Data Protection Audits
  • Termly Reports to Governors by the School’s DPO
  • An Annual Data Statement