Data Protection

This page sets out the information and the school’s legal duties relating to Data Protection (Data Protection Act and General Data Protection Regulations 2018), including the ways in which the school processes information about individuals (pupils, parents, employees, volunteers, visitors) and the rights of individuals with regard to accessing information the school holds about them.

Privacy Notice


All organisations, including schools, that collect, store, process and share (commonly known as ‘processing’) information about individuals must comply with the General Data Protection Regulations (Data Protection Act) 2018.  One of the requirements of these regulations is to publish a privacy notice which must explain what information is collected about individuals, the reasons it is processed and the ways in which it is stored.  Organisations must also publish information about their appointed Data Protection Officer (a new requirement of the 2018 regulations) and the ways in which individuals can contact the school to request a copy of the information held about them or to raise a concern or breach of confidentiality.  Our Privacy notice (below) sets out:

  • the categories of data we collect;
  • why the data is collected (purpose);
  • the lawful basis for processing data (where applicable)
  • how the data is stored (processed);
  • how long we keep (retention) data for;
  • who / which organisations data is shared with and why;
  • what those organisations will do with the data;
  • individuals rights over their data (including right of access);
  • contact details, including those of the school’s Data Protection Officer (DPO);

Data Controller and Data Processor

The Data Controller is the organisation who (either alone or in common with other organisations) determine the purpose for which, and the manner in which data is processed.  The Data Processor is the organisation who processes data on behalf of and on the order of a data controller.  A Data Subject is an individual, e.g. a parent, pupil, staff member, for whom data is processed by an organisation.  A Data Subject can usually be directly or indirectly identified by one or more aspects (e.g. name, date of birth) of the information processed.

Northenden Community School is both the Data Controller and the Data Processor of personal data.

Processing Information

For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or ‘processing’ apply to any activity involving the personal data, such as:

  • collecting, including manually and digitally on computer systems
  • storing, including archiving
  • sharing
  • destroying

Data Protection Principles

In processing data of individuals, we comply with the regulations which state that information must:

  • be fairly and lawfully processed;
  • be processed for specific purposes;
  • be adequate, relevant and not excessive;
  • be accurate and up to date;
  • not kept longer than is necessary;
  • be processed in line with individuals’ rights;
  • be secure;
  • not be transferred to other countries without adequate protection.

Information Categories

As a school, we process information about the following categories of individuals:

  • Pupils
  • Parents
  • Staff, including applicants for jobs and former employees
  • Volunteers
  • Visitors

Pupil Information

We collect and process PUPIL INFORMATION for the following purposes:

  • to plan for teaching and learning, including allocating resources and support
  • to monitor and report on pupil attendance, attainment and progress;
  • to provide and keep records about pastoral care and behaviour;
  • to evaluate the quality of our services;
  • to keep children safe, e.g. medical, allergy and emergency contact information;
  • to meet the statutory duties placed up us.

We process pupil information in accordance with the legal basis of

  • Public Task – processing pupil data is necessary to perform tasks that schools are required to perform as part of their statutory function;
  • Vital Interests – processing and sharing pupil data is necessary to keep children safe
  • Legal Obligation – data is collected and shared with the Local Authority and Department for Education (DfE)

These requirements are set out in law in:

  • Section 537A of the Education Act 1996;
  • the Education Act 1996;
  • the Education (School Performance Information)(England) Regulations 2007;
  • Regulations 5 and 8 School Information (England) Regulations 2008;
  • the Education (Pupil Registration)(England)(Amendment) Regulations 2013.

Categories of Pupil Information

We process the following pupil information:

  • Personal identifiers, e.g. full name, unique pupil number (UPN), address, contact details;
  • Characteristics, e.g. gender, ethnicity, language, religion, free school meal entitlement;
  • Safeguarding information, e.g. child protection records, court orders, involvement of family support and other agencies, referrals from outside agencies, including Children’s Services;
  • Special educational needs, e.g. SEND category, specialist assessments, reports from outside agencies, My Learning Plans;
  • medical information, e.g. medical conditions, allergies, emergency treatment required, medication, doctor’s surgery details, dietary requirements;
  • attendance, e.g. sessions attendance and reasons for absence, penalty notices issued;
  • assessment and attainment data, including records of assessment and results of any statutory or non-statutory tests, mid-year and annual reports;
  • behaviour information, including significant behaviour incidents and exclusions;
  • pupils’ work (usually in exercise books), including ongoing marking and assessment;
  • pupil activities, including extra-curricular activities, participation in sport and music
  • references and profiles transferred to and from other schools
  • photographs
  • CCTV recordings

Collecting Pupil Information

We collect pupil information in a number of ways:

  • from previous education settings and schools;
  • from parents, including admission, data collection, medical and consent forms;
  • electronic common transfer files (CTFs) from previous schools;
  • ongoing assessment data gathered by teacher assessment and testing;
  • from outside agencies, including for medical or safeguarding reasons.

Most of the information we collect is mandatory but some is voluntary.  We aim to make it clear to parents at the point of collection if they have a choice in providing us with some information.

Sharing Pupil Information

We share information about pupils as part of our statutory duties.  We share information with the following organisations and agencies:

  • Department for Education
  • Local Authority
  • School Nurse and other medical practitioners
  • Children’s Services (e.g., in the case of safeguarding or family support plans)
  • other schools (when pupils transfer from or to another school, including secondary schools)


The pupil data that we lawfully share with the DfE through data collections:

  • underpins school funding, which is calculated based upon the numbers of pupils and their characteristics (e.g. SEND, EAL, FSM) in each school;
  • is used to provide school- and LA-level attainment and progress data which is published in the public interest;
  • informs short term education policy monitoring;
  • supports longer-term research and monitoring of educational policy;
  • National Pupil Database (a database of all pupils in the country which is used for statistical purposes, studies of educational performance and by the DfE to determine school funding.

The law allows the DfE to share pupils’ personal data with certain third parties, including:

  • schools
  • local authorities
  • researchers
  • organisations connected with promoting the education or wellbeing of children in England
  • other government departments and agencies
  • organisations fighting or identifying crime


We collect and process the information of parents and pupils’ other significant adults for the following purposes:

  • statutory contact with parents and those with parental responsibility for pupils, e.g. pupil reports;
  • emergency contact information;
  • payments made to school for services and voluntary contributions.

We collect and process the following information

  • Name
  • Address
  • Telephone numbers, including home, work and mobile numbers
  • Relation to pupil
  • Payments via Parent Pay (credit card details not visible to school)

Sharing Parents’ Information

We do not routinely share information about parents with any other individuals or third parties without consent.  The circumstances in which we will share information with third parties without consent include referral to Children’s Services (e.g. safeguarding)


Personal data is stored, processed and exchanged in the following ways:

  • paper files
  • secure computer-based databases, spreadsheets and word-processed documents
  • school computer networks and servers
  • e-mail systems, including secure and encrypted systems
  • password-protected and encrypted laptops and storage devices
  • secure online data transfer systems
  • secure online data backup systems
  • CCTV System (indoors and outdoors)

Specific server- or cloud-based ICT systems include:

  • SIMS (School Information Management System)
  • TAPESTRY : EYFS assessment and recording system (shared with parents)
  • Junior Librarian (online library management system)
  • Parent Pay (direct payments system for parents)
  • CPOMS (Child Protection Online Management system)
  • Swymphony (for pupils swimming records)

Retention of Personal Data

The DfE’s Data Protection Toolkit for Schools defines the periods of time that information about pupils, parent and staff should be kept.  For some purposes, the information we hold about pupils must be kept for a period of 25 years from the date of birth of the pupil.  This particularly applies to information about safeguarding and special educational needs.  

Third Parties

The school uses third-party (external) data processors to store and process information on its behalf.  All third parties will have agreements with the school regarding their GDPR arrangements, data security, data protection officers and arrangements for dealing with a breach of data, including contacting the school in that event.


The GDPR 2018 requires that all organisations appoint a Data Protection Officer.  This person, who may be internally or externally appointed, will:

  • advise the school on processes required to implement the GDPR, including improving data security and minimising the possibility of breaches of data;
  • provide training and advice to school staff on the implementation of the GDPR and data security.

The School has appointed the following person/organisation to act as the School’ Data Protection Officer:

Matthew Keeffe
LLM Laws, Chartered MCIPD, GCGI
HR Director/GDPR Practitioner/Employment Law Specialist
4 Helsman Way
Poolstock, Wigan WN3 5DJ
Tel: 01942 824635
Mob: 07943651386


The Information Commissioner’s Office (ICO) in England is responsible for the upholding the regulations of the Data Protection Act and the General Data Protection Regulations.  All schools must be registered as a data controller with the ICO and pay an annual registration fee.  The details of our registration can be found on the ICO website at  Our Registration Number is Z7490495


Access To Personal Information

Any individual for whom we process information has a right to request access to that information.  To make a request for your personal information, individuals can contact. Parents can request information about their children.  Pupils attending any type of school have a right of access under the Data Protection Act to their own information. This is known as the right of subject access. When a child cannot act for themselves or the child gives permission, parents will be able to access this information on their behalf.  If the child attends a maintained school, parents have an independent right of access to their child’s educational record, under separate education regulations.

The school will require time to gather from various sources the information that it holds and provide this to an individual with the timescale allowed by the regulations which is one calendar month from the date of request.  To make a request for personal information contact Carolyn Davies, School Business Manager, at the school.

Additional Rights

Individuals also have the right to:

  • object to the processing of personal data that is likely to cause, or is causing, damage or distress;
  • prevent processing for the purpose of direct marketing;
  • object to decisions being taken by automated means;
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • a right to seek redress, either through the ICO or through the courts


If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance.  You can also contact the school’s Data Protection Officer or report your concerns, if not resolved by the school, to the Information Commissioner’s Officer.


A data breach  is an incident which leads to the disclosure, loss, alteration, sharing or unauthorised access of personal data which should not occur given the school’s arrangements for data security. Examples of breaches include:

  • sharing of personal or sensitive data with a person with whom it should not be shared;
  • accidental disclosure of personal or sensitive pupil with parents or pupils;
  • theft of computer or storage device on which personal information is stored;
  • sending an email or letter containing personal data to an incorrect recipient
  • sharing personal email addresses with individuals or as a public distribution list

Any data breaches or alleged data breaches must be reported to the school’s Data Protection Officer as soon as it is discovered. The Data Protection Officer then has 72 hours in which to report the breach to the Information Commissioner’s Office.

Translate »