Published using Google Docs
Fox Federation Data Protection Policy
Updated automatically every 5 minutes










Staff member

Ben McMullen


Will Gallagher



Full Governing Body


Last amendment date

Autumn 2023

Renewal date

Autumn 2025









1. Aims        3

2. Legislation and guidance        3

3. Definitions        5

4. The data controller        5

5. Roles and responsibilities        6

6. Data protection principles        7

7. Collecting personal data        7

8. Sharing personal data        8

9. Subject access requests and other rights of individuals        9

10. Parental requests to see the educational record        11

11. CCTV        11

12. Photographs and videos        11

13. Data protection by design and default        12

14. Data security and storage of records        12

15. Disposal of records        13

16. Personal data breaches        13

17. Training        13

18. Monitoring arrangements        13

19. Links with other policies        13

Appendix 1: Personal data breach procedure        15

1. Aims

Our school aims to ensure that all personal data collected about staff, pupils, parents, governors, visitors and other individuals is collected, stored and processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018).

This policy applies to all personal data, regardless of whether it is in paper or electronic format.

2. Legislation and guidance

This policy meets the requirements of the GDPR and the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR.

It also reflects the ICO’s code of practice for the use of surveillance cameras and personal information.

In addition, this policy complies with regulation 5 of the Education (Pupil Information) (England) Regulations 2005, which gives parents the right of access to their child’s educational record.

3. Definitions



Personal data

Any information relating to an identified, or identifiable, living individual.

This may include the individual’s:

  • Name (including initials)
  • Identification number
  • Location data
  • Online identifier, such as a username

It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Special categories of personal data

Personal data which is more sensitive and so needs more protection, including information about an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (such as fingerprints, retina and iris patterns), where used for identification purposes
  • Health – physical or mental
  • Sex life or sexual orientation


Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.

Processing can be automated or manual.

Data subject

The identified or identifiable individual whose personal data is held or processed.

Data controller

A person or organisation that determines the purposes and the means of processing of personal data.

Data processor

A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

4. The data controller

Our schools process personal data relating to parents, pupils, staff, governors, visitors and others, and therefore is a data controller.

5. Roles and responsibilities

This policy applies to all staff employed by our school, and to external organisations or individuals working on our behalf. Staff who do not comply with this policy may face disciplinary action.

5.1 Governing board

The governing board has overall responsibility for ensuring that our school complies with all relevant data protection obligations.

5.2 Data protection officer

The data protection officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.

They will provide an annual report of their activities directly to the governing board and, where relevant, report to the board their advice and recommendations on school data protection issues.

The DPO is also the first point of contact for individuals whose data the school processes, and for the ICO.

Full details of the DPO’s responsibilities are set out in their job description.

Our DPOs:

Fox:                 Ros Morgan   0207-727-7637

Ashburnham:         Sayinie Webb  0207 352 5740

Avonmmore:          Dan Brown  020 7603 9750

Avondale + St Anne’s: Sirje Caprera 0207 727 7727

5.3 Headteacher/ head of school

The headteacher/ head of school acts as the representative of the data controller on a day-to-day basis.

5.4 All staff

Staff are responsible for:

6. Data protection principles

The GDPR is based on data protection principles that our school must comply with.

The principles say that personal data must be:

This policy sets out how the school aims to comply with these principles.

7. Collecting personal data

7.1 Lawfulness, fairness and transparency

We will only process personal data where we have one of 6 ‘lawful bases’ (legal reasons) to do so under data protection law:

For special categories of personal data, we will also meet one of the special category conditions for processing under data protection law:

For criminal offence data, we will meet both a lawful basis and a condition set out under data protection law. Conditions include:

Whenever we first collect personal data directly from individuals, we will provide them with the relevant information required by data protection law.

We will always consider the fairness of our data processing. We will ensure we do not handle personal data in ways that individuals would not reasonably expect, or use personal data in ways which have unjustified adverse effects on them.

7.2 Limitation, minimisation and accuracy

We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data.

If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary.

Staff must only process personal data where it is necessary in order to do their jobs.

We will keep data accurate and, where necessary, up-to-date. Inaccurate data will be rectified or erased when appropriate.

In addition, when staff no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with the school’s record retention schedule.

8. Sharing personal data

We will not normally share personal data with anyone else without consent, but there are certain circumstances where we may be required to do so. These include, but are not limited to, situations where:

We will also share personal data with law enforcement and government bodies where we are legally required to do so.

We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our pupils or staff.

Where we transfer personal data internationally, we will do so in accordance with data protection law.

9. Subject access requests and other rights of individuals

9.1 Subject access requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them. This includes:

Subject access requests can be submitted in any form, but we may be able to respond to requests more quickly if they are made in writing and include:

If staff receive a subject access request in any form they must immediately forward it to the DPO.

9.2 Children and subject access requests

Personal data about a child belongs to that child, and not the child's parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request, or have given their consent.

Children below the age of 12 are generally not regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents or carers of pupils at our school may be granted without the express permission of the pupil. This is not a rule and a pupil’s ability to understand their rights will always be judged on a case-by-case basis.

9.3 Responding to subject access requests

When responding to requests, we:

We may not disclose information for a variety of reasons, such as if it:

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee to cover administrative costs. We will take into account whether the request is repetitive in nature when making this decision.

When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO or they can seek to enforce their subject access right through the courts.

9.4 Other data protection rights of the individual

In addition to the right to make a subject access request (see above), and to receive information when we are collecting their data about how we use and process it (see section 7), individuals also have the right to:

Individuals should submit any request to exercise these rights to the DPO. If staff receive such a request, they must immediately forward it to the DPO.

10. Parental requests to see the educational record

Parents, or those with parental responsibility, have a legal right to free access to their child’s educational record (which includes most information about a pupil) within 15 school days of receipt of a written request.

If the request is for a copy of the educational record, the school may charge a fee to cover the cost of supplying it.

This right applies as long as the pupil concerned is aged under 18.

There are certain circumstances in which this right can be denied, such as if releasing the information might cause serious harm to the physical or mental health of the pupil or another individual, or if it would mean releasing exam marks before they are officially announced.

11. CCTV

We use CCTV in various locations around the school site to ensure it remains safe. We will adhere to the ICO’s code of practice for the use of CCTV.

We do not need to ask individuals’ permission to use CCTV, but we make it clear where individuals are being recorded. Security cameras are clearly visible and accompanied by prominent signs explaining that CCTV is in use.

Any enquiries about the CCTV system should be directed to the DPO of the relevant school (5.3).

12. Photographs and videos

As part of our school activities, we may take photographs and record images of individuals within our school.

When a pupil joins the Federation, we will obtain written consent from parents/carers for photographs and videos to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used.

Any photographs and videos taken by parents/carers at school events for their own personal use are not covered by data protection legislation. However, we will ask that photos or videos with other pupils are not shared publicly on social media for safeguarding reasons, unless all the relevant parents/carers have agreed to this.

Where the school takes photographs and videos, uses may include:

Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.

When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.

See our Child protection policy and online safety policy for more information on our use of photographs and videos.

13. Data protection by design and default

We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

14. Data security and storage of records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.

In particular:

15. Disposal of records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.

For example, we will shred paper-based records, and delete electronic files. We may also use a third party to safely dispose of physical and digital records on the school’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.

16. Personal data breaches

The school will make all reasonable endeavours to ensure that there are no personal data breaches.  

In the unlikely event of a suspected data breach, we will follow the procedure set out in appendix 1.

When appropriate, we will report the data breach to the ICO within 72 hours after becoming aware of it.

17. Training

All staff and governors are provided with data protection training as part of their induction process.

Data protection will also form part of continuing professional development, where changes to legislation, guidance or the school’s processes make it necessary.

18. Monitoring arrangements

The DPO is responsible for monitoring and reviewing this policy.

This policy will be reviewed every 2 years and shared with the full governing board.

19. Links with other policies

This data protection policy is linked to our:

Appendix 1: Personal data breach procedure

This procedure is based on guidance on personal data breaches produced by the ICO.

If it’s likely that there will be a risk to people’s rights and freedoms, the DPO must notify the ICO.

As above, any decision on whether to contact individuals will be documented by the DPO.

Records of all breaches will be stored on the school’s network.

Actions to minimise the impact of data breaches

We will take the actions set out below to mitigate the impact of different types of data breach, focusing especially on breaches involving particularly risky or sensitive information. We will review the effectiveness of these actions and amend them as necessary after any data breach.

Set out the relevant actions you will take for different types of risky or sensitive personal data processed by your school. For example:

Special category data (sensitive information) being disclosed via email (including safeguarding records)

Other types of breach that you might want to consider could include: