Our Data Protection Policy is below and you will find our privacy notices at the end of this policy.
The Headteacher and Governing Body of Castlewood School comply with the requirements and principles of the Data Protection Act (DPA) 1998. The DPA covers the collection, storing, editing, retrieving, disclosure, archiving and destruction of personal data. The Act applies to information which is held electronically or in a manual form. Each school is required to register with the Information Commissioner.
The School as a Data Controller undertakes to:
• Notify the Information Commissioner's Office (ICO) as detailed below
• Comply with the eight data protection principles which together form a framework for the proper handling of personal data
Registering and Notification under the Act
The School has made the initial notification to the ICO on behalf of the governing body and Headteacher.
In addition, the School responds to renewal notices sent out annually by the ICO to ensure that it includes any new category of processing undertaken.
The DPA contains 8 enforceable principles that must be adhered to regarding personal data as well as a number of conditions that apply.
Personal data is data that relates to a living individual who can be identified from that data, or from that data and other data held by the data controller, for example the School.
The eight principles of data protection that the School abides by are:
1. Personal data shall be processed fairly and lawfully. Individuals should be informed of who is collecting the data, for what purpose and whether there will be any third party disclosures
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
4. Personal data shall be accurate and where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction or damage to personal data
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data subjects' rights
Right to know
Data subjects have the right to know what data is held about them, who is collecting it, for what purpose it is collected and who will see it. The school undertakes to provide this information when collecting personal data.
Right to prevent processing causing damage or distress
Subject to certain exemptions, data subjects have the right to serve a notice on data controllers requiring them to stop processing personal data in a way which is likely to cause substantial unwarranted damage or distress to that data subject or another.
Right to correct inaccurate data
Data subjects may also apply for a court order to require the data controller to rectify, block, erase or destroy inaccurate data about the data subject. The School therefore ensures that it has procedures in place to respond to any requests to amend inaccurate data.
Requests for personal data by Pupil/Parent - What rights exist for access to a pupil’s personal information?
Under the Education (Pupil Information) (England) Regulations 2005, a parent has the right to access their child’s Nursery educational record, as their child is not of an age to act on their own behalf.
Information that can be withheld
Under the current legal framework the School reserves the right to withhold:
1. Information about another person (including a parent) without consent of that person.
2. Information about the data subject where:
• Information might cause serious harm to the physical or mental health of the pupil or another individual;
• The disclosure would reveal a child is at risk of abuse;
• Information is contained in adoption and parental order records
• Information is given to a court in proceedings under the Magistrates’ Courts (Children and Young Persons) Rules 1992;
• Information is contained in legal advice which is protected by legal professional privilege.
What are the timescales for dealing with requests?
In compliance with legislation, requests from parents for information that contains, wholly or partly, an educational record will receive a response within 15 school days. However, should a subject access request be made just for personal information outside the educational record, a response will be made promptly and at most within 40 calendar days. The governors may choose to charge a fee for this service.
Requests from police/fraud office
In accordance with Section 29(3) of the Act the School will disclose personal data to the police where it is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or similar. However, the police will need to show that if the School does not disclose the information, the above purposes would be prejudiced. They will be asked to make the request in writing on headed paper and the School will check that the individual making the request is indeed from the police/fraud office. The sort of information the police usually require is the current address of a child’s parents.
Court orders for disclosure
The School will refer such requests, which may come from the police, the Crown Prosecution Service or the defence team in a court case, to the Legal Services Unit at West Sussex County Council.
Disclosures to Educational Agencies and others
As a general rule the School will not disclose personal data to third parties unless it has the consent of the data subject. For instance, the school would normally pass on the telephone number of the person seeking information to the parent rather than vice versa.
Best Practice on disclosures
The School undertakes to:
• Take care to make no wider disclosures than necessary, and to avoid inadvertently giving out information relating to others
• Take care when processing sensitive data on race, political opinion, religious belief, TU membership, physical or mental health, sexual life, commission of offences, criminal proceedings and sentences
• Keep a record of disclosures
Security of data:
The school undertakes to keep data safe by ensuring that:
• Personal data is not left where it can be accessed by unauthorised persons
• Procedures relating to access to the building and IT security are adhered to
• Personal data which is no longer required is destroyed appropriately, for example, by shredding or, in the case of computer records, secure deletion
• Personal information is securely deleted using appropriate software tools when computers are disposed of in accordance with the Council’s policy for IT Asset Management, and that personal data is destroyed in accordance with the Council’s retention schedule
• Staff working from home are also compliant with this policy
Penalties for non-compliance with the Data Protection Act
The School understands that there are various criminal offences created by the Act, which can be committed by the School itself or by a member of staff, including:
- Failure to register/notify
- Procuring and selling offences
For further information, please contact the Legal Services on 01243 777901.
This policy is based on West Sussex County Council Data Protection Information for Schools 2009 and should also be read in conjunction with Castlewood School Acceptable Use Policy and Freedom of Information Policy.
For more information on DPA please refer to