GDPR

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.

‘Personal data’ means information that can identify a living individual.

The regulation will apply to all schools from 25 May 2018, and will apply even after the UK leaves the EU.

St Mary’s CE VC Primary School Data Protection Roles

Our Data Protection Officer is (To be appointed)

Our Data Protection Administrator is (To be appointed)

School GDPR Documents

Parents/Carers are contacted annually regarding GDPR, and to gain consent to use pupil images for the following reasons:

  • For use on the school’s website and on display boards around school.
  • We may also include images in our newsletter and articles sent through to the local papers.

We would like your consent to take photos of your child, and use them in the ways described above. If you’re not happy for us to do this, that’s no problem – we will accommodate your preferences.

Main principles

The GDPR sets out the key principles that govern how all personal data must be processed.

Data must be:

  • processed lawfully, fairly and transparently
  • collected for specific, explicit and legitimate purposes
  • limited to what is necessary for the purposes for which it is processed
  • accurate and kept up to date
  • held securely
  • only retained for as long as is necessary for the reasons it was collected

There are also stronger rights for individuals regarding their own data.

The individual’s rights include:

  • to be informed about how their data is used
  • to have access to their data
  • to rectify incorrect information
  • to have their data erased
  • to restrict how their data is used
  • to move their data from one organisation to another
  • to object to their data being used at all

New requirements

The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are:

  • Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law
  • Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing and the individual’s rights in relation to their own data
  • Schools will only have a month to comply with subject access requests, and in most cases can’t charge
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
  • There are new, special protections for children’s data
  • The Information Commissioner’s Office must be notified within 72 hours of a data breach
  • Organisations will have to demonstrate how they comply with the new law
  • Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils
  • There are higher fines for data breaches
