Data Protection GDPR Policy (DRAFT)










Hollywater School collects and uses personal information (referred to in the General Data Protection Regulation (GDPR) as personal data) about staff, pupils, parents and other individuals who come into contact with the school.

This information is gathered in order to enable the provision of education and other associated functions. In addition, the school may be required by law to collect, use and share certain information.

The school is the Data Controller of the personal data that it collects and receives for these purposes. The school has a Data Protection Officer, Miss Sarah Kitching, who may be contacted by telephone via the school office or by email:


The school issues Privacy Notices (also known as Fair Processing Notices) to all pupils, parents and staff. These summarise the personal information held about pupils and staff, the purpose for which it is held and who it may be shared with. They also provide information about an individual’s rights in respect of their personal data.



This policy sets out how the school deals with personal information correctly and securely and in accordance with the GDPR, and other related legislation.

This policy applies to all personal information however it is collected, used, recorded and stored by the school and whether it is held on paper or electronically.

All staff and governors involved with the collection, use, processing or disclosure of personal data will be aware of their duties and responsibilities and will adhere to this Policy.


What is Personal Information/Data?

Personal information or data means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, by reference to details such as a name, an identification number, location data, an online identifier or by their physical, physiological, genetic, mental, economic, cultural or social identity.

Personal data includes (but is not limited to) an individual’s name, address, date of birth, photograph, bank details and other information that identifies them.


Data Protection Principles

The GDPR establishes six principles as well as a number of additional duties that must be adhered to at all times:

1. Personal data shall be processed lawfully, fairly and in a transparent manner


2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (subject to exceptions for specific archiving purposes)


3. Personal data shall be adequate, relevant and limited to what is necessary to the purposes for which they are processed and not excessive;


4. Personal data shall be accurate and where necessary, kept up to date;


5. Personal data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;


6. Personal data shall be processed in a manner that ensures appropriate security of the personal data.


Data Protection and Safeguarding

UK data protection laws do not prevent or limit us from sharing information to keep children safe. They only require us to share the information appropriately, in line with data protection principles.

Whether we are acting on a disclosure or concern, or responding to requests for information from external agencies, we can share information with the appropriate people if we believe that doing so is likely to support the safeguarding and protection of a child.

Staff must not share information if it may harm a child or put them at risk of harm. Safeguarding information may be 'special category' personal data if it reveals certain characteristics about a person.

We need both a lawful basis and a condition for processing to share special category data. Sharing 'special category' data for the purpose of safeguarding children falls under the 'necessary for reasons of significant public interest on the basis of law' condition. This condition justifies sharing special category personal data about an individual without their consent, either because:

• They cannot give consent

• Obtaining their consent cannot be reasonably expected

• Gaining their consent would place a child at risk


The Data Protection Officer will work alongside the DSLs in school to ensure that any information sharing follows data protection principles, so that it's:

Necessary and proportionate – staff must consider how much information needs to be released.


Processed in a transparent manner – staff need to be transparent with the individual that their information has been shared (whether you seek their consent or not), unless doing so could create or increase the risk of harm. For example, if a pupil makes a report of abuse you wouldn't need their consent to share this information with the appropriate people, but you should help the pupil understand what the next steps will be and who the report will be passed to.


Relevant – staff must consider what's relevant for safeguarding purposes.


Adequate – staff need to make sure the information is of the right quality so it can be understood and relied upon.


Accurate – staff need to make sure the information is up to date, clearly distinguish between fact and opinion, and explain if the information is historical.


Timely – consider the urgency with which you need to share the information, which will usually be as early as possible.


Secure – wherever possible, share the information in an appropriate and secure way as defined by your school's procedure for securely handling personal information.


Recorded – information sharing decisions should be recorded, in line with your school's procedures, whether or not the decision is taken to share. Record the reasons for sharing or not sharing and, where applicable, what's been shared and with whom. This would be recorded with the school system, CPOMS. This is in line with the government guidance on sharing safeguarding information, ng_services.pdf



Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection. Data Controllers have a General Duty of accountability for personal data.



Hollywater School is committed to maintaining the principles and duties in the GDPR at all times. Therefore the school will:

• Inform individuals of the identity and contact details of the data controller


• Inform individuals of the contact details of the Data Protection Officer.


• Inform individuals of the purposes for which personal information is being collected and the basis for this.


• Inform individuals when their information is shared, and why and with whom unless the GDPR provides a reason not to do this.


• If the school plans to transfer personal data outside the EEA the school will inform individuals and provide them with details of where they can obtain details of the safeguards for that information.

• Inform individuals of their data subject rights.

• Inform individuals that they may withdraw consent (where relevant) and that, if consent is withdrawn, the school will cease processing their data, although that will not affect the legality of data processed up until that point.

• Provide details of the length of time an individual’s data will be kept.

• Should the school decide to use an individual’s personal data for a different reason to that for which it was originally collected the school shall inform the individual and where necessary seek consent.

• Check the accuracy of the information it holds and review it at regular intervals.

• Ensure that only authorised personnel have access to the personal information whatever medium (paper or electronic) it is stored in.

• Ensure that clear and robust safeguards are in place to ensure personal information is kept securely and to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.

• Ensure that personal information is not retained longer than it is needed.

• Ensure that when information is destroyed, this is done appropriately and securely.

• Share personal information with others only when it is legally appropriate to do so.

• Comply with the duty to respond to requests for access to personal information (known as Subject Access Requests).

• Ensure that personal information is not transferred outside the EEA without the appropriate safeguards.

• Ensure that all staff and governors are aware of and understand these policies and procedures.



Complaints will be dealt with in accordance with the school’s complaints policy. Complaints relating to the handling of personal information may be referred to the Information Commissioner who can be contacted at:

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or at



This policy will be reviewed annually. The policy review will be undertaken by the Data Protection Officer and/or the Headteacher.



If you have any enquiries in relation to this policy, please contact Miss Sarah Kitching, the Data Protection Officer, or the Headteacher, who will act as the contact point for any questions, concerns or for more information.


Approved by: Chair of Governors Silas Jones

Headteacher: Steph Clancy

Date: June 2021

Amended November 2021 and reviewed on: November 2021

Next review due by: (Annually) November 2022