Data Protection

Data Protection & the General Data Protection Regulation (GDPR)


We aim to ensure that all personal data collected about staff, pupils, parents, governors, visitors and other individuals is collected, stored and processed in accordance with the UK data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy applies to all personal data, regardless of whether it is in paper or electronic format.

Main principles

Our policy meets the requirements of the UK GDPR following the incorporation of the EU GDPR into UK legislation, with some amendments outlined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the DPA 2018.

It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR. It meets the requirements of the Protection of Freedoms Act 2012 when referring to our use of biometric data (if any). It also reflects the ICO’s code of practice for the use of surveillance cameras and personal information. In addition, this policy complies with regulation 5 of the Education (Pupil Information) (England) Regulations 2005, which gives parents the right of access to their child’s educational record.


  • Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law
  • Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data
  • Schools will have a month to comply with subject access requests – where individuals can request information what personal data is held by the school
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
  • There are new, special protections for children’s data
  • If appropriate, the Information Commissioner’s Office should be notified within 72 hours of a data breach
  • Organisations will have to demonstrate how they comply with the new law
  • Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils

If you have any questions about how Wykebeck Primary handles personal data, please contact our school office and we will be more than happy to discuss this with you.