Reminder - If you have moved or changed your telephone number, please come to the School office
Home Page

Maytree Nursery andInfants' SchoolCaring, Sharing, Aiming High

Welcome toMaytree Nursery andInfants' SchoolCaring, Sharing, Aiming High

Data Protection Policy



Data protection advice for school –ICO


Maytree Nursery and Infants School collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations.


Personal information is any information that relates to a living individual who can be identified from the information. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.


Schools have a duty to be registered, as Data Controllers, with the Information Commissioner’s Office (ICO) detailing the information held and its use. These details are then available on the ICO’s website. Schools also have a duty to issue a Fair Processing Notice to all pupils/parents. This notice summarises the information held on pupils, why it is held and the other parties to whom it may be passed on.




This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998, and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically.

All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.


The Data Controller and the Designated Data Controllers


The School as a body corporate is the Data Controller under the 1998 Act, and the Governors are therefore ultimately responsible for implementation. However, the Designated Data Controllers will deal with day to day matters.

The School has three Designated Data Controllers: They are the Headteacher, the School Business Manager and Headteacher’s personal assistant.


Legal Requirements




The school must be registered as a Data Controller on the Data Protection Register held by the Information Commissioner and each school is responsible for their own registration:


Information for Data Subjects (Parents, Staff)

In order to comply with the fair processing requirements of the DPA, the school will inform parents / carers of all pupils / students and staff of the data they collect, process and hold on the pupils / students, the purposes for which the data is held and the third parties (eg LA, DfE, etc) to whom it may be passed. This privacy notice will be passed to parents / carers through a letter and posted on the school website. More information about the suggested wording of privacy notices can be found on the DfE website:


What is Personal Information?

Personal information or data is defined as data which relates to a living individual who can be identified from that data, or other information held.


Data Protection Principles

The Data Protection Act 1998 establishes eight enforceable principles that must be adhered to at all times:


  • Principle 1 - Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless specific conditions for processing are met.
  • Principle 2 - Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Principle 3 - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Principle 4 - Personal data shall be accurate, and, where necessary, kept up to date.
  • Principle 5 - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Principle 6 - Personal data shall be processed in accordance with the rights of individuals under this Act.
  • Principle 7 - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, or destruction of, or damage to, personal data.
  • Principle 8 - Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.


General Statement

The school is committed to maintaining the above principles at all times. Therefore the school will:


  • Inform individuals why the information is being collected when it is collected
  • Inform individuals when their information is shared, and why and with whom it was shared
  • Check the quality and the accuracy of the information it holds
  • Ensure that information is not retained for longer than is necessary
  • Ensure that when obsolete information is destroyed that it is done so appropriately and securely, by shredding or archiving the information as recommended by the Records Management Society
  • Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded
  • Ensure CCTV systems are used in compliance with the DPA
  • Share information with others only when it is legally appropriate to do so
  • Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests
  • Ensure our staff are aware of and understand our policies and procedures


Authorised disclosures

The school will, in general, only disclose data about individuals with their consent. However there are circumstances under which the school's authorised officer may need to disclose data without explicit consent for that occasion.

These circumstances are strictly limited to:

  • Pupil data disclosed to authorised recipients related to education and administration necessary for the school to perform its statutory duties and obligations. Pupil data disclosed to authorised recipients in respect of their child's health, safety and welfare
  • Pupil data disclosed to parents or guardians in respect of their child's progress, achievements, attendance, attitude or general demeanour within or in the vicinity of the School.
  • Staff data disclosed to relevant authorities e.g. in respect of payroll and administrative matters.
  • Unavoidable disclosures, for example to an engineer during maintenance of the computer system. In such circumstances the engineer would be required to sign a form promising not to disclose the data outside the school.
  • Only authorised and trained staff are allowed to make external disclosures of personal data. Data used within the school by administrative staff, teachers and welfare staff will only be made available where the person requesting the information is a professional legitimately working within the school who need to know the information in order to do their work. The school will not disclose anything on pupils' records which would be likely to cause serious harm to their physical or mental health or that of anyone else.


A "legal disclosure" is the release of personal information from the computer to someone who requires the information to do his or her job within or for the school, provided that the purpose of that information has been registered.


An "illegal disclosure" is the release of information to someone who does not need it, or has no right to it, or one which falls outside the school's registered purposes.


Responsibilities of Staff

All staff are responsible for:


  • Checking that any information that they provide to the School in connection with their employment is accurate and up to date
  • Informing the School of any changes to information that they have provided, e.g. change of address, either at the time of appointment or subsequently

The School cannot be held responsible for any errors unless the staff member has informed the School of such changes.

If and when, as part of their responsibilities, staff collect information about other people(e.g. about a pupil’s course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff set out in the Schools Data Protection Code of Practise.


Data Security


All staff are responsible for ensuring that:

  • Any personal data that they hold is kept securely
  • Personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party

Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Personal information should:

  • Be kept in a locked filing cabinet, drawer, or safe; or
  • If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up; and
  • If a copy is kept on a diskette or other removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.


Rights to Access Information

All staff, parents and other users are entitled to:

  • Know what information the School holds and processes about them or their child and why
  • Know how to gain access to it
  • Know how to keep it up to date
  • Know what the School is doing to comply with its obligations under the 1998 Act


his Policy document and the School’s Data Protection Code of Practise address in particular the last three points above. To address the first point, the School will, upon request, provide all staff and parents and other relevant users with a statement regarding the personal data held about them. This will state all the types of data the School holds and processes about them, and the reasons for which they are processed.


All staff, parents and other users have a right under the 1998 Act to access certain personal data being kept about them or their child either on computer or in certain files. Any person who wishes to exercise this right should complete the Subject Access Request Form and submit it to the Designated Data Controller.


The School will make a charge of £10 on each occasion that access is requested, although the School has discretion to waive this.


The School aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days, as required by the 1998 Act.


Subject Consent


In many cases, the School can only process personal data with the consent of the individual.


In some cases, if the data is sensitive, as defined in the 1998 Act, express consent must be obtained. Agreement to the School processing some specified classes of personal data is a condition of acceptance of employment for staff. This included information about previous criminal convictions.


Jobs will bring the applicants into contact with children. The School has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job.


The School has a duty of care to all staff and students and must therefore make sure that employees and those who use School facilities do not pose a threat or danger to other users.


The School may also ask for information about particular health needs, such as allergies to particular forms of medication, or any medical condition such as asthma or diabetes. The School will only use this information in the protection of the health and safety of the individual, but will need consent to process this data in the event of a medical emergency, for example.


Processing Sensitive Information


Sometimes it is necessary to process information about a person’s health, criminal convictions, or race. This may be to ensure that the School is a safe place for everyone, or to operate other School policies, such as the Absence Policy or the Equal Opportunities Policy.

Because this information is considered sensitive under the 1998 Act, staff (and pupils where appropriate) will be asked to give their express consent for the School to process this data. An offer of employment may be withdrawn if an individual refuses to consent to this without good reason.


Publication of School Information

Certain items of information relating to School staff will be made available via searchable directories on the public Web site, in order to meet the legitimate needs of researchers, visitors and enquirers seeking to make contact with the School.


Transporting, Storing and Deleting personal Data

The policy and processes of the school will comply with the guidance issued by the ICO


Information security - Storage and Access to Data


Technical Requirements

  • The school will ensure that ICT systems are set up so that the existence of protected files is hidden from unauthorised users and that users will be assigned a clearance that will determine which files are accessible to them. Access to protected data will be controlled according to the role of the user. Members of staff will not, as a matter of course, be granted access to the whole management information system
  • Personal data may only be accessed on machines that are securely password protected. Any device that can be used to access data must be locked if left (even for very short periods) and set to auto lock if not used for five minutes
  • All storage media must be stored in an appropriately secure and safe environment that avoids physical risk, loss or electronic degradation
  • Personal data can only be stored on school equipment (this includes computers and portable storage media (where allowed). Private equipment (i.e. owned by the users) must not be used for the storage of personal data
  • The school has an on-site server for curriculum data management and a separate server for administration. Backups for the curriculum server are the responsibility of the ICT Technician and the administration server backups are checked remotely by IT Services. In 2017 the school plans to move to cloud based back- ups which comply with current legislation


Portable Devices

When personal data is stored on any portable computer system, USB stick or any other removable media:

  • the data must be encrypted and password protected
  • the device must be password protected (many memory sticks /cards and other mobile devices cannot be password protected)
  • the data must be securely deleted from the device, in line with school policy (below) once it has been transferred or its use is complete.



All users will use strong passwords which must be changed regularly. User passwords must never be shared. It is advisable NOT to record complete passwords, but prompts could be recorded.



  • Images of pupils will only be taken or stored on school equipment. These will only be used in line with the signed authority of parents or carers.
  • Images will be protected and stored in a secure area.


Cloud Based Storage

The school has clear policy and procedures for the use of “Cloud Based Storage Systems” (for example dropbox, google apps and google docs) and is aware that data held in remote and cloud storage is still required to be protected in line with the Data Protection Act. The school will ensure that it is satisfied with controls put in place by remote / cloud based data services providers to protect the data.


Third Party data transfers

As a Data Controller, the school is responsible for the security of any data passed to a “third party”. Data Protection clauses will be included in all contracts where data is likely to be passed to a third party.


School Websites

Uploads to the school website will be checked prior to publication ensure that personal data will not be accidently disclosed and that images uploaded only show pupils where prior permission has been obtained.



Emails cannot be regarded on its own as a secure means of transferring personal data.

E-mails containing sensitive information will be sent by password protected document.


Retention of Data

The School has a duty to retain some staff and pupil personal data for a period of time following their departure from the School, mainly for legal reasons, but also for other purposes such as being able to provide references or academic transcripts.

Different categories of data will be retained for different periods of time.



Complaints about the above procedure should be made to the school under its Complaints Policy. If the complaint is not resolved satisfactorily once this procedure has been followed the complaint may then be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.



If you have any enquires in relation to this policy, please contact the Business Manager who will also act as the contact point for any subject access requests.

Further advice and information is available from the Information Commissioner’s Office at:



Compliance with the 1998 Act is the responsibility of all members of the School. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or even to a criminal prosecution