Changes to Data Protection Legislation


The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which determines how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. This Privacy Notice explains how the school will use (or “process”) personal data about individuals, including current, past and prospective pupils and their parents, carers or guardians (referred to in this policy as “parents”). Thomas’s Academy is the ‘data controller’ for the purposes of Data Protection Law which means it determines how an individual’s personal data is processed and for what purposes. Thomas’s Academy has allocated the role of Data Protection Officer to Clare James, our Deputy Head, who, in conjunction with the Head Teacher and the Academy Governors, will deal with all requests and enquiries and aim to ensure that all personal data is processed in compliance with this policy and Data Protection Law.


The GDPR sets out the key principles that all personal data must be::


• Processed lawfully, fairly and transparently,
• Collected for specific, explicit and legitimate purposes
• Limited to what is necessary for the purposes for which it is processed
• Accurate and kept up to date
• Held securely
• Only retained for as long as it necessary for the reasons it was collected


The personal data the School holds:


Personal data about pupils and parents that maybe collected, used, stored and shared (when appropriate) includes, but is not restricted to:


• Contact details, contact preferences, date of birth, identification documents
• Results of internal assessments and national assessments (EYFS and SATs)
• Pupil and curricular records
• Characteristics, such as ethnicity, language, nationality, country of birth, free school meal eligibility and/or special educational needs
• Exclusion information
• Details of any medical conditions, including physical and mental health
• Attendance information
• Safeguarding information
• Details of any support received, including care packages, plans and support providers
• Photographs
• CCTV images captured in school
• Bank details and other financial information (eg about those who pay top-up fees to the school in Nursery)


We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.


Why we use this data


• To confirm the identity of prospective pupils and their parents
• To provide educational services and support pupil learning
• To monitor and report on pupil progress
• To safeguard pupils’ welfare and provide appropriate pastoral care
• To celebrate achievements and events
• To monitor (as appropriate) use of the school’s IT and communication systems in accordance with the school’s IT acceptable use and online safety policies
• For security purposes
• To assess the quality of our services
• To carry out research and statistical analysis
• To give and receive information and references about past, current and prospective pupils to/from any educational institution that the pupil attended or where it is proposed they attend.
• To comply with the law regarding data sharing




Our legal basis for using this data


We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:


• we need to comply with a legal obligation
• we need to process it for the legitimate interests of the school
• we need it to perform an official task in the public interest


Less commonly, we may also process pupils’ personal data in situations where:


• we have obtained consent to use it in a certain way
• we need to protect the individual’s vital interests (or someone else’s interests)


Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn. Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.


Some of the reasons listed above for collecting and using pupils’ and parents’ personal data overlap, and there may be several grounds which justify our use of this data.


How we store this data


We keep personal information about pupils while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary in order to comply with our legal obligations.


Data sharing


We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.


We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.


Where it is legally required or necessary (and it complies with data protection law) we may share personal information about pupils with:


• Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
• The Department for Education
• The pupil’s family and representatives
• Educators and examining bodies
• Our regulator – Ofsted or HMI inspection teams
• Suppliers and service providers – to enable them to provide the service we have contracted them for
• Central and local government
• Our auditors
• Survey and research organisations
• Health authorities
• Security organisations
• Health and social welfare organisations
• Professional advisers and consultants
• Charities and voluntary organisations, including Thomas’s Schools’ Foundation and the CAIRN Trust
• Police forces, courts, tribunals
• Professional bodies


National Pupil Database


The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.


We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.


To find out more about the NPD, go to The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:


• conducting research or analysis
• producing statistics
• providing information, advice or guidance


The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:


• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested: and
• the arrangements in place to store and handle the data


To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.


For more information about the department’s data sharing process, please visit:


For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:


To contact DfE:


Transferring data internationally


Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.


Parents and pupils rights regarding personal data


Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, please contact the Head Teacher


You also have the right to:


• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations


If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at


Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.


Pupils can make subject access request for their own personal data provided that, in the reasonable opinion of the school, they have sufficient maturity to understand the request they are making. This is generally considered to be age 13 and above although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Slightly younger children may also be sufficiently mature to have a say in this decision. Parents can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data.


A pupil of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. All information requests from, or on behalf of, pupils – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.


While a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger pupils, the information in question is always considered to be the child’s at law.


Parents also have the right to make a subject access request with respect to any personal data the school holds about them.


If you make a subject access request, and if we do hold information about you or your child, we will:


• Give you a description of it
• Tell you why we are holding and processing it, and how long we will keep it for
• Explain where we got it from, if not from you or your child
• Tell you who it has been, or will be, shared with
• Let you know whether any automated decision-making is being applied to the data, and any consequences of this
• Give you a copy of the information in an intelligible form within a month of the request being made


If you would like to make a request, please contact the Head Teacher.


Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.


Requests for access to a child’s educational record should be made in writing to the Head Teacher.


In addition to the right to make a subject access request (see above) individuals also have the right to:

• Withdraw their consent to processing at any time (where consent is the lawful reason for processing
• Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances)
• Prevent use of their personal data for direct marketing
• Challenge processing which has been justified on the basis of public interest
• Request a copy of agreements under which their personal data is transferred outside of the European Economic Area
• Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them)
• Prevent processing that is likely to cause damage or distress
• Be notified of a data breach in certain circumstances
• Make a complaint to the ICO
• Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)
• To claim compensation for damages caused by a breach of the data protection regulations


To exercise any of these rights, please contact the Head Teacher.


Contact us


Any Subject Access Request or enquiry about the use of personal data or about anything mentioned in this privacy notice should be made to the Head Teacher.


• 0207 736 2318




Any complaints about our collection and use of personal information are taken very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance at the above address.


Alternatively, you can make a complaint to the Information Commissioner’s Office:


• Report a concern online at:
• Call 0303 123 1113
• Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF




This Privacy Notice has been informed by:
DfE Model Privacy Notice for pupils
ISBA GDPR Template Privacy Notice (December 2017)