GDPR in Our Primary School
We take data protection extremely seriously. Our school follows the UK GDPR and the Data Protection Act 2018, as well as the most recent updates introduced through the Data (Use and Access) Act 2025. These laws set out how we collect, use, store and share personal data to keep pupils, families and staff safe.
What GDPR Means for Primary Schools
The Department for Education states that schools must have clear policies and procedures to protect personal data, respond to breaches and process information securely.
This includes pupil records, safeguarding information, assessment data, staff details and digital learning accounts. [gov.uk]
The ICO also notes that schools must take special care when processing children’s personal data and ensure information is written in language they can understand. [ico.org.uk]
How We Protect Personal Data
We follow national guidance for schools, including:
1. Lawful and Fair Use of Data
We only collect information that we need for education, safeguarding, attendance and school operations. Schools are permitted to process data under lawful bases including public task (for core educational duties). [schoolpro.uk]
2. Secure Storage and Systems
The DfE requires schools to follow good practices to prevent personal data breaches and maintain strong security measures. [gov.uk]
3. Training for Staff
Staff receive regular training to ensure they understand GDPR responsibilities and know how to handle data safely, as recommended by government guidance. [gov.uk]
4. Clear Policies and Procedures
We maintain a Data Protection Policy, Privacy Notices and Acceptable Use Agreements, all aligned with UK GDPR and DfE expectations.
Subject Access Requests (SARs)
Parents and (where appropriate) pupils have the right to request a copy of the personal data we hold. Recent updates to the law allow schools to pause the 1‑month response timeframe while waiting for clarification about the request.
Searches must now be “reasonable and proportionate” rather than exhaustive.
Sharing Data
We only share data with other organisations when:
- There is a lawful basis (e.g., local authority duties, safeguarding, DfE census).
- It is necessary for education or wellbeing.
- Proper security measures are in place.
Government guidance outlines who schools can share with and what consent is needed (e.g., for photos or publishing information). [gov.uk]
Data Breaches
If personal data is lost, accessed without permission or disclosed incorrectly, we follow the DfE and ICO process to:
- Contain the breach
- Assess risk
- Notify affected individuals where required
- Report to the ICO when legally necessary
[gov.uk]
Children's Data Rights
The ICO states that children must be given clear explanations about how their data is used, and schools must provide higher levels of protection for under‑18s. [ico.org.uk]
Children have the right to:
- Understand how their data is used
- Access their own personal data (if mature enough)
- Request corrections
- Object to certain uses (where applicable)
- Expect their data to be kept secure
Our Data Protection Officer
If you have any questions or concerns, or would like more information about the content of the School's Pupil and Parent Privacy Notice, please contact the School Business Manager in the first instance via the school office on 020 8 888 2780 or email admin@earlham.haringey.sch.uk.
We have appointed a data protection officer (DPO) to oversee compliance with data protection and our Privacy Notice. If you have any questions about how we handle your personal information which cannot be resolved by the School Business Manager, then you can contact the DPO using the details provided below.
The Data Protection Officer (DPO) is responsible for overseeing data protection for the school. If you have any further questions regarding this, please contact Judicium.
Judicium Consulting Limited
72 Cannon Street
London EC4N 6AE
