Approved Date: December 2018
Approved By: Governors

Review Date: December 2019

1.      Our Commitment

 Iqra High School is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA). principles/

 Changes to data protection legislation (GDPR May 2018) shall be monitored and implemented in order to remain compliant with all requirements.

 The legal bases for processing data are as follows –

 (a)     Consent: the member of staff/student/parent has given clear consent for the school to process their personal data for a specific purpose.

 (b)     Contract: the processing is necessary for the member of staff’s employment contract or student placement contract.

 (c)     Legal obligation: the processing is necessary for the school to comply with the law (not including contractual obligations)

 The members of staff responsible for data protection are mainly Tahira Parveen (Deputy Head), Kim Van Belois (Senior Management Team) and Ammarah Hakim (Office Manager).  However, all staff must treat all student information in a confidential manner and follow the guidelines as set out in this document.

 The school is also committed to ensuring that its staff are aware of data protection policies and legal requirements, and that adequate training is provided to them through regular training programmes.

 The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services within the school.

 2.      Notification

 Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:

 Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.

 Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.


3.      Personal and Sensitive Data

 All data within the school’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.

 The definitions of personal and sensitive data shall be as those published by the ICO for guidance: definitions/

 The principles of the Data Protection Act shall be applied to all data processed:

  • ensure that data is fairly and lawfully processed
  • process data only for limited purposes
  • ensure that all data processed is adequate, relevant and not excessive
  • ensure that data processed is accurate
  • not keep data longer than is necessary
  • process the data in accordance with the data subject’s rights
  • ensure that data is secure
  • ensure that data is not transferred to other countries without adequate protection.

4.      Fair Processing / Privacy Notice

 We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and pupils prior to the processing of individuals’ data.

Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. transparency-and-control/

There may be circumstances where the school is required either by law or in the best interests of our students or staff to pass information onto external authorities, for example Local Authorities, Department for Education, Exam Boards, Ofsted, or the Department of Health. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.

The intention to share data relating to individuals with an organisation outside of our school shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.

Any proposed change to the processing of an individual’s data shall first be notified to them.

Under no circumstances will the school disclose information or data:

  • that would cause serious harm to the child or anyone else’s physical or mental health or condition
  • indicating that the child is or has been subject to child abuse or may be at risk of it, where the disclosure would not be in the best interests of the child
  • recorded by the pupil in an examination
  • that would allow another person to be identified or identifies another person as the source, unless the person is an employee of the school or a local authority or has given consent, or it is reasonable in the circumstances to disclose the information without consent. The exemption from disclosure does not apply if the information can be edited so that the person’s name or identifying details are removed
  • in the form of a reference given to another school or any other place of education and training, the child’s potential employer, or any national body concerned with student admissions.

 5.      Data Security

 In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.

Risk and impact assessments shall be conducted in accordance with guidance given by the ICO: impact-assessments-code-published/

Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.

The security arrangements of any organisation with which data is shared shall also be considered and, where required, these organisations shall provide evidence of their competence in the security of shared data.

6.      Data Access Requests (Subject Access Requests)

 All individuals whose data is held by us have a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to:


Kim Van Belois

Data Protection Officer

Iqra High School

319 Waterloo Street

Oldham OL4 1ER

No charge will be applied to process the request.

Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child.

Data may be disclosed to the following third parties without consent:

  • Other schools

If a pupil transfers from Iqra High School to another school, their academic records and other data that relates to their health and welfare will be forwarded onto the new school. This will support a smooth transition from one school to the next and ensure that the child is provided for as is necessary. It will aid continuation which should ensure that there is minimal impact on the child’s academic progress as a result of the move.

  • Examination authorities

This may be for registration purposes, to allow the pupils at our school to sit examinations set by external exam bodies.

  • Health authorities

As obliged under health legislation, the school may pass on information regarding the health of children in the school to monitor and avoid the spread of contagious diseases in the interest of public health.

  • Police and courts

If a situation arises where a criminal investigation is being carried out we may have to forward information on to the police to aid their investigation. We will pass information onto courts as and when it is ordered.

  • Social workers and support agencies

In order to protect or maintain the welfare of our pupils, and in cases of child abuse, it may be necessary to pass personal data on to social workers or support agencies.

  • Educational division

Schools may be required to pass data on in order to help the government to monitor the national educational system and enforce laws relating to education.

  • Right to be Forgotten:

Where any personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by the school including any data held by contracted processors.

7.      Photographs and Video

Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school only.

Unless prior consent from parents/pupils/staff has been given, the school shall not utilise such images for publication or communication to external sources.

It is the school’s policy that external parties (including parents) may not capture images of staff or pupils during such activities without prior consent.

8.      Location of information and data:

Hard copy data, records, and personal information are stored out of sight and in a locked cupboard. The only exception to this is medical information that may require immediate access during the school day. This will be stored with the school medical coordinator.

Sensitive or personal information and data should not be removed from the school site; however, the school acknowledges that some staff may need to transport data between the school and their home in order to access it for work in the evenings and at weekends. This may also apply in cases where staff have offsite meetings, or are on school visits with pupils.

9.     Guidelines for Staff

 The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:

  • Paper copies of data or personal information should not be taken off the school site. If these are misplaced they are easily accessed. If there is no way to avoid taking a paper copy of data off the school site, the information should not be on view in public places, or left unattended under any circumstances.

  • Unwanted paper copies of data, sensitive information or pupil files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or pupil by name.

  • Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.

  • If information is being viewed on a PC, staff must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers.

  • If it is necessary to transport data away from the school, it should be downloaded onto a USB stick. The data should not be transferred from this stick onto any home or public computers. Work should be edited from the USB, and saved onto the USB only.

  • USB sticks that staff use must be password protected.

These guidelines are clearly communicated to all school staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.

10. Data Disposal

The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.

All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.

All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.

Disposal of IT assets holding data shall be in compliance with ICO guidance: organisations/documents/1570/it_asset_disposal_for_organisations.pdf


The school has identified a qualified source for disposal of IT assets and collections. The school will ensure that all sensitive data is put through a cross shredder if it is no longer required.


Appendix 1

Collection of Data

 What data is collected?

The categories of pupil information that the school collects, holds and shares include the following:

  • Personal information – e.g. names, pupil numbers and addresses
  • Characteristics – e.g. ethnicity, language, nationality, country of birth and free school meal eligibility
  • Attendance information – e.g. number of absences and absence reasons
  • Assessment information – e.g. national curriculum assessment results
  • Relevant medical information
  • Information relating to SEND
  • Behavioural information – e.g. number of temporary exclusions

Whilst the majority of the personal data you provide to the school is mandatory, some is provided on a voluntary basis. When collecting data, the school will inform you whether you are required to provide this data or if your consent is needed. Where consent is required, the school will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.

How long is your data stored for?

Personal data relating to pupils at Iqra High School and their families is stored in line with the school’s GDPR Data Protection Policy.

In accordance with the GDPR, the school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.

Will my information be shared?

The school is required to share pupils’ data with the DfE on a statutory basis.

The National Pupil Database (NPD) is managed by the DfE and contains information about pupils in schools in England. Iqra High School is required by law to provide information about our pupils to the DfE as part of statutory data collections, such as the school census; some of this information is then stored in the NPD. The DfE may share information about our pupils from the NPD with third parties who promote the education or wellbeing of children in England by:

  • Conducting research or analysis.
  • Producing statistics.
  • Providing information, advice or guidance.

The DfE has robust processes in place to ensure the confidentiality of any data shared from the NPD is maintained.

Iqra High School will not share your personal information with any third parties without your consent, unless the law allows us to do so. The school routinely shares pupils’ information with:

  • Pupils’ destinations upon leaving the school
  • The LA
  • The NHS
  • The DfE

What are your rights?

Parents and pupils have the following rights in relation to the processing of their personal data. You have the right to:

  • Be informed about how Iqra High School uses your personal data.
  • Request access to the personal data that Iqra High School holds.
  • Request that your personal data is amended if it is inaccurate or incomplete.
  • Request that your personal data is erased where there is no compelling reason for its continued processing.
  • Request that the processing of your data is restricted.
  • Object to your personal data being processed.
  • Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.

If you have a concern about the way Iqra High School and/or the DfE is collecting or using your personal data, you can raise a concern with the Information Commissioner’s Office (ICO). The ICO can be contacted on 0303 123 1113, Monday-Friday 9am-5pm.

Where can you find out more information?

If you would like to find out more information about how we and/or the DfE collect, use and store your personal data, please visit our website and view our GDPR Data Protection Policy.


I,                                              , declare that I understand the reason why data for my child                                        (name of child) is being collected:


  • Iqra High School has a legal and legitimate interest to collect and process my personal data in order to meet statutory requirements.
  • How my data is used.
  • Iqra High School may share my data with the DfE, and subsequently the LA.
  • Iqra High School will not share my data to any other third parties without my consent, unless the law requires the school to do so.
  • Iqra High School will always ask for explicit consent where this is required, and I must provide this consent if I agree to the data being processed.
  • My data is retained in line with the school’s GDPR Data Protection Policy.
  • My rights to the processing of my personal data.
  • Where I can find out more information about the processing of my personal data.


Date:                                                             Date:                                     


Signature:                                                       Signature:                                         


Name of Parent/Carer:                                Name of Child:                               


 Appendix 2

Privacy Impact Assessment


What is the aim of the activity?





What data will be collected?






How will the data be collected?






Where will the data be stored?






How will the data be shared?






How will the data be amended or deleted?






Identified risks that include issues, risks to individuals, compliance risks, school risk and possible solutions





Privacy Impact Statement prepared by:




Appendix 3

Subject Access Request Form 

You should complete this form if you want us to supply you with a copy of any personal data we hold about you. You are currently entitled to receive this information under the Data Protection Act 1998 (DPA) and will continue to be under the EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.

We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.

We will endeavour to respond promptly and in any event within one month of the latest of the following:

Our receipt of your written request; or

Our receipt of any further information we may ask you to provide to enable us to comply with your request.

The information you supply in this form will only be used for the purposes of identifying the personal data you are requesting and responding to your request. You are not obliged to complete this form to make a request, but doing so will make it easier for us to process your request quickly.

SECTION 1: Details of the person requesting information 

Full name:




Contact telephone number:


Email address:


SECTION 2: Are you the data subject?

Please tick the appropriate box and read the instructions which follow it.



YES:                   I am the data subject. I enclose proof of my identity (see below).

(please go to section 4)



NO:                    I am acting on behalf of the data subject. I have enclosed the data subject’s written authority and proof of the data subject’s identity and my own identity (see below).

(please go to section 3) 

To ensure we are releasing data to the right person we require you to provide us with proof of your identity and of your address. Please supply us with a photocopy or scanned image (do not send the originals) of one or both of the following:

Proof of Identity

Passport, photo driving licence, national identity card, birth certificate.

Proof of Address

Utility bill, bank statement, credit card statement (no more than 3 months old); current driving licence; current TV licence; local authority tax bill, HMRC tax document (no more than 1 year old).

If we are not satisfied you are who you claim to be, we reserve the right to refuse to grant your request.


SECTION 3: Details of the data subject (if different from section 1)

Full name:




Contact telephone number:


Email address:


SECTION 4: What information are you seeking?


Please describe the information you are seeking. Please provide any relevant details you think will help us to identify the information you require.

Please note that if the information you request reveals details directly or indirectly about another person we will have to seek the consent of that person before we can let you see that information. In certain circumstances, where disclosure would adversely affect the rights and freedoms of others, we may not be able to disclose the information to you, in which case you will be informed promptly and given full reasons for that decision.

While in most cases we will be happy to provide you with copies of the information you request, we nevertheless reserve the right, in accordance with section 8(2) of the DPA, not to provide you with copies of information requested if to do so would take “disproportionate effort”, or in accordance with Article 12 of the GDPR to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”. However, we will make every effort to provide you with a satisfactory form of access or summary of information if suitable.

SECTION 5: Information about the collection and processing of data

If you want information about any of the following, please tick the boxes:

Why we are processing your personal data

To whom your personal data are disclosed

The source of your personal data

SECTION 6: Disclosure of CCTV images

If the information you seek is in the form of video images captured by our CCTV security cameras, would you be satisfied with viewing these images?

YES                                                                    NO


SECTION 7: Declaration

Please note that any attempt to mislead may result in prosecution.

I confirm that I have read and understood the terms of this subject access form and certify that the information given in this application to Oak Tree High School is true. I understand that it is necessary for Oak Tree High School to confirm my / the data subject’s identity and it may be necessary to obtain more detailed information in order to locate the correct personal data.


Signed…………………………………………                                             Date ……………..


Documents which must accompany this application:

 Evidence of your identity (see section 2)

 Evidence of the data subject’s identity (if different from above)

 Authorisation from the data subject to act on their behalf (if applicable)

Please return the completed form to: Data Protection Officer, Kim Van Belois.

Correcting Information

 If after you have received the information you have requested you believe that:

  • the information is inaccurate or out of date; or
  • we should no longer be holding that information; or
  • we are using your information for a purpose of which you were unaware;
  • we may have passed inaccurate information about you to someone else;

then you should notify our Data Protection Officer at once.


Appendix 4

Data Breach Reporting Template


Report prepared by: Date:

On behalf of:

Name Date



Summary of the event and circumstances

When, what, who, summary of incident etc.


Type and amount of personal data

Title or name of the document/s; What personal information is included – Name; Address; DoB; Bank account details; description of information about an individual (health issues; case hearing notes/decisions etc)


Actions taken by recipient when they inadvertently received the information



Actions taken to retrieve information and respond to the breach

Has information been retrieved? When? Has loss been contained? e.g. all emails deleted


Procedures / instructions in place to minimise risks to security of data

(communication, secure storage, sharing and exchange)


Breach of procedure/policy by staff member

Has there been a breach of policy?

Has appropriate management action been taken?


Details of notification to affected data subject

Has a complaint been received from the Data Subject?

Has the data subject been notified? If not, explain why not. What advice has been given to affected data subjects?


Details of Data Protection training provided:

Include date of last training prior to the incident by the staff member breaching security


Procedure changes to reduce risks of future data loss




Serious/minor breach, likelihood of happening again