Risley Lower Grammar


A brief summary of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.


About Data Protection


The General Data Protection Regulation (GDPR) and the Data Protection Act 2018, replace the Data Protection Act 1998. The core principles of the new Acts remain largely the same as the previous Act with a few key updates designed to reflect the changes in how we use personal data since the original DPA was written.

With these updates to the law come new requirements for data controllers and processors in terms of protecting people’s personal data and respecting their rights. The various updates and changes brought by GDPR can be categorised into three main step changes;


1.    Transparency - means telling people more about what we are doing with their personal data. This will largely happen in your updated Privacy Notice, which is the most outwardly visible sign of your compliance with the GDPR.

2.    Control - means giving people more control over what we do with their data. The GDPR gives people new rights, such as the right to erasure and the right to rectification. This should not impact too much on schools as they are not absolute rights. If you have a compelling reason to keep the records (such as a legal obligation) you are not required to erase all records relating to an individual.

3.    Accountability - while we have always been required to comply with the principles set out in the Data Protection Act, we must now comply and also be able to demonstrate how we comply with the principles set out In the GDPR. This means we must have a heightened awareness of the data processing activities we are involved in, know clearly what the legal basis for it is, and keep detailed records of it all to prove it.


Data Protection Framework for Schools (Reviewed June 2023)


1. Data Protection Policy - June 2023

2. Privacy Notice (Pupils) - June 2023

3. Privacy Notice (Workforce) - June 2023

4. School Guidelines on Records Retention Periods - June 2023

5. Social Media Policy - July 2023

6. Bring Your Own Device Procedure - June 2023

7. IT Security and Acceptable Use Policy - July 2023

8. Off Site Working Procedure - June 2023

9. CCTV Policy - not applicable

10. Privacy Notice (Governors) - June 2023

11. Special Category Data Policy - July 2023

13. Remote Learning Policy - June 2023

DP Framework


Privacy Notice - DfE School Attendance Data Collection