Data Protection

General Data Protection Regulation 2018

The General Data Protection Regulation 2018 controls how your personal and sensitive information is used by organisations, businesses and the government. It applies to all countries covered by EU law.

Everyone responsible for processing data (i.e. anything done to or with the data, including collecting, storing or deleting it) has to follow strict guidelines called ‘data protection principles’. They must make sure the information is:

  • Used fairly, lawfully and in a transparent way
  • Used for specific, explicit and legitimate purposes
  • Used in a way that is adequate, relevant and limited to what is necessary
  • Accurate
  • Kept for no longer than is absolutely necessary
  • Handled according to people’s data protection rights
  • Handled in a safe and secure way
  • Not transferred outside the European Economic Area without adequate protection

The Freedom of Information Act 2000

The Freedom of Information Act 2000 provides public access to information held by public authorities.

It does this in two ways:

  • public authorities are obliged to publish certain information about their activities; and
  • members of the public are entitled to request information from public authorities.

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the General Data Protection Regulation 2018.

Privacy Notice

Privacy Notice (How we use pupil information)

The categories of pupil information that we collect, hold and share include:

  • Personal information (such as name, unique pupil number and address)
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
  • Attendance information (such as sessions attended, number of absences and absence reasons)
  • Special Educational Needs information (such as category of need, EHCPs)
  • Medical information (such as medical needs, notes from doctors)
  • Behavioural information (such as exclusions)
  • Assessment information (academic, vocational and social assessments)

Why we collect and use this information

We use the pupil data:

  • to support pupil learning
  • to monitor and report on pupil progress
  • to provide appropriate pastoral care
  • to assess the quality of our services
  • to comply with the law regarding data sharing

The lawful basis on which we use this information

We need to collect and use pupil information in order to comply with the relevant legislation for providing education to a child, including the Education Act 2006, the Education and Inspections Act 2006, and the Children’s Acts 1989 and 2004. Our lawful basis for processing is therefore that we have a statutory obligation, as defined by Article 6(1)(c) of the General Data Protection Regulation (GDPR).

Some of the information we need to hold is classed as special category information – primarily ethnicity, gender and any health conditions. Our legal basis for processing this data is provided by Article 9(2)(b) of GDPR.

Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis – for example the use of permission slips for days out, and photographs or digital media to record such events. We will inform you whether you are required to provide certain pupil information to us or, if you have a choice in this, will respect your right to refuse to provide information.

Storing pupil data

We hold pupil data for the time that they remain in school. For pupils who transfer to another school or academy we transfer the information to the new establishment. For secondary aged pupils who leave at the end of their school life we retain the information until the pupil reaches their 25th birthday.

All information is held securely with physical, organisational and electronic access controls to safeguard the information both at rest and when in transit.

Who we share pupil information with

We routinely share pupil information with:

  • schools/academies that the pupils attend after leaving us
  • the Local Authorities covering our Trust area
  • the Department for Education (DfE)
  • NHS
  • External providers of medical and safeguarding services

Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. We will always seek your positive consent to share information if there is no legal basis to share.

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with the DfE under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Data collection requirements:

To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census) go to

Youth support services

Pupils aged 13+

Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

  • youth support services
  • careers advisers

A parent or guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child / pupil once he/she reaches the age of 16.

Pupils aged 16+

We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

  • post-16 education and training providers
  • youth support services
  • careers advisers

For more information about services for young people, please visit our local authorities’ websites.

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested; and
  • the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

For information about which organisations the department has provided pupil information to (and for which project), please visit the following website:

To contact DfE:

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact Karen Raine, Corporate Business Manager (

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at


If you would like to discuss anything in this privacy notice, please contact:

Karen Raine, Corporate Business Manager (


The Trust’s Data Protection officer can be contacted via any of the following methods:


Telephone: 0191 520 5555,

or Post: Data Protection Officer, Governance Services, Civic Centre, PO Box 100, Sunderland SR2 7DN