Privacy Notice – Parent/Pupil Information

The General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018 (DPA) sets out the law relating to data protection and this privacy notice and the way we handle your personal data is all carried out in accordance with that law.

Under the GDPR and DPA anyone who holds and controls the way in which data is used is known as a data controller. We, Highbury School, are a ‘data controller’ for the purposes of the data protection law.

This privacy notice relates to the pupil and parent information that we collect and process when a child attends our school.

This privacy notice sets out the following information:

The personal data we collect

Why we use this data

Special Category Data

Our legal basis for using this data

Collecting this personal data

How we store this data

Data Sharing – Who we share any personal data with and why

Transferring data internationally

Parents and Pupils’ rights regarding personal data

Other Rights


Contact us

How Government uses your data

The personal data we collect

Personal data that we may collect, use, store and share (when appropriate) about pupils includes, but is not restricted to:        

  • Name, address, date of birth
  • Contact details, contact preferences, identification documents
  • Emergency contact details of parents/carers/relatives
  • Characteristics, such as ethnic background, religious beliefs, eligibility for free school meals, or special educational needs
  • Details of any medical conditions, including physical and mental health conditions
  • Results of internal assessments and externally set tests
  • Pupil and curricular records
  • Exclusion information
  • Attendance information
  • Safeguarding information
  • Details of any support received, including care packages, plans and support providers
  • Photographs
  • CCTV

We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.

Back to the top

Why we use this data

We use this data to:

  • Support pupil learning
  • Monitor and report on pupil progress
  • Provide appropriate pastoral care
  • Protect pupil welfare
  • Assess the quality of our services
  • Administer admissions waiting lists
  • Carry out research
  • Comply with the law regarding data sharing
  • Safeguarding

The personal information is initially used to create the pupil record then information will be taken from that record to create attendance records, class lists, reading groups and other educational records. The personal information is used to track attainment and performance and put any support in place for your child throughout their time in our school.

Some personal information may be input into communication-based apps to allow school to communicate with you about important matters relating to your child and school events, consent will be sought for this separately.

Some information, mainly your child’s name and class/age, may be used in software/applications which your children will use as resources to facilitate their learning. A Data Protection Impact Assessment (DPIA) or other compliance review measures will be conducted, where necessary, before the school uses any new software or applications and your child will be supervised in line with ICT acceptable use policy whilst using the software/application. Where necessary, we will obtain your consent before using software.

Back to the top

Special Category Data

The school collects and processes some personal information that is classed as special category data under the DPA and GDPR. Special category data is personal data that is classed as more sensitive than other personal information and therefore requires greater protection.

The special category data which we may process includes race, ethnic origin, religion and health information.

To lawfully process special category data, we must have a lawful basis under Article 6 GDPR and a separate condition for processing the data under Article 9 GDPR.

Under Article 6 GDPR, the lawful basis for processing health information is that there is a legal obligation on the school to hold, process and, in some instances, share this information to safeguard your child. Article 9(2)(b) is the separate condition for processing the health and medical information of your child for safeguarding purposes.

We may ask you for information about your child’s race, ethnic origin and religion but in most instances, this is optional and therefore by providing this information you are giving your consent for the information being processed by the school. Usually, the only use for this information is that we provide this to the Department for Education on the annual census to understand the demographic of children within the academy/school/local authority area. Further information about personal data that is shared with the DfE and how they use it is set out at the end of this privacy notice.

The legal basis for processing your child’s race, or religion is consent and the separate condition for processing under Article 9(2)(a) is consent.

Back to the top

Our legal basis for using this data

We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:

  • We need to comply with a legal obligation
  • We have obtained your consent to use it in a certain way

Less commonly, we may also process pupils’ personal data in situations where:

  • We need it to perform an official task in the public interest

Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent and explain how consent can be withdrawn.

Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds which justify our use of this data.

This legal basis for collecting and using personal data is set out in Article 6 and Article 9 of the GDPR.

Back to the top

Collecting this personal data

We collect pupil information via the admissions form we ask you to complete before your child starts with us at school or on a Common Transfer File (CTF) from your child’s previous school.  We may collect some of the information via other written methods and, if applicable, will communicate this with you at the time of collection.

Pupil data is essential for us to provide educational services and for operational use. Whilst most of the pupil information you provide to us is mandatory, some of it requested on a voluntary basis. To comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.

We use cookies on our website that track user technical information and preferences – please see further details on our website.

Back to the top

How we store this data

We keep personal information about pupils while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary to comply with our legal obligations. The schedule set out in the Information and Records Management Society’s toolkit for schools sets out how long we keep information about pupils, what we retain and what we dispose of and when. We also have our Records Management and Retention Policy which sets out more information about how long we keep personal information, how we store your information whilst we are processing it and how we dispose of the information when we no longer need it.

Back to the top

Data sharing – who we share any personal data with and why

  • We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.

Where it is legally required, or necessary (and it complies with data protection law) we may share personal information about pupils with:

  • Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
  • The Department for Education – to meet our legal obligation to provide census information (see further information below) and information on attainment and progress.
  • The pupil’s family and representatives – to provide the child’s parents/carers with information about performance, attainment, attendance and behaviour.
  • Educators and examining bodies – externally marked test papers contain pupil names and dates of birth.
  • Our regulator e.g. Ofsted – requires data to analyse performance of the school. On visiting the school, the inspector will ask to see staff applications/references, pupil information, reports and referrals.
  • Suppliers and service providers – to enable them to provide the service we have contracted them for, such as online digital learning environments and our online tracking system.
  • Financial organisations – such as moneyless payment systems, giving parents the facility to pay for dinner money and school trips digitally.
  • Central and local government – termly census data.
  • Our auditors – financial auditors who inspect our school every 3 years.
  • Survey and research organisations – publishing companies and local universities, carrying out case studies on the performance of our pupils. This will usually be pseudonymised data.
  • Health authorities – school nursing team, national NHS data collection of heights and weights initiative for Reception and Year 6 children.
  • Children’s Social Care
  • Security organisations
  • Health and social welfare organisations – if there are medical needs or arrangements for a particular child or if it is in the interests of safeguarding of the child.
  • Professional advisers and consultants – e.g. – Writing moderators for Standards and Testing Agency – who select pupils work to moderate.
  • Police forces, courts, tribunals – these services require access to data should an incident occur to one of our pupils, staff or families.
  • Universities/academies who are working with us to conduct research for purposes that would enhance the provision of education in our setting or provide a better educational experience for children across the country.

Back to the top

Transferring data internationally

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that the organization outside the EEA is compliant with the GDPR. We do not currently transfer personal data to a country outside the EEA and don’t propose to in the future but will liaise directly with any individuals who may move to a country outside the EEA.

Back to the top

Parents and pupils’ rights regarding personal data

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.

Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 13), or where the child has provided consent.

Parents also have the right to make a subject access request with respect to any personal data the school holds about them.

If you make a subject access request, and if we do hold information about you or your child, we will:

  • Give you a description of the data we hold,
  • Tell you why we are holding and processing it, and how long we will keep it for,
  • Explain where we got it from, if not from you or your child,
  • Tell you who it has been, or will be, shared with,
  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this, and
  • Give you a copy of the information in an intelligible form.

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

If you would like to make a request please contact our Data Protection Officer (see details below in the ‘Contact us’ section).

Maintained Schools – Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact the school office

Back to the top

Other rights

Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:

Your right to rectification – you may have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information that you think is incomplete.

Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances. We will only be able to do this in circumstances when the law and/or our policies allow.

Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances. For example:

  • To prevent it being used to send direct marketing.
  • Object to decisions being taken by automated means (by a computer or machine, rather than by a person).
  • In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing.
  • Claim compensation for damages caused by a breach of the data protection regulations.

Your right to data portability – you have the right to ask that we transfer the personal information we hold about you to another educational provider. This will only be done once we have official confirmation of a transfer and will be done directly to the school or academy via the Common Transfer Form.

To exercise any of these rights, please contact our Data Protection Officer.

Back to the top


We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact our Data Protection Officer – see ‘contact us’ section.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

  • Report a concern online at
  • Call 0303 123 1113
  • Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Back to the top

Contact us  

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Data Protection Officer:

Debbie Pettiford from The DP Advice Service Ltd

Back to the top

How Government uses your data 

The pupil data that we lawfully share with the DfE through data collections:

  • underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
  • informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
  • supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to

The National Pupil Database (NPD)

Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the department.

It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

To find out more about the NPD, go to:

Sharing by the Department for Education

The law allows the Department to share pupils’ personal data with certain third parties, including:

  • schools
  • local authorities
  • researchers
  • organisations connected with promoting the education or wellbeing of children in England
  • other government departments and agencies
  • organisations fighting or identifying crime

For more information about the DfE’s NPD data sharing process, please visit:

Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically suppliesdata on around 600 pupils per yearto the Home Office and roughly 1 per year to the Police.

For information about which organisations the DfE has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website:

How to find out what personal information the DfE holds about you

Under the terms of the Data Protection Act 2018, you are entitled to ask the DfE:

  • if they are processing your personal data
  • for a description of the data they hold about you
  • the reasons they’re holding it and any recipient it may be disclosed to
  • for a copy of your personal data and any details of its source

If you want to see the personal data held about you by the DfE, you should make a ‘subject access request’.  Further information on how to do this can be found within the DfE’s personal information charter that is published at the address below:

To contact DfE:

Back to the top

This notice is based on the Department for Education’s model privacy notice for pupils, amended for parents and to reflect the way we use data in this school.