The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to those whose data is held by an organisation (data subjects). These are more detailed and specific than those in the previous Data Protection Act 1988 and place an emphasis on making privacy notices understandable and accessible. Data controllers are expected to take ‘appropriate measures’ to ensure that this is the case. The school interprets this as using very clear language to outline each of the responsibilities for each of the data subject groups. The GDPR says that the information provided to data subjects about how the school processes their personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

These requirements are about ensuring that privacy information is clear and understandable for data subjects. This privacy notice deals with the overall privacy responsibilities of the school but includes, as annexes, the particular notices that apply to parents, pupils under the age of 13, pupils over the age of 13, staff, Governors and alumni. The appropriate annex should be read by the appropriate data subject along with the overarching notice.
Each annex deals with two sources of data: data obtained directly from the subject and data not obtained directly from the subject. For both sources, the identity and contact details of the data handler (and, where applicable, the handler’s representative) and the data protection officer (or privacy officer) are provided.

To read the full document please click here.