During the course of our activities, Yew Tree Primary will process personal data (which may be held on paper, electronically, or otherwise) about our staff, children and parents. We recognise the need to treat it in an appropriate and lawful manner, in accordance with the Data Protection Act 1998 (DPA). The purpose of this policy is to make everyone aware of how we will handle personal data. This policy does not form part of any employee's contract of employment and we may amend it at any time.
Data protection principles
We will comply with the eight data protection principles in the DPA, which say that personal data must be:
- Processed fairly and lawfully
- Processed for limited purposes and in an appropriate way
- Adequate, relevant and not excessive for the purpose
- Not kept longer than necessary for the purpose
- Processed in line with individuals' rights
- Not transferred to people or organisations situated in countries without adequate protection
"Personal data" means recorded information we hold from which a person can be identified. It may include
contact details, other personal information, photographs, expressions of opinion about a person or indications
as to our intentions about an individual. "Processing" means doing anything with the data, such as accessing,
disclosing, destroying or using the data in any way.
Fair and lawful processing
We will usually only process personal data where we have consent or where the processing is necessary to
comply with our legal obligations. In other cases, processing may be necessary for the protection of vital
interests, for our legitimate interests or the legitimate interests of others. The full list of conditions is set out
in the DPA.
We will only process "sensitive personal data" about ethnic origin, political opinions, religious or similar beliefs,
trade union membership, health, sexual orientation, criminal proceedings or convictions, where a further
condition is also met. Usually this will mean that an employee or child’s parent has given their explicit consent,
or that the processing is legally required. The full list of conditions is set out in the DPA.
How we are likely to use an employee's personal data
We will process data about staff for legal, personnel, administrative and management purposes in order to
enable us to meet our legal obligations as an employer, for example to compensate, monitor performance
and to confer benefits in connection with their employment.
We may process sensitive personal data relating to staff including, as appropriate:
- Information about an employee's physical or mental health or condition in order to monitor sick leave
and take decisions related to the employee's fitness for work;
- The employee's racial or ethnic origin or religion or similar information in order to monitor compliance
with equal opportunities legislation;
- In order to comply with legal requirements and obligations to third parties.
Processing for limited purposes
We will only process personal data for the specific purpose or purposes notified to staff/parents or for any
other purposes specifically permitted by the DPA.
Adequate, relevant and non-excessive processing
Personal data will only be processed to the extent that it is necessary for specific purposes.
We will keep the personal data we store accurate and up-to-date. Data that is inaccurate or out-of-date will
We will not keep personal data for longer than is necessary for the purpose. This means that data will be
destroyed or erased from our systems when it is no longer required. For guidance on how long certain data
is likely to be kept before being destroyed, contact the Head Teacher.
Processing in line with a person's rights
Employees and parents have the right to:
- Request access to any personal data we hold about them or their child.
- Prevent the processing of their data for direct-marketing purposes.
- Ask to have inaccurate data held about them amended.
- Prevent processing that is likely to cause unwarranted substantial damage or distress.
- Object to any decision that significantly affects them, being taken solely by a computer or other
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal
data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of
collection to the point of destruction. We will only transfer personal data to a third party if the third party
agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised
purposes) of the personal data.
Providing information to third parties
We will not disclose personal data to a third party without consent, unless we are satisfied that they are
legally entitled to the data. Where we do disclose personal data to a third party, we will have regard to the
eight data protection principles.
Subject access requests
If an employee or parent wishes to know what personal data we hold about them/their child, they must
make the request in writing. All such written requests should be forwarded to the Head Teacher.
Breaches of this policy
If a person considers that this policy has not been followed in respect of personal data about themselves or
others, they should raise the matter with the Head Teacher. Any breach of this policy will be taken seriously
and may result in disciplinary action.