Data Protection


Data protection legislation sets out rules and standards for the collection, use and storage of information relating to living identifiable individuals. The current legislation in the UK is the Data Protection Act 1998 (DPA).  From 25 May 2018, this will be replaced by the General Data Protection Regulation (GDPR). Both pieces of legislation are based around the notions of principles, rights and responsibilities.The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. ‘Personal data’ means information that can identify a living individual. The regulation will apply to all schools from 25 May 2018, and will apply even after the UK leaves the EU. The legislation is regulated by the Information Commissioner’s Office as well as the courts.


The DPA applies to some paper records as well as those held in electronic form. It imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data are:

  1. processed fairly and lawfully and only if certain conditions are met;
  2. obtained for specified and lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate and where necessary kept up-to-date;
  5. not kept for longer than necessary;
  6. processed in accordance with an individual’s rights;
  7. kept in a secure manner;
  8. not transferred outside of the EEA without adequate protection.

These principles broadly are carried through into the GDPR, though they are expressed somewhat differently. There are also stronger rights for individuals regarding their own data. The individual’s rights include:

  • to be informed about how their data is used
  • to have access to their data
  • to rectify incorrect information
  • to have their data erased
  • to restrict how their data is used
  • to move their data from one organisation to another, and
  • to object to their data being used at all

Our Privacy Notice sets out how and why we hold and use personal data.

Privacy Notice (Pupils)

Chagford Church of England Primary School collects and holds personal information relating to our pupils and may also receive information about them from their previous school, local authority and/or the Department for Education (DfE). Collecting information about you or your child helps us give you the support and care that you need.  For example, if your child has special educational needs, we need to know what those needs are so that we can tailor our support to those needs. The information and data that we gather also helps us to fulfil our requirements, measure our performance, and make decisions based on relevant statistics.  We never use statistics in a way that identifies you or your child.

The categories of pupil information that we collect, hold and share include:

  • Personal information (such as name, unique pupil number and address)
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
  • Attendance information (such as sessions attended, number of absences and absence reasons)
  • Assessment information
  • Relevant medical information
  • Special educational needs information
  • Information about exclusions or behavioural information
  • Information about payments for school meals, and consents for trips

Why we collect and use this information

We use the pupil data:

  • to support pupil learning
  • to monitor and report on pupil progress
  • to provide appropriate pastoral care
  • to assess the quality of our services
  • to comply with the law regarding data sharing

The lawful basis on which we use this information

In order to process personal data lawfully, we will obtain the individual’s explicit consent, or the processing must be necessary for one of the following:

  • Fulfilling a contract with the individual
  • Compliance with a legal obligation
  • Protecting vital interests, i.e. to protect someone’s life
  • Performing a task in the public interest or in the exercise of your official authority (sometimes referred to as the ‘public task’ basis)

The age for children to consent to the processing of their personal data online will be 13 years old in the UK.

Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.

Storing pupil data

We hold pupil data in accordance with the ICO guidance on storing documents.

Who we share pupil information with

We routinely share pupil information with:

  • schools that the pupils attend after leaving us
  • our local authority
  • third party agencies who provide professional support services e.g. Babcock LDP Educational Wefare
  • the Department for Education (DfE)
  • School Nurse where relevant or NHS where relevant
  • Dartmoor Multi Academy Trust
  • Third Party agencies including:
    • Capita SIMS
    • School Gateway
    • Tapestry (for foundation stage only)
    • School Pupil Tracker Online
    • Cool Milk (for free school milk for under 5s)
    • Microsoft Office 365
    • Scomis (DCC School’s ICT Support)

As a commitment to transparency, anytime we add new agencies or parties, we will disclose this information on this webpage and send you a notification about this change.

Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Data collection requirements:

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested: and
  • the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:

To contact DfE:

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at


If you would like to discuss anything in this privacy notice, please contact Liz Wiseman, Executive Headteacher via