Cheney School

GDPR Summary

As you are most likely already aware, new data protection regulations are coming into force this week. We are working to ensure we are fully compliant.

At school we have been preparing for this, which has involved auditing what personal data we hold and reviewing what we do with it and with whom we share it. It is important that we now let you know what we do with your son's or daughter's personal data and your child's rights to access this data. We would encourage you to share this with your sons and daughters; however, we will also be covering this as part of the curriculum.


In preparation for the GDPR, I would like to draw your attention to the Privacy Notices for students and parents, which explain how we use your data.


You may also be interested to watch this short video about the GDPR in schools: GDPR Mind Map for Parents - YouTube

As a result of the legislation, we will be contacting you more frequently to check the accuracy of the data we hold. I would be grateful if you could respond promptly to any such requests so that school staff do not waste time chasing parents for responses.

If you have any questions about data protection, please do not hesitate to contact us. 

Below is a brief summary.

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. Personal data means information that can identify a living individual.  The Regulation will apply to all schools from 25 May 2018. 

Main principles

The GDPR sets out the key principles that all personal data must be processed in line with. Data must be:

  • processed lawfully, fairly and transparently
  • collected for specific, explicit and legitimate purposes
  • limited to what is necessary for the purposes for which it is processed
  • accurate and kept up to date
  • held securely
  • only retained for as long as is necessary for the reasons it was collected

There are also stronger rights for individuals regarding their own data. The individual’s rights include:

  • to be informed about how their data is used
  • to have access to their data
  • to rectify incorrect information
  • to have their data erased
  • to restrict how their data is used
  • to move their data from one organisation to another
  • to object to their data being used at all

New requirements

The GDPR is similar to the Data Protection Act 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are: 

  • Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law 
  • Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing and the individual’s rights in relation to their own data
  • Schools will only have a month to comply with subject access requests, and in most cases can’t charge 
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
  • There are new, special protections for children’s data
  • The Information Commissioner’s Office must be notified within 72 hours of a data breach
  • Organisations will have to demonstrate how they comply with the new law
  • Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils
  • Higher fines for data breaches