General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.

‘Personal data’ means information that can identify a living individual.

Main principles

The GDPR sets out the key principles that all personal data must be processed in line with. Data must be:

  • Processed lawfully, fairly and transparently;
  • Collected for specific, explicit and legitimate purposes;
  • Limited to what is necessary for the purposes for which it is processed;
  • Accurate and kept up to date;
  • Held securely;
  • Only retained for as long as is necessary for the reasons it was collected.                  

There are also stronger rights for individuals regarding their own data. The individual’s rights include:

  • To be informed about how their data is used;
  • To have access to their data;
  • To rectify incorrect information;
  • To have their data erased;
  • To restrict how their data is used;
  • To move their data from one organisation to another; and
  • To object to their data being used at all.

New requirements  

The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are:

  • Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law;
  • Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing and the individual’s rights in relation to their own data;
  • Schools will only have a month to comply with subject access requests, and in most cases can’t charge;
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous;
  • There are new, special protections for children’s data;
  • The Information Commissioner’s Office must be notified within 72 hours of a data breach;
  • Organisations will have to demonstrate how they comply with the new law;
  • Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils.

How We Aim To Achieve This

At Hollinswood Primary School & Nursery we take data protection seriously and aim to ensure we are fully compliant with both the Data Protection Act and the new GDPR legislation. To this end we have undertaken the following actions:

  • We are registered as a Data Controller with the Information Commissioner’s Office - our registration number is Z5419466;
  • We have employed a Data Protection Officer, through a contract with the Local Authority;
  • We have updated our Data Protection Policy, and it is reviewed annually to ensure compliance with legislation. The policy includes the new guidelines on making a data request and the process that parents/carers will need to follow (See below and in School Policies Section);
  • We have updated our Freedom of Information Policy, and it is reviewed annually to ensure compliance with legislation (See below and in School Policies Section);
  • We have completed a data audit of all information received, held or shared by the school. This includes naming an individual who has responsibility for each stream of data, analysing how the data is received and stored, its relevance, and whether we have a legal purpose to hold the data, and ensuring that it is deleted/destroyed at the appropriate time;
  • We have confirmed that the organisations with which we share data are also compliant with the GDPR and Data Protection regulations;
  • We have updated our Privacy Notices (See below and in School Policies Section);
  • Staff, Governors and Volunteers at the school have received training in Data Protection and the new GDPR, and this will be reviewed annually;
  • We have reviewed our legal purposes for holding and using data. Whilst most of the data we use is used under legal obligation (i.e. under the Education Act 1996 or Keeping Children Safe in Education (DfE, September 2021)) and allows us to perform our public task, some data we use is not. In these cases we will always seek parental consent;
  • We have updated our parental consent form to ensure parents can clearly see what is being requested, and can positively opt in;
  • Consent can be withdrawn by the parent, at any time, by contacting the school office: Hollinswood Primary School & Nursery, Dale Acre Way, Hollinswood, Telford, Shropshire, TF3 2EP. Tel: 01952 386920. Email:

Whilst the education of your child is not dependent on your consent being given, we do also ask for consent to certain activities. Whilst this does not fall under the scope of the GDPR, the refusal to give consent to certain requests (i.e. trips and visits, watching a video) could have an impact on your child being included in certain educational activities.


Data Protection Policy (v3.1) - September 2023

Subject Access Request Form - September 2023

Freedom of Information Policy

Information Sharing Policy (v4.2) - September 2023

Data Retention Policy (IRMS Toolkit for Schools - 2019)

Information Security Policy (v4.6) - September 2023

Records Management Policy (v3) - September 2023

Password Management Policy (v5.1) - April 2024



Privacy Notices

Pupils - June 2023

Staff/Workforce - June 2023

Governors - June 2023


Multi-purpose Parental Consent Form