The head and chair of governors in all schools are the Data Controllers for their organisation. With the role come a number of statutory tasks that have to be fulfilled to remain compliant with the Data Protection Act 1998.
Data Protection Resources for schools
There are a number of tools that can help you to fulfil your responsibilities:
ICO Data Protection Self-Assessment Toolkit:
Barnet Council Data Protection Handbook
Barnet Council’s Information Management Team has produced a Handbook to assist schools in implementing good practice around information management and in helping them to ensure they stay compliant with current data protection law, which we have attached in the enclosure section. The Handbook is not a replacement for the IM policies and procedures each school should have in place but it will offer you an introduction to and overview over the areas you need to cover.
You can find the Schools Information Management Handbook, as well as a number of Barnet Council Information Management policies and guidance here:
If you have any further questions, please direct them to Alexandra West in the first instance (firstname.lastname@example.org).
Link to ICO
The Information Commissioner's Office (ICO) is the UK’s independent authority to uphold information rights in the public interest.
Their website provides a wealth of information for organisations and individuals alike and schools should be familiar with the tools available on the site. For information more specifically for education, please see the following link:
All schools are required to make Privacy Notices available to the parents/carers/young people on whom they store information on their Management Information Systems.
The purpose of a Privacy Notice is to tell the individuals’ whose information you are collecting what you are going to do with their information, how you are going to store it, use it and with whom you will share it.
A good Privacy Notice provides the above and more. You can also inform your data subjects what their rights are and where to find more information. For help with Privacy Notices, please see the toolkit provided by the ICO:
Or the Barnet Council Schools Handbook on Data Protection:
SARs and FOIs
Subject Access Requests (SARs):
We administer and monitor the process of requests to our service made by clients (members of the public) who want to find out what information we hold on them. All requests from the public are passed to our team on receipt to deal with on behalf of the Education & Skills Service. We have a maximum of 40 calendar days to process a SAR and responses should not be deliberately or unjustifiably delayed. We notify all staff once a new SAR has been logged and all staff are responsible for ensuring that they have undertaken thorough checks for data on an individual, including searching all systems and filing processes to locate the information that is being sought. Where data exists, it must be sent to the team who read through and prepare the document for disclosure. Third party and legally privileged data is identified and redacted as necessary before the information can be released to the requestor.
Schools (including academies and free schools) are considered under the DPA to be public authorities in their own rights and are subject to the DPA in the same way as the council.
Freedom of Information Act requests (FOIs):
The FOIA gives the public the right to access recorded information held by any public authority. The Act does not give people access to their own personal data (information about themselves). Anyone can make a freedom of information request – they do not have to be UK citizens, or resident in the UK. Freedom of information requests can also be made by organisations, for example, a newspaper, a campaign group or a company. Any such requests are always passed to our team, to deal with on behalf of the Education & Skills Service. We have 20 working days to process requests and responses should not be deliberately or unjustifiably delayed.
Schools (including academies and free schools) are considered under the FOIA to be public authorities in their own rights and are subject to the FOIA in the same way as the council.
SARs and FOIs in schools
Please refer to the Barnet Council Information Management Handbook for information on how to deal with SARs and FOIs in your school.
Or the ICO website:
Last updated 1 September 2016