GDPR & Privacy

Data Protection and Privacy (UK GDPR)

At Hayfield Cross Church of England School, we take data protection seriously. We collect and use personal information about children, parents, staff and visitors so that we can provide a safe, high‑quality education and meet our legal responsibilities. We follow the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which together set out how personal data must be handled.
 
This page explains how we use personal information, your rights, and how you can contact us if you have any questions or concerns.
 

Our Legal Responsibilities

As a school, we must ensure that personal data is:
  • Used lawfully, fairly, and transparently
  • Collected for clear, specific purposes
  • Limited to what is necessary
  • Accurate and kept up to date
  • Stored securely
  • Kept only for as long as needed
We also have a duty to keep personal information safe and to report certain types of data breaches to the Information Commissioner’s Office (ICO).
 

How We Use Personal Data

We process personal data so that we can:
  • Support teaching, learning, and pupil progress
  • Provide pastoral care and safeguarding
  • Meet our statutory duties (including census returns and attendance monitoring)
  • Communicate with parents and carers
  • Manage school operations such as admissions, staffing, and finance
  • Keep children and staff safe on site and online
We only collect information that is necessary for these purposes.
 

Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for using personal data. In schools, the most common are:
  • Public task: carrying out our official functions
  • Legal obligation: complying with the law
  • Vital interests: protecting someone’s life
  • Consent: when you have given clear permission (e.g. photos for marketing)
Where consent is required, you may withdraw it at any time.
 

How We Share Personal Data

We only share personal information when there is a lawful reason to do so. This may include sharing data with:
  • The Department for Education
  • Local authorities
  • Safeguarding partners
  • NHS and school health services
  • External providers supporting teaching and learning
  • Our school website provider or communication systems
We never sell personal data.
 

Your Rights

Under data protection law, you have the right to:
  • Access the personal data we hold about you
  • Request corrections if information is inaccurate
  • Request deletion in certain circumstances
  • Object to or restrict how your data is used
  • Request that data is transferred to another organisation (where applicable)
If you would like to exercise any of these rights, please contact us.
 

Data Breaches

If a data breach occurs, we follow a clear process to:
  • Contain the issue
  • Assess the risk
  • Notify affected individuals where necessary
  • Report serious breaches to the ICO
We also review incidents to prevent them happening again.
 

Data Protection Officer (DPO)

Our Data Protection Officer oversees how we handle personal data and ensures we comply with the law.
Data Protection Officer: The ICT Service
 

Privacy Notices

Our full privacy notices explain in more detail how we use personal data. You can find them here:

 

Policies and Documents