What is the GDPR?

The GDPR is a piece of EU-wide legislation that sets out the rules on two things:

  • How organisations, including schools, will process people’s personal data and keep it safe
  • The legal rights people have over their own data

It applied to all schools from 25th May 2018, and the UK government confirmed it will apply even after the UK leaves the EU.

The changes are intended to protect sensitive or confidential information about people, including school staff and pupils.


What will be different under the GDPR?

The GDPR is similar to the Data Protection Act (DPA) 1998, which is what schools comply with at the moment, but strengthens and builds on many of the DPA’s principles. It has been described as “evolution not revolution”, but there are some key changes.

  • All schools must appoint a data protection officer
  • Schools must comply with subject access requests within a month (not 40 days), and in most cases can no longer charge a fee
  • The Information Commissioner’s Office (which upholds information rights in the UK) must be notified within 72 hours of a data breach
  • Schools must demonstrate how they comply with the rules
  • Schools need to carry out ‘data protection impact assessments’ when they want to use data in new ways, or implement new technologies
  • Privacy notices need to include some extra information
  • Consent for using someone’s data must be freely given, specific, informed and unambiguous – a higher standard than before
  • There are new, special protections for children’s data in the context of commercial internet services, such as social networking. All schools must appoint a named data protection officer


What does a data protection officer do?

  • Advise the school on data protection issues
  • Monitor the school’s compliance with the GDPR and any other relevant data protection law
  • Ensure the school’s policies on data protection are followed
  • Deal with and report data breaches
  • Organise relevant data protection training
  • Report to governors/trustees on the school’s GDPR compliance
  • Act as a contact point for the whole school community and Information Commissioner’s Office on any data protection issues
  • Advise on the need to conduct ‘data protection impact assessments’ if anyone in school wants to collect data in a new way (e.g. a teacher wants to use a new classroom app that requires pupils’ or parents’ personal data)


Who are the Data Protection Officers at the Hornchurch Academy Trust?

  • Whybridge Junior School - Miss A Edgcombe c/o Upminster Junior School
  • Scargill Infant School - Mrs H Lendon c/o Upminster Infant School
  • Scargill Junior School – Mrs S Warshow c/o Whybridge Junior School
  • Upminster Infant School – Mrs H Graham c/o Scargill Junior School
  • Upminster Junior School – Miss D McGahey c/o Scargill Infant School​


What new documents do I need to sign as a parent?

  • GDPR Consent Letter
  • HAT Pupil Privacy Notice
  • Online Consent Form


How do I request information under the new law?

  •  ​Complete a Subject Access Request


Please find links below for documents relating to What is GDPR - documents that parents/carers would need to sign:

Hornchurch Academy Trust GDPR Privacy Notice Declaration

Freedom of Information and Data Protection Policy