Skip to content ↓

Data protection and information

Date and status: Effective May 2018
Date for re-adoption: May 2021
Required actions: Yearly report to Trust board (summer meeting)

1. Introduction

1.1. The Inspiration Trust collects and uses certain types of personal information about staff, pupils, parents and other individuals who come into contact with our academies. This information is gathered in order to enable us to provide education and other associated functions, and administered in accordance with the Data Protection Act.

1.2. We may be required by law to collect and use certain types of information to comply with statutory obligations related to employment, education and safeguarding.

1.3. The Trust holds general organisational records, documents, and other material that relates to our work. These may be subject to public access under the Freedom of Information Act or the Environmental Information Regulations.

1.4. The Trust is registered with the Information Commissioner’s Office under the Data Protection Act on behalf of its academies. The Trust’s Head of External Affairs acts as responsible officer for the Trust, and is also the designated contact for requests under the Freedom of Information Act and Environmental Information Regulations.

2. Purpose

2.1. This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with relevant legislation. It also discharges statutory requirements related to non-personal information held by the Trust.

2.2. It applies to all computerised data and manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in some way that it is searchable on the basis of specific criteria (so you would be able to use something like the individual’s name to find their information), and if this is the case, it does not matter whether the information is located in a different physical location.

2.3. All staff involved with the collection, processing and disclosure of personal and other data must be aware of their duties and responsibilities and adhere to these guidelines.

2.4. Failure to follow these guidelines may result in disciplinary action, or in some cases constitute a prosecutable offence.

3. Complaints

3.1. Complaints relating to requests under the Data Protection Act, Freedom of Information Act, or Environmental Information Regulations will be dealt with under the procedures set down by legislation, and may be referred to the statutory regulator, the Information Commissioner.

3.2. Complaints relating to other aspects of this policy will be dealt with in accordance with the Trust’s Complaints Policy.

4. Handling and disclosure of personal information

4.1. Personal data is information that identifies an individual, and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. 

4.2. A sub-set of personal data is known as ‘special category personal data’. This data is given special protection and additional safeguards apply if this information is to be collected. Such data relates to:

  1. race or ethnic origin;
  2. political opinions;
  3. religious or philosophical beliefs;
  4. trade union membership;
  5. physical or mental health;
  6. an individual’s sex life or sexual orientation;
  7. genetic or biometric data for the purpose of uniquely identifying a natural person.

4.3. Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.

4.4. The Trust does not intend to seek or hold sensitive personal data about staff or students except where we have been notified of the information, or it comes to the our attention via legitimate means (eg. a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice.  Staff or students are under no obligation to disclose to the Trust their race or ethnic origin, political or religious beliefs, whether or not they are a trade union member or details of their sexual life (save to the extent that details of marital status and / or parenthood are needed for other purposes, eg. pension entitlements).

4.5. The Data Protection Act establishes six enforceable principles that must be adhered to at all times:

  1. personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met;
  2. personal data shall be collected for specific, explicit, and legitimate purposes,   and shall not be further processed in a manner incompatible with those purposes;
  3. personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed;
  4. personal data shall be accurate and, where necessary, kept up to date;
  5. personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose / those purposes;    
  6. personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

4.6.  The Trust is committed to maintaining the above principles at all times. Therefore we will:

a) inform individuals as to the purpose of collecting any information from them, as and when we ask for it;  

b) be responsible for checking the quality and accuracy of the information;

c) regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with our data retention schedules;                                                                                                                     

d) ensure that when information is authorised for disposal it is done appropriately;

e) ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;

f) share personal information with others only when it is necessary and legally appropriate to do so;

g) set out clear procedures for responding to requests for access to personal information known as subject access requests;

h) report any breaches of the principles in accordance with the procedures within this policy;

i) ensure our staff are aware of and understand our policies and procedures.

4.7. Conditions for processing in the first data protection principle

  1. The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given.
  2. The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regards to entering into a contract with the individual, at their request.
  3. The processing is necessary for the performance of a legal obligation to which we are subject.
  4. The processing is necessary to protect the vital interests of the individual or another.
  5. The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
  6. The processing is necessary for a legitimate interest of the Trust or that of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned.

4.8. Use of personal data: Pupils (including prospective pupils and alumni)

  1. The personal data held regarding pupils includes contact details, assessment and examination results, attendance information, characteristics such as ethnic group, special educational needs, any relevant medical information, and photographs and videos.
  2. The data is used in order to support the education of the pupils, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the academy as a whole is doing, together with any other uses normally associated with this provision in a school environment.
  3. We may make use of limited personal data (such as contact details) relating to pupils, and their parents or guardians for fundraising, marketing or promotional purposes and to maintain relationships with pupils of the academy, but only where consent has been provided to this. In particular, we may:

a) transfer information to any association society or club set up for the purpose of maintaining contact with pupils or for fundraising, marketing or promotional purposes relating to the academy but only where consent has been obtained first

b) make personal data, including sensitive personal data, available to staff for planning curricular or extra-curricular activities;                   

c) use photographs and videos of pupils for marketing purposes.

  1.  Any wish to limit or object to any use of personal data should be notified to the Data Protection Officer in writing. If in the Trust’s view the objection cannot be reasonably maintained, the individual will be given written reasons why we cannot comply with the request.

4.9. Use of personal data: Staff (including job applicants and former staff)

  1. The personal data held about staff will include contact details, employment history, information relating to career progression, information relating to DBS checks, photographs and videos.
  2.  The data is used to comply with legal obligations placed on the Trust in relation to employment, and the education of children in a school environment. The Trust may pass information to other regulatory authorities where appropriate, and may use names, photographs and videos of staff in publicity and promotional material.  Personal data will also be used when giving references.
  3. Staff should note that information about disciplinary action may be kept for longer than the duration of the sanction.  Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period.
  4. Any wish to limit or object to the uses to which personal data is to be put should be notified to the Data Protection Officer in writing. If in the Trust’s view the objection cannot be reasonably maintained, the individual will be given written reasons why the we cannot comply with the request.

4.10.  Use of personal data: Other individuals

  1. The Trust may hold personal information in relation to other individuals who have contact with the school, such as trustees, governors, volunteers and guests.  Such information shall be held only in accordance with the data protection principles, and shall not be kept longer than necessary.

4.11. Security of data

  1. The Trust will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties.  All staff will be made aware of this policy and their duties under it. The Trust will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
  2. Further details of data security are contained in our relevant ICT policies and procedures.

4.12. Disclosure of personal data to third parties

  1. The following list includes the most usual reasons that the Trust will authorise disclosure of personal data to a third party:

a) to give a confidential reference relating to a current or former employee, volunteer or pupil;

b) for the prevention or detection of crime;              

c) for the assessment of any tax or duty;

d) where it is necessary to exercise a right or obligation conferred or imposed by law upon the Trust (other than an obligation imposed by contract);

e) for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);                   

f) for the purpose of obtaining legal advice;

g) for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);

h) to publish the results of public examinations or other achievements of pupils of the Trust;

i) to disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example for medical advice, insurance purposes or to organisers of school trips;             

j) to provide information to another educational establishment to which a pupil is transferring;             

k) to provide information to an examination authority as part of the examination process; and

l) to provide information to local or central government where it is required for the discharge of their statutory and regulatory functions.

  1. The Trust may receive requests from third parties (ie. those other than the data subject, the Trust, and our employees) to disclose personal data it holds about pupils, their parents or guardians, staff or other individuals. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allow disclosure applies; or where necessary for the legitimate interests of the individual concerned or the Trust. 
  2. All requests for the disclosure of personal data must be sent to the Data Protection Officer. The Trust will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.

4.13. Confidentiality of pupil concerns

  1. Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or guardian, the Trust will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where the Trust believes disclosure will be in the best interests of the pupil or other pupils.

4.7. Rights of access to personal information

  1. Anybody who makes a request to see any personal information held about them by the Trust is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure.    
  2. All requests should be forward to the Data Protection Officer within 3 working days of receipt, and must be dealt with in full without delay and at the latest within one month of receipt.
  3. Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of 12, or over 12 but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf.  The Data Protection Officer of their delegate must, however, be satisfied that:
    1. the child or young person lacks sufficient understanding; and                             
    2. the request made on behalf of the child or young person is in their interests.
  4. Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances the Trust must have written evidence that the individual has authorised the person to make the application and the Data Protection Officer or their delegate must be confident of the identity of the individual making the request and of the authorisation of the individual to whom the request relates.
  5. Access to records will be refused in instances where an exemption applies, for example, information sharing may place the individual at risk of significant harm or jeopardise police investigations into any alleged offence(s).                             
  6. A subject access request must be made in writing. The Trust may ask for any further information reasonably required to locate the information.                   
  7. An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information.  Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.
  8. The identity of the requestor must be established before the disclosure of any information; in the case of a parent or member of staff they may already be well known to the Trust or academy staff. Where relevant, checks should also be carried out regarding proof of relationship to the child. Evidence of identity may be established by requesting production of:
    1. passport
    2. driving licence
    3. utility bills with the current address
    4. birth certificate
    5. P45/P60
    6. credit card or mortgage statement
  9. All files must be reviewed by the Data Protection Officer or their delegate before any disclosure takes place. Access will not be granted before this review has taken place.
  10. Where all the data in a document cannot be disclosed a copy should be made and the withheld data obscured. A copy of the full document and the altered document should be retained, with the reason why the document was altered.

4.8. Exemptions to access by data subjects

  1. Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.
  2. There are other exemptions from the right of subject access. If we intend to apply any of them to a request then we will usually explain which exemption is being applied and why.

4.9. Right to object to processing

  1. An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest where they do not believe that those grounds are made out.
  2. Where such an objection is made, it must be forwarded to the Data Protection Officer within 3 working days of receipt. The Trust will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings. 
  3. The Trust will notify the individual of the outcome of their assessment within 30 days of receipt of the objection. 

4.10. Right to rectification

  1. An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be forwarded to the Data Protection Officer within 3 working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.
  2. Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. If the individual is not content with this decision, they may appeal direct to the Information Commissioner.           
  3. An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.

4.11. Right to erasure

  1. Individuals have a right, in certain circumstances, to have data permanently erased without undue delay.  This right arises in the following circumstances:
    1. where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
    2. where consent is withdrawn and there is no other legal basis for the processing;
    3. where an objection has been raised under the right to object, and found to be legitimate;
    4. where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
    5. where there is a legal obligation on the Trust to delete.
  2. The Data Protection Officer  or their delegate will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law.  Where a decision is made to erase the data, and this data has been passed to other data controllers, and / or has been made public, reasonable attempts to inform those controllers of the request shall be made.

4.12. Right to restrict processing

  1. In the following circumstances, processing of an individual’s personal data may be restricted:
    1. where the accuracy of data has been contested, during the period when the Trust is attempting to verify the accuracy of the data;
    2. where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;
    3. where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim;

4.13. Right to portability

  1. If an individual wants to send their personal data to another organisation they have a right to request that the Trust provides their information in a structured, commonly used, and machine readable format.  As this right is limited to situations where the Trust is processing the information on the basis of consent or performance of a contract, the situations in which this right can be exercised will be quite limited. If a request for this is made, it should be forwarded to the Data Protection Officer within 2 working days of receipt, and they will review and respond as necessary.

4.14. Breach of this policy

  1. Any and all breaches of the GDPR, including a breach of any of the data protection principles shall be reported as soon as it is discovered, to the Data Protection Officer.
  2. Once notified, the Data Protection Officer shall assess:
    1. the extent of the breach;
    2. the risks to the data subjects as a consequence of the breach;
    3. any security measures in place that will protect the information;
    4. any measures that can be taken immediately to mitigate the risk to the individuals.
  3. Unless the Data Protection Officer concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Trust, unless a delay can be justified.
  4. The Information Commissioner shall be told:
    1. details of the breach, including the volume of data at risk, and the number and categories of data subjects;
    2. the contact point for any enquiries (which shall usually be the Head of External Affairs);            
    3. the likely consequences of the breach;
    4. measures proposed or already taken to address the breach.
  5. If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the Data Protection Officer shall arrange to notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals. Data subjects shall be told:
    1. the nature of the breach;                                                                                     
    2. who to contact with any questions;                                                                   
    3. measures taken to mitigate any risks.
  6. The Data Protection Officer shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented.  Any recommendations for further training or a change in procedure shall be reviewed by the Trust board and a decision made about implementation of those recommendations.

4.15. Other provisions relating to pupil data

  1. Under the Education (Independent School Standards) (England) Regulations 2010 parents have the right to receive an annual written report about their child. In practice, our academies will share information more frequently to help support pupils’ education through written reports, parents’ evenings, and the like.
  2.  As academies, the Education (Pupil Information) (England) Regulations 2005 do not apply to our schools. Instead, pupils or parents acting on their behalf may request information under the Data Protection Act.

5. Handling and disclosure of non-personal information

5.1. Rights of access to non-personal information

  1. The Trust is a public authority for the purposes of the Freedom of Information Act, and as such the public have a general right of access to information held by the Trust, subject to certain exemptions.
  2. The Trust is also required to adopt a publication scheme, setting out information it will pro-actively publish.
  3. The Trust is also a public authority for the purposes of the Environmental Information Regulations, which gives access to environmental information.

5.2. Making freedom of information requests

  1.  In many circumstances, information may be shared informally as part of the Trust’s normal working practices. Where more detailed or sensitive information is required it should be treated as a formal Freedom of Information request, or where relevant, a request under the Environmental Information Regulations.
  2. Requests for information that includes the personal data of the applicant should be treated as a data protection subject access request, rather than under freedom of information provisions.
  3. Formal requests for information must be made in writing, which includes email. There is no need to use a specific form.
  4. Requests may be made in the first instance to an academy or the Trust centrally. Once received, all requests must be forwarded to the Trust’s Head of External Affairs for validation and processing within 3 working days of receipt.
  5. A fee may be payable for fulfilling a request. Requests may be refused if complying with them would exceed processing limits set by legislation, or if the information is exempt from disclosure.

5.3. Handling a request

  1. Where processing a Freedom of Information request would exceed the cost limits set by legislation, the Trust may refuse the request. In other cases, the Trust may charge disbursement costs as set out in our publication scheme.
  2. For requests under the Environmental Information Regulations, the Trust will charge for reasonable staff time required to collate the information in addition to any disbursement costs, as set out in our publication scheme.
  3. Where a charge is to be applied we will issue a fees notice and require payment prior to completing the request.
  4. For schools, the standard time limit for a Freedom of Information request is 20 school days, or 60 working days if this is shorter. Requests should normally be processed within this time.
  5. Under the Environmental Information Regulations, the limit is 20 working days or 40 working days for particularly complex requests.

5.4. Exemptions when disclosing information

  1. The right to access relates to information, not documents, so the Trust is not generally obliged to provide copies of original documents - only the relevant information within them.
  2. Both the Freedom of Information Act and Environmental Impact Regulations allow exemptions as to the provision of some information, such as where disclosing information would not be in the public interest.
  3. Where information has provided by the police, local authority, health care professional or another school, their advice should normally be obtained before disclosing the information.
  4. Where redaction (information blacked out/removed) has taken place then a full copy of the information provided should be retained privately by the Trust in order to establish, if a complaint is made, what was redacted and why.

5.5. Providing meaningful information

  1. Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.
  2. It may be useful for information to be provided at a face to face meeting, with a relevant member of staff on hand to help and explain matters if requested, or provided at face to face handover.
  3. The views of the applicant should be taken into account when considering the method of delivery.

5.6. Freedom of Information Act publication scheme for academies

  1. This generic model publication scheme has been prepared and approved by the Information Commissioner. It has been adopted by the Inspiration Trust and is reproduced at Appendix A.
  2. The scheme commits the Trust:
    1. To proactively publish or otherwise make available as a matter of routine, information, including environmental information, which is held by the authority and falls within the classifications below.
    2. To specify the information which is held by the authority and falls within the classifications below.
    3. To proactively publish or otherwise make available as a matter of routine, information in line with the statements contained within this scheme.
    4. To produce and publish the methods by which the specific information is made routinely available so that it can be easily identified and accessed by members of the public.
    5. To review and update on a regular basis the information the authority makes available under this scheme.
    6. To produce a schedule of any fees charged for access to information which is made proactively available.
    7. To make this publication scheme available to the public
  3.  Classes of information
    1. Who we are and what we do: Organisational information, locations and contacts, constitutional and legal governance.
    2. What we spend and how we spend it: Financial information relating to projected and actual income and expenditure, tendering, procurement and contracts.
    3. What our priorities are and how we are doing: Strategy and performance information, plans, assessments, inspections and reviews.
    4. How we make decisions: Policy proposals and decisions. Decision making processes, internal criteria and procedures, consultations.
    5. Our policies and procedures: Current written protocols for delivering our functions and responsibilities.
    6. Lists and registers: Information held in registers required by law and other lists and registers relating to the functions of the authority.
    7. The Services we offer: Advice and guidance, booklets and leaflets, transactions and media releases. A description of the services offered.
  4. The classes of information will not generally include:
    1. Information the disclosure of which is prevented by law, or exempt under the Freedom of Information Act, or is otherwise properly considered to be protected from disclosure.
    2. Information in draft form.
    3. Information that is no longer readily available as it is contained in files that have been placed in archive storage, or is difficult to access for similar reasons.
  5.  The authority will indicate clearly to the public what information is covered by this scheme and how it can be obtained.
  6. Where it is within the capability of a public authority, information will be provided on a website. Where it is impracticable to make information available on a website or when an individual does not wish to access the information by the website, a public authority will indicate how information can be obtained by other means and provide it by those means.
  7. In exceptional circumstances some information may be available only by viewing in person. Where this manner is specified, contact details will be provided. An appointment to view the information will be arranged within a reasonable timescale.
  8. Information will be provided in the language in which it is held or in such other language that is legally required. Where an authority is legally required to translate any information, it will do so.
  9. Obligations under disability and discrimination legislation and any other legislation to provide information in other forms and formats will be adhered to when providing information in accordance with this scheme.
  10. The purpose of this scheme is to make the maximum amount of information readily available at minimum inconvenience and cost to the public. Charges made by the authority for routinely published material will be justified and transparent and kept to a minimum.
  11. Material which is published and accessed on a website will be provided free of charge.
  12. Charges may be made for information subject to a charging regime specified by Parliament. Charges may be made for actual disbursements incurred such as:
  1. photocopying
  2. postage and packaging
  3. the costs directly incurred as a result of viewing information
    1. Charges may also be made for information provided under this scheme where they are legally authorised, they are in all the circumstances, including the general principles of the right of access to information held by public authorities, justified and are in accordance with a published schedule or schedules of fees which is readily available to the public.
    2. If a charge is to be made, confirmation of the payment due will be given before the information is provided. Payment may be requested prior to provision of the information.
    3. Written requests
    4. Information held by a public authority that is not published under this scheme can be requested in writing, when its provision will be considered in accordance with the provisions of the Freedom of Information Act.
    5. Requests should be made to the Head of External Affairs, Inspiration Trust, 28 Bethel Street, Norwich, NR2 1NR.

6. Records management and retention

6.1. The Data Protection Act requires that information is retained only for as long as necessary. These guidelines detail the standard retention period for data held by the Trust.

6.2. The retention period may differ in particular circumstances. Where an academy has been taken on by the Trust, certain records may have been retained by the predecessor organisation.

6.3. Recommended retention periods for particular classes of data are contained within Appendix B. If a document or piece of information is reaching the end of its stated retention period, but you are of the view that it should be kept longer, please refer to the Head of External Affairs, who will make a decision as to whether it should be kept, for how long, and note the new time limit and reasons for extension. 

6.4. Deletion of documents: Confidential waste

  1. This should be made available for collection in the confidential waste bins or sacks located around the office, or shredded using equipment where provided.
  2.  Anything that contains personal information should be treated as confidential.

6.5. Where deleting electronically, please refer to the Head of ICT and the Trust’s data security policies to ensure that this is carried out effectively.

6.6. Deletion of other documentation

  1. Other documentation can be deleted or placed in recycling bins where appropriate.

6.7. Automatic deletion

  1. Certain information will be automatically archived by the computer systems. Should you want to retrieve any information, or prevent this happening in a particular circumstance, please contact the Head of ICT.

6.8. Much of the retention and deletion of documents will be automatic, but when faced with a decision about an individual document, you should ask yourself the following:

  1. Has the information come to the end of its useful life?
  2. Is there a legal requirement to keep this information or document for a set period?
  3. Would the information be likely to be needed in the case of any legal proceedings? In particular, is it potentially relevant to an historic child abuse enquiry?  Is the information contentious, does it relate to an incident that could potentially give rise to proceedings?)
  4. Would the document be useful for the organisation as a precedent, learning document, or for performance management processes?
  5. Is the document of historic or statistical significance?

6.9. If the decision is made to keep the document, this should be referred to the Head of External Affairs for approval and reasons given.

7. Policy review and amendments

7.1. A yearly report on the operation of this policy will be presented to the Trust board.

7.2. This policy will be reviewed periodically by the Trust, and formally re-adopted by the trustees at least every three years.

7.3. The board grants delegated authority to the Chief Executive to make amendments to this policy to reflect changes in legislation, the regulatory regime, and best practice. Any such changes will be notified to trustees, and will automatically be deemed as accepted unless any objection is received within two weeks of notification.

7.4. The board grants delegated authority to the Chief Executive to make amendments to appendices to reflect changes in legislation, the regulatory regime, and best practice as they deem necessary.

Regulatory framework: Data Protection Act 1988; Data Protection Bill 2018; Freedom of Information Act 2000; Environmental Information Regulations 2004; Freedom of Information (Time for Compliance with Request) Regulations 2010

Appendix A: Publication Scheme

Information to be published


How the information can be obtained


Class 1 - Who we are and what we do

(Organisational information, structures, locations and contacts)

Who’s who in the school



Who’s who on the governing body / board of governors and the basis of their appointment



Instrument of Government / Articles of Association



Contact details for the principal and for the governing body, via the school



School prospectus

Hard copy


School session times and term dates



Address of school and contact details, including email address.



Class 2 – What we spend and how we spend it

(Financial information relating to projected and actual income and expenditure, procurement, contracts and financial audit)

Annual budget plan and financial statements



Capital funding



Financial audit reports



Governors’ allowances that can be incurred or claimed, and a record of total payments made to individual governors.



Class 3 – What our priorities are and how we are doing

(Strategies and plans, performance indicators, audits, inspections and reviews)

Performance management policy and procedures adopted by the governing body.



Performance data or a direct link to it



Ofsted inspection reports



The school’s future plans; for example, proposals for and any consultation on the future of the school, such as a change in status



Safeguarding and child protection



Class 4 – How we make decisions

(Decision making processes and records of decisions)

Admissions policy



Agendas and minutes of meetings of the governing body and its committees. (NB this will exclude information that is properly regarded as private to the meetings).



Class 5 – Our policies and procedures

(Current written protocols, policies and procedures for delivering our services and responsibilities)

Records management and personal data policies



Charging regimes and policies.



Class 6 – Lists and Registers

Asset register

By inspection


Any information the school is currently legally required to hold in publicly available registers

By inspection


Class 7 – The services we offer

(Information about the services we offer, including leaflets, guidance and newsletters produced for the public and businesses)

Extra-curricular activities



Out of school clubs



Services for which the school is entitled to recover a fee, together with those fees



School publications, leaflets, books and newsletters




Schedule of charges



Basis of charge

Disbursement cost

Photocopying/printing @ 10p per sheet (black & white)

Actual cost


Photocopying/printing @ 20p per sheet (colour)

Actual cost



Actual cost of Royal Mail standard 2nd class

Statutory fees


In accordance with the relevant legislation


Appendix B – Retention schedule

Document type

Basis for retention





Company Articles of Association, Rules / bylaws

Companies Act 2006

Charities Act 2011


Academy funding agreement and any supplemental agreements

Charities Act 2011


Trustee / director minutes of meetings and written resolutions

Companies Act 2006

Charities Act 2011


10 years

Members’ meetings etc.

Minutes / resolutions

Companies Act 2006

Charities Act 2011


10 years

Documents of clear historical / archival significance

Data Protection regulation

Permanent if relevant data protection regulation provisions are met.

Contracts eg. with suppliers or grant makers

Limitation Act 1980

Length of contract term plus 6 years

Contracts executed as deeds

Limitation Act 1980

Length of contract term plus 12 years

Intellectual property records and legal files re provision of service

Limitation Act 1980

Life of service provision or IP plus 6 years




Annual accounts and review (including transferred records on amalgamation)

Companies Act 2006

Charities Act 2011


6 years

Tax and accounting records

Finance Act 1998

Taxes Management Act 1970

6 years from end of relevant tax year

Information relevant for VAT purposes

Finance Act 1998 and

HMRC Notice 700/21

6 years from end of relevant period

Banking records / receipts book/sales ledger

Companies Act 2006

Charities Act 2011

6 years from transaction




Payroll / Employee / Income Tax and NI records:

P45; P6; PIID; P60, etc.

Taxes Management Act 1970  / IT (PAYE) Regulations

6 years from end of current year

Maternity pay

Statutory Maternity Pay Regulations

3 years after the end of the tax year

Sick pay

Statutory Sick Pay

(General) Regulations

3 years after the end of the tax year

National Minimum wage records

National Minimum Wage Act

3 years after the end of the tax year

Foreign national ID documents

Immigration (Restrictions on Employment) Order 2007

Independent School Standards Regulations

Minimum 2 years from end of employment

HR files and training records

Limitation Act 1970 and Data Protection regulation

6 years from end of employment

Records re working time

Working Time Regulations 1998 as amended

2 years

Job applications (CVs and related materials re unsuccessful applicants)

ICO Employment Practices Code (Recruitment & Selection) Disability Discrimination Act 1995 & Race Relations Act 1976

12 months from your notification of outcome of application

Pre-employment / volunteer vetting

ICO Employment Practice Code

Independent School Standards Regulations

6 months

Disclosure & Barring Service checks

Single Central Record Requirements under

• for independent schools, (including academies and free schools and alternative provision academies and free schools): Part 4 of the Schedule to the Education (Independent School Standards) Regulations 2014;

• for colleges: Regulations 20-25 and the Schedule to the Further Education (Providers of Education) (England) Regulations 2006;46 and

Record only satisfactory / unsatisfactory result and delete other information. If copy is kept, not to be retained beyond 6 months.

See further DfE statutory Guidance ‘ Working Together to safeguard children’

Volunteer records


6 years from end of engagement




Employer’s Liability Insurance

Employers’ Liability (Compulsory Insurance Regulation) 1998

40 years



3 years after lapse

Claims correspondence


3 years after settlement




General records

Limitation Act 1970

Minimum 3 years

Records re work with hazardous substances

Control of Hazardous Substances to Health Regulations 2002

40 years

Accident books / records and reports

Reporting of Injuries Diseases and Dangerous Occurrences Regulations 1995

3 years after last entry or end of investigation

Medical Scheme documentation


Permanent unless personal data is included




Original title deeds


Permanent / to disposal of property


Limitation Act 1980

12 years after lease has expired

Building records, plans, consents and certification and warranties etc

Limitations Act 1980

6 years after disposal or permanent if of historical / archival interest.




Records about employees and workers

For all categories see:

Detailed Guidance for Employers: (April 2017)


6 years

Records re the Scheme

6 years

Records re active members and opt in / opt out

6 years




Educational Record

Pupil information Regulations 2005 (maintained schools only) Same approach applied in academy context.

Data Protection regulation

25 years from date of birth  unless passed to new school

Child Protection information (on child’s file)

“Keeping children safe in education Statutory guidance for schools and colleges - September 2016”;

“Working together to safeguard children. A guide to inter-agency working to safeguard and promote the welfare of children - February 2017”


Subject to moratorium on destruction due to historic child abuse enquiry. See


Child Protection Information in other files

“Keeping children safe in education Statutory guidance for schools and colleges - September 2016”;

“Working together to safeguard children. A guide to inter-agency working to safeguard and promote the welfare of children - February 2017”


Subject to moratorium on destruction due to historic child abuse enquiry. See

Special Educational needs



SEN files

Limitation Act 1980

Usually 25 years from date of birth of the pupil. If kept longer show good justification.

Education Health and Care Plans

Special Educational Needs and Disability Regulations 2014

Children and families Act 2014, part 3

25 years from date of birth of the pupil

Statements of Special Educational Needs (now historic)

Originally under Special Educational Needs and Disability Regulations 2001

25 years from date of birth of pupil unless passed to new school (usually on the pupil’s file)

Attendance registers

Pupil Registration Regulations 2006

Regulation 14

3 years from when the register entry was made if made in paper registers

For computerised registers retain until 3 years after the end of the school year during which the entry was made.

Note: The difference in retention periods as between manual and computerised registers has probably come about in error but this is what the Regulations say.

Other items e.g. curriculum related, photographs, video recordings

Case by case basis

Look at why you are processing this and how long you need it for. Make sure you have a good justification for keeping it as long as you do. Set out the items and the justification.


Pupil Registration Regulations 2006

For basic name and contact details.

Otherwise usually operational in accordance with the statutory functions of the school

Usually, for the duration that the parent has a pupil at the school. Otherwise subject to case by case justification.


Data protection regulation

For as long as there is an active relationship.