Skip to content ↓

GDPR and Data Protection



What is a Privacy Notice?

A Privacy Notice sets out how we use personal data (information) that we hold about individuals. The General Data Protection Regulation (GDPR) requires us to publish this information. This Privacy Notice explains how we collect, store, use and share personal data about our students and their parents/ carers.

The types of personal data that we collect, hold and share include:

  • Personal information (such as name, unique pupil number and address)
  • Characteristics (such as ethnicity, language, nationality and eligibility for free school meals)
  • Attendance information (including the number of absences and reasons for absence)
  • Assessment information (such as KS2 test data, results of tests, progress reports, estimated attainment grades and external examination results)
  • Information relating to medical needs, special educational needs and disabilities
  • Information relating to positive and negative attitude and behaviour (such as rewards, misdemeanours and sanctions including detention, isolation and internal/external exclusion)
  • Payment information relating to school meals, trips, extra-curricular activities, the iPad for Learning scheme and other items

Why we collect and use this information

We use this personal data:

  • to support student learning
  • to safeguard students
  • to monitor and report on student progress
  • to provide appropriate pastoral care
  • to keep parents/carers informed about their child’s education and wellbeing
  • to assess the quality of our servicesprovision
  • to comply with the law regarding data sharing
  • to provide services such as school meals and trips and visits

The lawful basis on which we use this information

We collect and use personal data in order to meet certain legal requirements. Under the GDPR, this is known as “Legal obligation”. Relevant laws include:

  • Article 6 and Article 9 of the GDPR
  • Education Act 1996
  • Education (Pupil Registration) (England) Regulations 2006
  • Education (Information About Individual Pupils) (England) Regulations 2013
  • Children’s and Families Act 2014, section 69

In some cases, we use personal data as part of our day-to-day function as a school even though there may not be a specific law covering this. This is part of our “Public task” to educate and support our students. In very rare instances, “Legitimate Interest” or “Vital Interest” may be used as the lawful basis for processing personal data.


Giving your consent

The majority of the data you provide to us is mandatory (ie we do not need your permission to hold this data). However, in some cases data is provided to us on a voluntary basis. Under the GDPR, this is known as “Consent”, and applies to things like using a student’s photo in the school magazine. Where required, we will ask you to give us your consent before using this data.

Special Category Personal Data

Information such as health needs, ethnic origin, religious beliefs and biometric data is known as “Special Category Personal Data”. There are additional restrictions on how we can use this.

How long do we keep your data?

We keep different types of data for different amounts of time, in accordance with our Retention Policy. This policy takes account of the retention schedules produced by the Information Record Management Society, which can be viewed at

Who we share personal data with

The law requires us to share students’ data with the Department for Education (DfE).

We do not share personal data with anyone else without consent unless the law and our policies allow us to do so. As well as the DfE, we routinely share certain types of personal data with:

  • Examination boards
  • Off-site learning providers (for students following alternative learning programmes)
  • Other schools (eg when students move to another school)
  • Leeds City Council (and other local authorities, where appropriate)
  • National Health Service
  • West Yorkshire Police
  • Youth support services

We also share personal data with certain other third parties as part of our function as a school. These companies / organisations must comply with strict terms and conditions covering the confidentiality, security, retention and use of data. They include:


  • Bug Club (online reading scheme)
  • CPOMS (child protection, safeguarding and student wellbeing management system)
  • Educational visits providers (for students participating in off-site visits)
  • Evolve (our educational visits risk assessment system)
  • FFT Aspire (student achievement data analysis)
  • Microsoft 365 (email, OneDrive and Office functionality for students)
  • Microsoft Teams (online learning platform)
  • Sage (finance software)
  • SIMS (Schools Information Management System)
  • The Headteacher’s Report (report compilation tool for senior leaders)
  • Times Tables Rock Stars (online learning tool for mathematics)
  • Tucasi / Scopay (payments / online banking system)
  • Wonde (single sign-on system for educational apps)

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census) go to

Data Security

St Mary’s has in place technical and organisational measures to ensure a level of security appropriate to the sensitive nature of the personal data that we use. We also provide data privacy awareness training for all staff.

Requesting access to your personal data

Under data protection law, parents/carers and students have the right to request access to information that we hold about them. To make a request for your personal information, or be given access to your child’s educational record, contact the trust’s Data Protection Officer, Alison Jones, at

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, please raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at


If you would like to discuss anything in this privacy notice, please contact