Data Protection Policy

Details on our Data Protection Policy


The Mill Academy collects and uses relevant personal data regarding staff, students, parents and carers, and other individuals who come into contact with the Academy and its schools. This information is gathered in order to enable it to provide education and its other associated functions, including complying with its statutory obligations. We shall take all reasonable steps to hold and process this data only in accordance with this policy.



“Processing” may include obtaining, recording, holding, disclosing, destroying or otherwise using data.

“Students” may include current, past or prospective students.

“Data subject” means an individual who is the subject of personal data or the person to whom the information relates.

“Personal data or personal information” means data which relates to a living individual who can be identified. Addresses and telephone numbers are particularly vulnerable to abuse, but names and photographs can be too if published in the press, on the Internet or in the media.

“Parent” has the meaning given in the Education Act 1996, and includes any person having parental responsibility or care of a child.



This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998 and other related legislation.

The Policy applies to any personal information or data regardless of the way that it is held, i.e. in paper files or held electronically.



The Principles

Under the Data Protection Act 1998, all schools processing personal data must comply with the eight enforceable principles of good practice. Data must be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept longer than necessary
  6. Processed in accordance with the data subject’s rights
  7. Secure
  8. Not transferred to other countries without adequate protection

Academies have a duty to be registered Data Protection Controllers, which ensures that all personal data is processed fairly, securely and in compliance with the principles of the Data Protection Act.

Personal Data

Definitions of personal data are highly complex, and it is difficult to define categorically. However, broadly speaking and in day-to-day use, ‘personal data’ is information which relates to a living, identifiable individual. Personal data may include but is not limited to:

  • School admission and attendance registers;
  • Student’s curricular records;
  • Biometric data (a numerical value of a student’s thumb or fingerprint);
  • Reports to parents on the achievements of their children;
  • Records in connection with students entered for prescribed public examinations;
  • Staff records, including payroll records;
  • Directors’, Members’ and Governors’ records;
  • Student disciplinary records;
  • Personal information for teaching purposes;
  • Records of contractors and

Processing Personal Data

If it is necessary for the Academy to process certain personal data to fulfil its obligations to students and their parents or guardians then consent is not required. However, any information which falls under the definition of personal data, and is not otherwise exempt, will remain confidential. Data will only be disclosed to third parties with the consent of the appropriate individual or under the terms of this Policy.

Sensitive Personal Data

Sensitive data may include but is not limited to:

  • Ethnic or racial origin;
  • Political opinions;
  • Religious beliefs;
  • Other beliefs of a similar nature;
  • Membership of a trade union;
  • Physical or mental health or condition;
  • Sexual orientation;
  • Offence or alleged offence;
  • Proceedings or court

Where sensitive personal data is processed by the Academy and its schools, the explicit consent of the appropriate individual will be required in writing.

Biometric Data

The Academy and its schools may implement the use of biometric data for purchase of catering and will ensure that the duties as set out in the Department for Education advice document ‘Protection of Biometric Information of Children in Schools’, December 2012 will be followed if biometric data is collected and held by the Academy and its schools. In particular we will notify each parent of pupils under the age of 18 of any wish to take and use their child’s biometric data. We will gain the written consent of one parent and will not take or use biometric data where either the child or either parent objects.

Rights of Access

Individuals have a right of access to information held by the Academy and its schools. Any individual wishing to access their personal data should put their written request to the Headteacher of the relevant school. The school will try to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days for access to records and 21 days to reply to an access to information request.

It is important to note that certain data is exempt from the right of access under the Data Protection Act. This can include:

  • Information which identifies other individuals;
  • Information which the School reasonably believes is likely to cause damage or distress;
  • Information which is subject to legal professional privilege;
  • Student examination

Data Rights

Under the Data Protection Act, the rights to the data belong to the individual to whom the data relates. However, in most cases, the Academy and its schools will rely on parental consent to process data relating to students unless, given the circumstances and the student’s age and understanding, it is unreasonable to rely on the parent’s consent. Parents should be aware that in such situations they may not be consulted. These situations are very rare, and it is a general policy in the Academy and its schools to always seek parental or guardian consent before processing a child’s personal data.

Disclosure of Information

The Academy and its schools confirm that they will not generally disclose information about individuals unless the individual has given their consent or one of the specific exemptions under the Data Protection Act applies. However, for the following purposes, the Academy and its schools do intend to disclose data as is necessary to third parties:

  • To give confidential references for any educational institution which the student may wish to
  • To give information relating to outstanding fees or payment history to any educational institution which it is proposed that the student may
  • To publish the results of public examinations or other achievements of students of the School.
  • To disclose medical details of a student’s medical condition where it is in the student’s interests to do so (e.g. to organisers of a School trip).
  • To share information required for the management and operation of any shared provision, including shared Sixth Form

When the Academy or one of its schools receives a disclosure request from a third party it will always take action to establish the identity of that third party before making any disclosure.

Use of Personal Information by the Schools

As part of the entry procedure into a school at any age, all students are asked to sign an agreement giving the school their consent to use their personal data for:

  • Use of photographic images in school publications (e.g. the newsletter) or on the school website.
  • Fundraising, marketing or promotional purposes and to maintain relationships with students of the


In accordance with the Data Protection Act 1998, the Academy and its schools are required to ensure that any personal data held about an individual is accurate. Conversely, schools will seek to encourage all students and staff to notify them of any changes to information held about them (change of address, change of marital status etc).


Where it is reasonably practicable, the Academy and its schools will take steps to ensure that members of staff will only have access to personal data relating to students, their parents or guardians where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the Data Protection Act. Schools will ensure that all personal information is held in a secure central location and is not accessible to unauthorised persons.


Personal data processed for any purpose shall not be kept for longer than is necessary. Current advice states:

  • Finance Data – 6 years or as laid down by Academies Financial Handbook
  • Pupil and Staff Data – 7 years seems to be the acceptable period, after which schools might not be required to provide exam results or
  • Data relating to Looked After Children (LAC), High needs SEN and non-minor accidents or incidents – 25 years from the date of
  • Based on guidance from the Records Management Society of Great Britain


If an individual believes that the Academy or its schools have not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, they should make a complaint to the relevant school using that school’s Complaints Procedure. Complaints relating to information handling may be referred to the Information Commissioner (the Statutory Regulator).


The Mill Academy is committed to the Freedom of Information Act 2000 and to the principles of accountability and the general right of access to information, subject to legal exemptions.

The Freedom of Information Act 2000 (FOI) came fully into force on January 1 2005. Under the Act, any person has a legal right of access to information produced in the course of the Academy and/or its Schools’ work. They are entitled to be told whether the Academy or its schools hold information and to receive a copy. There are exceptions to this right to information; in particular, data about living, identifiable people (personal data) continues to be covered by the Data Protection Act and is not generally publicly available except to the “subject” of the data – that is, the person whom the data is about.

The Directors are responsible for ensuring that the Academy and its Schools comply with FOI.

The Academy and its schools will be clear and proactive about the information they will make public. Each school will set out its own Publication Scheme, and the Academy’s Publication Scheme is shown in Appendix 1. Each Publication Scheme will show the following:

  • The classes of information which we publish or intend to publish;
  • The manner in which the information published will be made available; and
  • Whether the information is available free of charge or the charges applicable for providing

Information held by the Academy and its Schools which is not published under the Publication Scheme can be requested in writing, when its provision will be considered in accordance with the provisions of the FOI Act.


The Academy will review this policy in a 3-year cycle and assess its implementation and effectiveness. A log of requests for information under this policy will be required to be kept by each School and any logged requests will be notified to and reviewed by the Mill Academy’s Finance and Resources Committee.



  • The Business Manager or School Administrator in each school for maintaining the log of data requests under the Data Protection Act;
  • The Headteachers for reporting the log when requested to the Mill Academy’s Finance and Resources Committee;
  • The Director of Finance and Academy Services for reviewing any changes to statutory obligations and this policy document;
  • All staff in relation to ensuring accuracy, security and confidentiality during collection, handling, processing and disposing of any personal data;
  • The Headteachers and LGBs for compiling their Publication Scheme and putting in place a system for logging and managing information requests made either under their Publication Scheme or under the provisions of the Freedom of Information

Author: Nichola Stretton – Director of Finance and Academy Services

Date Revised: October 2016

Next Review Date: October 2019 or as required by statutory changes if relevant before the review date

