GDPR Privacy Policy



Woodhill collects a lot of data and information about pupils attending the school so that it can run effectively as a school and so we can meet our responsibilities as the admission authority. This privacy notice explains how and why we collect pupils’ data, what we do with it and what rights parents and pupils have in relation to the personal data and information collected.


Privacy Notice (How we use pupil information)

Woodhill Primary School is the data controller for the purposes of General Data Protection Regulation (GDPR).
The school acknowledges its obligations to parents and pupils under the GDPR in relation to the personal data of the pupils attending Woodhill Primary School and is committed to the principles of data protection as detailed in the school’s Data Protection Policy.


Why do we collect and use pupil information?

We collect and use pupil information under the following lawful bases:

a. where we have the consent of the data subject (Article 6 (a));

b. where it is necessary for compliance with a legal obligation (Article 6 (c));

c. where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));

d. where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e))


Where the personal data we collect about pupils is sensitive personal data, we will only process it where:

a. we have explicit consent;

b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; and / or

c. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


Please see our Data Protection Policy for a definition of sensitive personal data.


We use the pupil data to support our statutory functions of running a school, in particular:

a. to support pupil learning;

b. to monitor and report on pupil progress;

c. to provide appropriate pastoral care;

d. to assess the quality of our services;

e. to comply with the law regarding data sharing;

f. for the protection and welfare of pupils and others in the school; g. for the safe and orderly running of the school;

h. for the administration and business functions of the school.

i. for external trips and visits


The categories of pupil information that we collect, hold and share include:

  1. Personal information (such as name, unique pupil number, address, gender and date of birth); 

  2. Parent details (such as name, address, telephone number, email, relationship to pupil, divorced, court order in place etc);

  3. Characteristics (such as ethnicity, language, medical conditions, nationality, country of birth, dietary requirements and free school meal eligibility);
  4. Attendance information (such as sessions attended, number of absences and 
absence reasons); 

  5. Admission information (such as application, supplemental information form and 
registration paperwork, home authority)
  6. Emergency contact details; 

  7. Medical Information (such as medical condition, medication, internal healthcare 
plans, doctor’s details and hospital details); 

  8. SEN and Disability Information (such as EHC plan and internal educational plans);
  9. Pupil record from previous setting; 

  10. Educational information (such as examination results, school school work, internal assessments, internal educational tracking data, pupil premium eligibility);
  11. School Report;

  12. Behaviour information (such as incidences of good or poor behaviour, incidences of bullying, exclusions, final warning letter and letters to parents);
  13. Correspondence relating to the pupil with parents and external agencies; 

  14. Photographs taken for our information management system which are held on the 
personal file and on the school’s information management system; 

  15. CCTV footage. 


From time to time and in certain circumstances, we might also process personal data about pupils, some of which might be sensitive personal data, including information about criminal proceedings / convictions, information about sex life and sexual orientation, child protection / safeguarding. This information is not routinely collected about pupils and is only likely to be processed by the school in specific circumstances relating to particular pupils, for example, if a child protection issue arises or if a pupil is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.


We collect information about pupils when they join the school and update it during their time on the roll as and when new information is acquired. We may also ask you to review some of the personal information we hold to ensure that it is accurate.


Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the GDPR, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where appropriate, we will ask parents for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of pupils on our website or on social media to promote school activities. Parents may withdraw consent at any time.


In addition, the school also uses CCTV cameras around the school site for security purposes and for the protection of staff and pupils. CCTV footage may be referred to during the course of disciplinary procedures (for staff or pupils) or investigate other issues. CCTV footage involving pupils will only be processed to the extent that it is lawful to do so. Please see our CCTV policy for more details.


Storing pupil data

We hold pupil data in accordance with the school’s Document Management and Retention Policy.


A significant amount of personal data is stored electronically, for example, on our database, information management systems, finance and payroll systems and IT systems. Some information may also be stored in hard copy format.


Data stored electronically will be saved within a hybrid solution: on premises as part of a Local Area Network which is supported by Plum Innovations Ltd, and within the school servers. Plum Innovations Ltd are located within the UK and Europe. The contracts with Plum Innovations, London Grid for Learning and Atomwide contain the necessary provisions to ensure the security of personal data.


Personal data may be transferred to other countries if, for example, there is a school trip to a different country or the pupil is relocating to a different country and joining a new setting abroad. Appropriate steps will be taken to keep the data secure.


Who do we share pupil information with?

The pupil information and data we are provided with is shared with staff at the school, where necessary.
We routinely share pupil information with:

                    schools that pupils attend after leaving us; 

                    our local authority, the Royal Borough of Greenwich; 

                    a pupil’s home local authority (if different); 

                    the Department for Education (DfE); 

                    exam boards. 

                    Clubs run by external providers. 
From time to time, we may also share pupil information other third parties including the following: 

                    the Police and law enforcement agencies; 

                    health professionals including the school nurse, educational psychologists, 

                    Education Welfare Officers; 

                    Courts, if ordered to do so; 

                    Independent Review Panel 

                    Admission Appeal Panels 

                    the National College for Teaching and Learning; 

                    Social Care and other external agencies; 

                    Prevent teams in accordance with the Prevent Duty on schools; 

                    other schools, for example, if we are negotiating a managed move and we have your 
consent to share information in these circumstances; 

                    the Education Skills and Funding Agency (ESFA) or Department for Education (DfE) for the purposes of receiving educational support]; 

                    our HR providers, for example, if we are seeking HR advice and a pupil is involved in an issue; 

                    our legal advisors; 


Some of the above organisations may also be Data Controllers in their own right in which case we will be jointly controllers of your personal data and may be jointly liable in the event of any data breaches. 


In the event that we share personal data about pupils with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. 


Why we share pupil information?

We do not share information about our pupils with anyone without consent unless the law allows us to do so. We share pupils’ data with the DfE on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. We are required to share information about our pupils with the DfE under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.


Data collection requirements:

To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) go to censuses-for-schools


The National Pupil Database (NPD)

The NPD is owned and managed by the DfE and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DfE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.


We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.


To find out more about the pupil information we share with the Dfe, for the purpose of data collections, go to


To find out more about the NPD, go to pupil-database-userguide-and-supporting-information


The DfE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

                    conducting research or analysis 

                    producing statistics 

                    providing information, advice or guidance 


The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of: 

                    who is requesting the data; 

                    the purpose for which it is required; 

                    the level and sensitivity of data requested; and 

                    the arrangements in place to store and handle the data. 


To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.


For more information about the DfE’s data sharing process, please visit: 

For information about which organisations the DfE has provided pupil information, (and for which project), please visit the following website: 


To contact DfE: 


Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold (“Subject Access Request”). Where a child does not have the maturity to make their own requests for personal data, parents may do so on their behalf in a primary school setting. To make a request for your child’s personal data, or be given access to your child’s educational record, contact the school’s Data Protection Officer, although any written request for personal data will be treated as a Subject Access Request.

The school’s Data Protection Officer can be contacted by writing c/o Woodhill Primary School, Woodhill, London SE18 5JE or by emailing and inserting ‘subject access request’ in the subject box.


Subject to the section below, the legal timescales to respond to a Subject Access Request is one calendar month. As the school has limited staff resources outside of term time, we encourage parents / pupils to submit Subject Access Requests during term time and to avoid sending a request during periods when the school is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see the school’s Data Protection Policy.


Parents of pupils have a separate statutory right to receive an annual written report setting out their child’s attainment for the main subject areas which are taught. This is an independent legal right of parents rather than a pupil’s own legal right which falls outside of the GDPR, therefore a pupil’s consent is not required even a pupil is able to make their own decisions in relation to their personal data, unless a court order is in place which states otherwise.


The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are or were married, whether a father is named on a birth certificate or has parental responsibility for the pupil, with whom the pupil lives or whether the pupil has contact with that parent), and also includes nonparents who have parental responsibility for the pupil, or with whom the pupil lives. It is therefore possible for a pupil to have several “parents” for the purposes of education law.


You also have the right to:

                    object to processing of personal data that is likely to cause, or is causing, damage or 

                    prevent processing for the purpose of direct marketing; 

                    object to decisions being taken by automated means; 

                    in certain circumstances, have inaccurate personal data rectified, blocked, erased or 
destroyed; and 

                    claim compensation for damages caused by a breach of our data protection 

If you have a concern about the way we are collecting or using pupil data, you should raise your concern with us in the first instance by contacting the school’s data protection officer or the school’s data protection lead. 

Alternatively, you can contact directly the Information Commissioner’s Office at



If you have any queries regarding this notice or the use of pupil personal information, please contact: The school’s data protection officer, c/o Woodhill Primary School, Woodhill, London SE18 5JE or by emailing or calling 020 8305 7550.