Data Protection & GDPR

As a school we collect and use data a various different ways.

New General Data Protection Regulations (GDPR) are to be released on 25th May, and they will have implications for all schools and businesses that use data.  As a school we need to comply with these guidelines and make individuals aware of how their data is used and stored within our organisation.

How we use pupil information

Why do we collect and use pupil information and Legal Basis for Using Information

We collect and use pupil information under section 537A of the Education Act 1996, and section 83 of the Children Act 1989. We also comply with Article 6(1)(c) and Article 9(2)(b) of the General Data Protection Regulation (GDPR).

We use the pupil data:

  • As part of our admissions process
  • To support pupil teaching and learning
  • To monitor and report on pupil progress to provide appropriate pastoral care
  • To assess the quality of our services
  • To comply with the law regarding data sharing
  • To access our school meals, payments and school communication system   
  • To support you to decide what to do after you leave school

Categories of pupil information that we collect, hold and share include:

  • Personal information (such as name, unique pupil number and contact details)
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
  • Attendance information (such as sessions attended, number of absences and absence reasons)
  • National curriculum assessment results, special educational needs information, relevant medical information
  • Biometric fingerprints for school meals

Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us, or if you have a choice in this.

Storing pupil information

St Julian’s School keeps information about you on computer systems and also sometimes on paper.

We hold your education records securely (computerised and paper) in accordance with guidance issued by the Local Authority regarding document retention i.e. to comply with legal requirements e.g. date of birth plus 25 years for prime documents linked to safeguarding, SEN, Educational Psychology, School Admissions, EWS and 7 years for PLASC counts, class counts, SEN registers, School Action Plans, GEMS intervention referrals, admissions reports, school meals reports etc. after which they are safely destroyed. Biometric fingerprint data is destroyed as pupils leave school in years 11, 12 and 13.  

Access to the school’s IT and Data Systems is restricted to authorised individuals only and is underpinned and protected by our Digital Safety and Acceptable Usage Policies. Access is logged and routinely monitored to protect users and the integrity and security of systems and data.

St Julian’s School adheres to the following retention periods for computer held personal data:

  • Pupil local home drives are retained for a period of 1 calendar year.
  • Pupil Google mailboxes/Drive are retained for a period of 2 calendar year.
  • Staff local homedrives and mailboxes/Drive are retained for a period of 5 calendar years.
  • System and Web Filter logs are retained for a period of 1 calendar year with the exception of print logs which are held for a period of 1 calendar year and 1 month.
  • CCTV Footage is retained for a period of 1 months.
  • Phone managed by the LEA  records/messages are retained for a period of 3 months.
  • We have a third party arrangement with a catering partner to access information for school meal purposes. This information is held on a computerised system and is accessed by the catering staff but not shared. Biometric fingerprint information is destroyed as pupils leave school. Basic pupil information is retained on our SIMS system (School Management Information System) and retained for a period of 25 years.

Access to data on all laptop computers is secured through encryption or other means,to provide confidentiality of a data in the event of loss or theft of equipment.

Backups are also encrypted, files and data at source during backup.

After the following retention periods the data is deleted securely from our systems

Where data resides on third party systems e.g. Google Apps, contracts exist to ensure data security, integrity and retention periods match legislation with St Julian’s School in house systems.

All system backups are encrypted and are held in multiple, physically secure locations as part of the school’s disaster recovery plan.

There are strict controls on who can see your information. We will not share your data if you have advised us that you do not want it shared unless it is the only way we can make sure you stay safe and healthy, are legally required to do so or the data is required for operational purposes.

Paper records are held in lockable cabinets. All visitors to site have a photograph taken and are logged into an electronic visitors access system. Control to areas where records are stored is restricted – pupils and visitors are not permitted to access any such area unless required and under the supervision of a staff member.  

Who do we share pupil information with?

We routinely share pupil information with:

  • Other Schools or colleges that pupils attend after leaving us
  • Our local authority (Newport City Council) and the Education Achievement Service (EAS)
  • Welsh Assembly Government

Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

We share pupils’ data with the Welsh Assembly Government on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

To find out more about the data collection requirements placed on us by the Welsh Assembly Government (for example; PLASC and post16 data, go to

The school will, on an annual basis, share individual Data Collection Sheets with you in order to ensure that our records are accurate and up to date.

Requests for Information

All recorded information held by the School may be subject to requests under the Freedom of Information Act 2000, and the General Data Protection Regulations. If you would like to submit a Freedom of Information / Subject Access Request, you can e-mail us here. Subject Access Requests will be dealt with within one month (including weekends) of the date of receipt by the school. Please note that no charge is made for this information. Requests should be marked for the attention of Victoria Williams and e-mailed to:

Your Rights

The Data Protection Act/GDPR gives you a number of rights.  Please note that not all of your rights are absolute and we will need to consider your request upon receipt.

You have the right to request;

  • to have your data rectified if it is inaccurate or incomplete.
  • to have your data erased.
  • to restrict the processing of your data.
  • to exercise your right to data portability.
  • to object to the processing for the purposes of direct marketing, profiling and automated decision making.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting one of the two School contacts detailed below or directly to the Information Commissioner’s Office at:-


If you would like to get a copy of the information about you that Newport City Council provides to other providers please contact: Jodi Pontin on telephone no: (01633) 210100 or


If you would like to discuss anything in this privacy notice, please contact: Business Manager – Victoria Williams or Network Manager – Majid Elharrif who will be pleased to assist.