General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

GDPR came into effect on 25 May 2018. The Data and Assessment Team are playing a part in bringing support to schools with two members of our team now qualified EU General Data Protection Regulation Practitioners. Annette Henry and Rachael Harris are looking forward to sharing their knowledge with you.

Click here to view details on the team supporting schools

Amber Badley

Amber Badley, Firebird Data Protection Consultancy Limited, is an independent consultant and associate of Babcock LDP and will be providing Data Protection Officer duties to schools and academies across the South West, as well as mentoring both Annette and Rachael in their role of Data Protection Officers.. Amber holds a Master’s Degree in Information Rights Law and Practice and has 17 years’ experience working in the data protection field in the public sector, including over a decade as a Data Protection Officer for a large County Council.

During this time, Amber has worked with schools supporting them with advice and guidance, which included writing the Devon Photography and Filming in Schools Code of Practice (revised 2010) and the Devon Sharing Children’s Information Code of Practice (2010-2015).

Annette Henry

Annette Henry is an Education Information Analyst and has worked in the Babcock LDP Data and Assessment team since 2011. Annette provides support, advice and guidance to schools and academies on all elements of statutory national curriculum assessment across all key stages including data collection. She also provides FFT support and training to schools. Previously Annette has worked with schools in a safeguarding capacity and as a HLTA in a secondary school.

Rachael Harris

Rachael Harris joined the Data and Assessment Team from ScoMIS Data in 2007. As an Education Information Analyst she provides support and guidance for schools and academies in all key stages of the statutory national curriculum. She is trained to level 3 in safeguarding and has 15 years’ experience of working with school pupil data and related software systems.

Annette and Rachael have been awarded the qualification of EU General Data Protection Regulation Practitioner (GDPR P) and will be providing support to schools in the role of Data Protection Officer.

GDPR Guidance in the KS2 Assessment and Reporting Arrangements (ARA)

Section 12 (p52) of the KS2 Assessment and Reporting Arrangements (ARA) gives guidance on keeping and maintaining records and disclosure of educational records.

'Under the General Data Protection Regulation (GDPR) and the Data Protection Act 201868 (DPA), schools are responsible for ensuring that the collation, retention, storage and security of all personal information they produce and hold meets the provisions of the Act. This includes:

• personal information appearing in a pupil’s educational record

• any other information they hold which identifies individuals, including pupils, staff and parents

Schools must consider the implications of the DPA, under which they are required to registerInformation Commissioner’s OfficeDfE provides suggested text for school privacy notices7169 as a data controller with the 70 (ICO). Many schools consult their legal advisors for guidance on their responsibilities under the Act and advice on developing their data policies.'


'There are several pieces of legislation under which information may be accessed from public organisations, including schools. These include the GDPR, the DPA and the Freedom of Information Act 200072. Access to a pupil’s educational information held by a maintained school is covered by a parent’s right of access under the Education (Pupil Information) Regulations 2005.

Under these Regulations, a maintained school’s governing body must ensure that a pupil’s educational record is made available for parents to see, for free, within 15 school days of receipt of the parent’s written request. If a parent makes a written request for a copy of the record, this must also be provided within 15 school days of receipt of the request. Governing bodies can charge a fee for these copies but this must not be more than the cost of supply. The ICO provides further information on charges73.

The Regulations describe the material that is exempt from disclosure to parents. This relates to information that the pupil could not lawfully be given under the DPA. It also relates to information which they would not have right of access to under that Act, by virtue of paragraph 18 in Schedule 1 or paragraph 16 in Schedule 2 to the Act. This includes material that may cause serious harm to the physical or mental health or condition of the pupil or someone else. A school may not fulfil a parent’s request for these records if there is a court order in place which limits a parent’s exercise of parental responsibility. This affects the parent’s entitlement to receive such information.'


'Headteachers at maintained schools, including maintained special schools, must ensure the statutory requirements for the transfer of records between schools are fulfilled, including the completion of the CTF. This requirement is set out in the Education (Pupil Information) Regulations 2005, as amended.

If a pupil moves to another school in England, Wales, Scotland or Northern Ireland, the pupil’s CTF and educational records must be passed to the new school. Academies are not subject to these regulations, but are expected to adhere to the following protocols as a matter of good practice.'

Please see downloadable document below for more details.


Key Stage 2: Assessment and Reporting Arrangements (ARA)

October 2018

Scroll to top