Data Protection Policy
St. Joseph’s National School’s data protection policy sets out in writing the manner in which personal
data on Board of Management members, staff, students and parents is kept and how the data
concerned is protected.
This policy was formulated with reference to:
New GDPR Procedures 25TH May 2018
A guide for Data Controllers- Data Protection Commissioner
The Data Protection Act 1988
The Data Protection (Amendment) Act 2003
The Education Act 1998
Education Welfare Act 2000
The policy was formulated by the Principal and members of the Board of Management. This policy
applies to the keeping and processing of personal data, both in manual form, on computer, and in
the cloud and includes personal data on Board members, staff, parents and pupils of St. Mary’s
National School. The school understands data to include any information that is kept relating to a
living individual who is or can be identified from the data, or from the data in conjunction with other
information that is in or is likely to come into the possession of the data controller. In order to
properly understand the school’s obligations, there are some key terms which should be understood
by all relevant parties.
Definition of Data Protection Terms
Data means information in a form that can be processed. It includes both automated data
(e.g. electronic data) and manual data.
Automated data means any information on computer, or information recorded with the
intention that it be processed by computer.
Manual data means information that is kept/recorded as part of a relevant filing system or
with the intention that it form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is
structured by reference to individuals or by reference to criteria relating to individuals, so
that specific information relating to a particular individual is readily, quickly and easily
Personal Data means data relating to a living individual who is or can be identified either
from the data or from the data in conjunction with other information that is in, or is likely to
come into, the possession of the Data Controller i.e. the school.
Sensitive Personal Data refers to Personal Data regarding a person’s
racial or ethnic origin, political opinions or religious or philosophical beliefs
membership of a trade union
physical or mental health or condition or sexual life
commission or alleged commission of any offence or
any proceedings for an offence committed or alleged to have been committed by the
person, the disposal of such proceedings or the sentence of any court in such proceedings,
criminal convictions or the alleged commission of an offence.
Data Controller for the purpose of this policy is the Board of Management of St. Joseph’s National
School who delegate the responsibility for overseeing data protection on a day to day basis to the
To Whom this Policy Applies:
This policy applies to all school staff, the Board of Management, parents/guardians, students and
others insofar as the measures in this policy relate to them.
St. Joseph’s National School understands that:
Schools are obliged to comply with the Data Protection Act (1988) and the Data Protection
(Amendment) Act (2003).
Parents of students, and students that have reached their 18th birthday, must be given access to
records kept by the school relating to the progress of the student in his/her education. (Education
The school must maintain a register of all students attending the school and must also maintain a
record of attendance and non- attendance at the school on each school day. (Education Welfare Act
It is understood that the Freedom of Information Act (1997) does not currently apply to schools.
Aims of this Policy
The objectives of developing this policy include the following:
To ensure that the school complies with the Data Protection Acts 1988 and 2003.
To ensure compliance by the school with the eight rules of data protection as set down by
the Data Protection Commissioner based on the Acts (see below).
To ensure that the data protection rights of students, staff and other members of the school
community are safeguarded.
To provide clarity to all interested parties re the data protection protocols of the school.
Transfer of Personal Data
The data controller, (normally the Principal of the school or another person designated by the
Principal or Chairperson of the Board) may supply data kept by him/her, or information extracted
from such data, to the data controller of another prescribed body if satisfied it will be used for a
relevant purpose only.
Examples of this are as follows:
The school may supply information to secondary schools into which pupils are enrolled regarding
their performance in standardised tests. The NCCA designed Education Passport is now mandatory
for schools to use as they transfer from primary to secondary.
Information required by other government bodies so that resources may be obtained for use by
children with Special Educational Needs e.g. National Council for Special Education (N.C.S.E.) or
National Education Psychological Service (N.E.P.S.).
The Department of Education and Skills.
Information regarding attendance/non-Attendance of pupils may be given to TUSLA /
National Education Welfare Board (NEWB).
The Health Service Executive (H.S.E).
Child and Family Services such as CAMHS and the H.S.E.
The policy content is divided into two sections as follows:
Details of all personal data which will be held, the format in which it will be held and the
purpose(s) for collecting the data in each case.
Details of the arrangements in place to ensure compliance with the eight rules of data protection.
Name, address and contact details.
Original records of application and appointment.
Record of appointments to promoted posts.
Details of approved absences (career breaks, parental leave, study leave etc.).
Details of work record (qualifications, classes taught, subjects etc.).
Details of any accidents /injuries sustained on school property or in connection with the staff
member carrying out their duties.
Records of any reports the school have made in respect of the staff member to the state
department and/or other agencies under mandatory reporting legislation and or Child Safe-
Guarding Guidelines which are subject to the DES Child Protection Procedures.
Details of complaints and/or grievances including consultations or competency discussions,
action/improvement/evaluation plans and record of progress.
Note: a record of grievances may be maintained in a format which is distinct from and separate to
individual personnel files.
Staff records are kept for the following purposes:
The management and administration of school business (now and in the future).
to facilitate the payment of staff, and calculate other benefits/ entitlements (including
reckonable service for the purpose of calculation of pension payments, entitlements and/or
redundancy payments where relevant).
to facilitate pension payments in the future.
human resources management.
recording promotions made (documentation relating to promotions applied for) and
changes in responsibilities etc.
to enable the school to comply with its obligations as an employer including the
preservation of a safe, efficient working and teaching environment (including complying with
its responsibilities under the Safety, Health and Welfare At Work Act. 2005).
to enable the school to comply with requirements set down by the Department of Education
and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA,
the HSE, and any other governmental, statutory and/or regulatory departments and/or
agencies for compliance with legislation relevant to the school.
In a secure, locked filing cabinet and on the administration laptops /computers in the office.
These records are kept as manual records in a secure /lockable filing cabinet in the Principal’s office
that only personnel who are authorised to use the data can access. Employees are required to
maintain the confidentiality of any data to which they have access. Some information is also stored
on the office computers which are password protected and have firewall software such as Norton
installed or downloaded. Such protective software is regularly updated. Information is also regularly
Each staff member has a personal file maintained in a locked filing cabinet in the office. Personal
Contact details, PPS numbers, class records, duty lists and reports are stored on the office/Principal’s
computer and in the cloud by Aladdin Systems. The School Accounting.ie system is used to facilitate
the payment of ancillary staff and payments for extracurricular actitivies or visiting teachers.
Records of promotions, career breaks, leave taken, illness etc, is available through the Department
of Education and Skills On line Claims System (OLCS/Esinet).
These may include:
Information which may be sought and recorded at enrolment, and which may be collated
and compiled during the course of the student’s time in the school including: name, address
and contact details, PPS number, names and addresses of parents/guardians and their
records of relevant special conditions (e.g. special educational needs, health issues/ care
orders/custody arrangements etc.) which may apply.
H.S.E. Early intervention reports, psychological/ psychiatric and /or medical assessments
Information on previous academic record.
School relevant medical records.
Photographs and recorded images of students.
Attendance Records, class roll books/ Aladdin System/ Registers
Academic record – subjects studied, test results as recorded on official school reports.
Records of significant achievements.
Records of exemptions from Irish (letter of application from parents, copy of certificate
granted, record on Aladdin).
Records of disciplinary issues and/or sanctions imposed.
Serious Injuries and accident reports.
Records of reports the school or its employees have made in respect of a student to State
departments and or other agencies under mandatory reporting legislation and/ or child safe
Records of meetings with Parents as part of the complaint’s procedures.
Permission slips e.g. AUP policy/school tours etc.
The information on students is stored in two formats: both manual files containing hard copy of
forms signed etc. and on computer files backed up and stored via the Aladdin system or on the office
The purpose for keeping student records includes the following:
to enable each student to develop his/her full potential.
to comply with legislative and administrative requirements.
to ensure that eligible students can benefit from the relevant additional teaching / resource/
to support the provision of support teaching.
to support the provision of religious instruction and sacramental preparation.
to ensure that the student fulfils the criteria for the exemption from Irish.
to enable parent/guardians to be contacted in the case of emergency/ school closure etc.
to ensure that the pupil meets the school’s admission criteria.
to maintain a record of the student’s progress through school.
to maintain accurate accident/incident reports.
to communicate clearly with all educational partners.
to support medical/special needs conditions within the school environment.
photographs and recorded images of students are taken to celebrate school achievements,
compile yearbooks, establish a school website, record school events, and to keep a record of
the history of the school. Such records are taken and used in accordance with the school’s
photography policy ie: parents need to give consent for photographs to be used.
to furnish documentation/ information about the student to the Department of Education
and Skills, the National Council for Special Education, TUSLA, and other Schools etc. in
compliance with law and directions issued by government departments.
to furnish, when requested by the student (or their parents/guardians in the case of a
student under 18 years) documentation/information/ references to third-level educational
institutions and/or prospective employers.
Location: Records are kept in a secure, locked filing cabinet that only personnel who are authorised
to use the data can access. Additional Information is also stored on the Aladdin data system.
Teachers have access via Aladdin to their own class data only. Employees are required to maintain
the confidentiality of any data to which they have access. Confidential reports, child protection
report forms, Continuum of Support documents are password controlled within the Aladdin system.
Board of Management records maintained include:
Name, address and contact details of each member of the Board of Management.
Records in relation to appointments to the board.
Minutes of board of management meetings.
Financial statements/ audits and certification of accounts.
Record of how funding from the DES is managed.
Correspondence to the board.
The purpose for keeping Board of Management records include:
A record of board appointments.
A record of how legislative requirements are carried out.
A record of staff appointments.
Documenting decisions made by the board.
A record of how enrolment to the school is managed.
A record of the financial management of the school.
A record of the development of the school.
A record of how health and safety issues within the school are managed.
A record of policy development within the school.
A record of insurance cover and related issues.
A record of capital development and building/grounds maintenance.
Documentation relating to grievance and disciplinary procedures.
Other Information that may be retained by the school includes:
The school will hold other records relating to individuals. The format in which these records will be
kept are manual record (personal file within a relevant filing system), and/or computer record
(database). Some examples of the type of other records which the school will hold are set out below
(this list is not exhaustive):
Categories of data:
The school may hold some or all of the following information about creditors (some of whom are
Name, address, contact details, PPS number
Tax details, bank details and amount paid.
Purpose: This information is required for routine management and administration of the school’s
financial accounts and complying with audits and investigations by the Revenue Commissioners.
Location: In a secure, locked office that only personnel who are authorised to use the data can
access. Employees are required to maintain the confidentiality of any data to which they have
access. We use on-line banking in the school where possible so much of this detail is stored on this
system. This is regulated by AIB online banking regulations.
Categories: CCTV is installed in the schools, externally i.e. perimeter walls/fencing and internally as
detailed in the CCTV Policy. These CCTV systems may record images of staff, students and members
of the public who visit the premises.
Purposes: Safety and security of staff, students and visitors and to safeguard school property
Location: Cameras are located externally and internally as detailed in the CCTV Policy.
Recording equipment is located in the reception office of school.
Security: Access to images/recordings is restricted to the principal & deputy principal of the
school. Tapes, DVDs, hard disk recordings are retained for 28 days, except if required for the
investigation of an incident (eg: vandalism, break-in). Images/recordings may be viewed or
made available to An Garda Síochána pursuant to section 8 Data Protection Acts 1988 and
Garda Vetting Information
All adults working with children in any capacity within the school must be Garda vetted. Completed
vetting forms are sent to the Education Secretariat in Archbishop’s House and the results of vetting
process are stored manually in a locked filing cabinet in the Principal’s office to which only
authorised personnel may have access. Teachers are vetted through the Teaching Council and the
vetting outcome is available through the Digitary Core which is password controlled by each
Rules of Data Protection
All personal data records held by the school are obtained, processed, used and retained in
accordance with the following eight rules of data protection based on the Data Protection Acts.
Obtain and process information fairly.
Keep it only for one or more specified, explicit and lawful purposes.
Use and disclose it only in ways compatible with these purposes.
Keep it safe and secure.
Keep it accurate, complete and up-to-date.
Ensure that it is adequate, relevant and not excessive.
Retain it for no longer than is necessary for the purpose or purposes.
Give a copy of his/her personal data to that individual on request.
The minimum age at which consent can be legitimately obtained for processing and disclosure of
personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However,
guidance material published on the Data Protection Commissioner’s website states the following:
“As a general rule in the area of education, a student aged eighteen or older may give consent
themselves. A student aged from twelve up to and including seventeen should give consent
themselves and, in addition, consent should also be obtained from the student’s parent or guardian.
In the case of students under the age of twelve consent of a parent or guardian will suffice.”
Appendix 1 has our data protection statement which is included with relevant forms when personal
information is being requested.
Note: The statute of limitations in relation to personal injuries is currently two years. The limitation
period for other causes of action varies, but in most cases is not greater than six years. A limitation
period does not begin to run until the person concerned acquires knowledge of the facts giving rise
to the claim. In the case of minors, the limitation period does not begin to run until they reach their
18th birthday or later if the date of knowledge postdates their 18th birthday. The school adheres to
the retention schedule for schools which has been supplied via the Catholic Primary Schools
Links to other Policies and to Curriculum Delivery
Relevant school policies already in place or being developed or reviewed, are examined with
reference to the data protection policy and any implications which it has for them shall be
addressed. The following policies may be among those considered:
Child Protection Policy
Code of Behaviour, including Mobile Phone Code
Substance Use/ Misuse Policy
ICT Acceptable Use Policy
Data in this school will be processed in line with the data subjects’ rights. Data subjects have a right
Request access to any data held about them by a data controller.
Prevent the processing of their data for direct-marketing purposes.
Ask to have inaccurate data amended.
Prevent processing that is likely to cause damage or distress to themselves or anyone else.
Dealing with Data Access Requests Under Section 3 of the Data Protection Acts, an individual
has the right to be informed whether the school holds data/information about them and to
be given a description of the data together with details of the purposes for which their data
is being kept. The individual must make this request in writing and the data controller will
accede to the request within 21 days.
Individuals are entitled to a copy of their personal data on written request.
The individual is entitled to a copy of their personal data (subject to some exemptions and
prohibitions set down in Section 5 of the Data Protection Act).
Request must be responded to within 40 days.
Fee may apply but cannot exceed €6.35.
Where a subsequent or similar request is made soon after a request has just been dealt
with, it is at the discretion of the school as data controller to comply with the second
request (no time limit but reasonable interval from the date of compliance with the last
access request.) This will be determined on a case-by-case basis.
No personal data can be supplied relating to another individual unless that third party has
consented to the disclosure of their data to the applicant. Data will be carefully redacted to
omit references to any other individual and only where it has not been possible to redact the
data to ensure that the third party is not identifiable would the school refuse to furnish the
data to the applicant.
Providing Information over the Phone
In our school, any employee dealing with telephone enquiries is careful about disclosing any
personal information held by the school over the phone. In particular the employee will:
Check the identity of the caller to ensure that information is only given to a person who is
entitled to that information.
Suggest that the caller put their request in writing if the employee is not sure about the
identity of the caller and in circumstances where the identity of the caller cannot be verified.
Refer the request to the Principal for assistance in difficult situations. No employee should
feel forced into disclosing personal information.
Implementation Roles and Responsibilities
In our school the Board of Management is the data controller and the Principal will be assigned the
role of co-ordinating implementation of this Data Protection Policy, and for ensuring that staff who
handle or have access to Personal Data are familiar with their data protection responsibilities. The
following personnel have responsibility for implementing the Data Protection Policy:
Ratification and Communication
This Data Protection Policy has been ratified by the Board of Management of St. Joseph’s National
Parents/guardians and students will be informed of the Data Protection Policy at the time of
enrolment of the student (by inclusion of a statement…see Appendix1).
The policy will be available via the school’s website.
Monitoring the Implementation of the Policy
The implementation of the policy shall be monitored by the Principal. At least one annual report
shall be issued to the board of management to confirm that the actions/measures set down under
the policy are being implemented.
Reviewing and evaluating the policy
The policy should be reviewed and evaluated as the need arises but at least every second year. On-
going review and evaluation will take cognisance of changing information or guidelines (e.g. from the
Data Protection Commissioner, Department of Education and Skills), legislation and feedback from
parents/guardians, students, school staff and others.
The policy should be revised as necessary in the light of such review and evaluation and within the
framework of school planning.
Data Protection Statement for inclusion on relevant forms when personal information is being
The information collected on this form will be held by St. Mary’s National School in manual and in
electronic format. The information will be processed in accordance with the Data Protection Act,
1988 and the Data Protection (Amendment) Act, 2003.
The purpose of holding this information is for administration needs and to facilitate the school in
meeting the student’s educational needs and legal commitments etc.
Disclosure of any of this information to statutory bodies such as the Department of Education and
Skills or its agencies will take place only in accordance with legislation or regulatory requirements.
Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school
wishes to disclose this information to a third party for any other reason.
Parents/Guardians of students and students aged 18 or over have a right to access the personal data
held on them by the school and to correct it if necessary.
I consent to the use of the information supplied as described.
Tel: (091) 638171 Email: firstname.lastname@example.org
Fax No: (091) 638171 Web: www.kinvarans.ie