Data Protection

The UK General Data Protection Regulation (GDPR) is designed to protect and empower British citizens with regard to their data privacy, and places greater obligations and sanctions on organisations that process for example obtain, use, store, share and destroy, personal data.

This new legislation is the biggest change in data privacy legislation in 20 years. Although the Information Commissioner (the UK Data Protection Regulator) has stated it is an “evolution…not a revolution” of our current data protection laws, it does still create significant burdens (resources and financial) on schools requiring them to overhaul their existing practices for handling personal data about pupils, parents and carers, staff, governors in order to be compliant.

GDPR

GDPR for schools is the application of the General Data Protection Regulation, a law that requires educational institutions to protect the personal data of students, staff, and their families. It mandates that schools must handle, store, and share data responsibly, transparently, and securely, with strict rules for consent, and requires reporting data breaches to the Information Commissioner's Office (ICO) within 72 hours. This ensures individual privacy and can prevent heavy fines and reputational damage for non-compliance. 

Privacy Notices

We have four privacy notices: pupils, employees, governors/trustees and suppliers, contractors and volunteers.

• ELAN Privacy Notice - Employees V6 0 2025-26
• ELAN Privacy Notice - Governors and Trustees V6 0 2025-26
• ELAN Privacy Notice - Pupils V6 0 2025-26
• ELAN Privacy Notice - Suppliers Contractors and Volunteers V6 0 2025-26