Welcome to our Data Privacy and COVID Notice


Our school aims to ensure that all data collected about staff, pupils, parents and visitors is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) that came into force in May 2018.

This policy applies to all data, regardless of whether it is in paper or electronic format.

Legislation and Guidance

This policy meets the requirements of GDPR, and is based on guidance published by the Information Commissioner’s Office and model privacy notices published by the Department for Education.


Term Definition
Personal Data Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified
Sensitive Personal Data Data such as:

·       Contact details

·       Racial or ethnic origin

·       Political opinions

·       Religious beliefs, or beliefs of a similar nature

·       Where a person is a member of a trade union

·       Physical and mental health

·       Sexual orientation

·       Whether a person has committed, or is alleged to have committed, an offence

·       Criminal convictions


Processing Obtaining, recording or holding data
Data Subject The person whose personal data is held or processed
Data Controller A person or organisation that determines the purposes for which, and the manner in which, personal data is processed
Data Processor A person, other than an employee of the data controller, who processes their data


The Data Controller

Our school processes personal information relating to pupils, staff and visitors, and, therefore, is a data controller.

Data Protection Principles

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary
  • processed in a manner that ensures appropriate security of the personal data

Roles and Responsibilities

The governing board has overall responsibility for ensuring that the school complies with its obligations.  Day-to-day responsibilities rest with the headteacher, or the deputy headteacher.  The headteacher will ensure that all staff are aware of their data protection obligations, and oversee any queries related to the storing or processing of personal data. It is a legal requirement to appoint an independent Data Protection Officer. Lynette Cox has been appointed and is contactable via email Lynette.cox@e2e-education.co.uk.

Staff are responsible for ensuring that they collect and store any personal data in accordance with this policy.

Privacy/Fair Processing Notice

Pupils and Parents

We hold personal data about pupils to support teaching and learning, to provide pastoral care and to assess how the school is performing. We may also receive data about pupils from other organisations including, but not limited to, other schools, local authorities and the Department for Education.

This data includes, but is not restricted to:


  • Contact details
  • Results of internal assessment and externally set tests
  • Data on pupil characteristics, such as ethnic group or special educational needs
  • Exclusion information
  • Details of any medical conditions


We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.

We will not share information about pupils with anyone without consent unless the law and our policies allow us to do so. Individuals who wish to receive a copy of the information that we hold about them/their child should make their request in writing to the Head Teacher.

We are required, by law, to pass certain information about pupils to specified external bodies, such as our local authority and the Department for Education, so that they are able to meet their statutory obligations.

Data Storage and Security

Paper based records, digital records and portable electronic devices, such as laptops and hard drives that contain personal information, are compliant with GDPR and are regularly assessed by our DPO.  Destruction and archiving of Personal Data procedures are also aligned to GDPR.


COVID – 19

 Ysgol Golftyn is required to maintain class/bubble lists in response to the Covid-19 health emergency. The lists contain each pupil’s name, date of birth and address, along with the parents/guardian’s name, telephone number, address(es) and contact email. The processing of the class/bubble lists is necessary as part of our public task as set out in the Operational Public Health Advice Note for Welsh Government on the investigation and management of clusters and incidents of COVID-19 in educational and childcare settings.

Ysgol Golftyn will retain your data for as long as the child remains a pupil within the school or until the pandemic ends, whichever is sooner.

In the event of a positive Covid-19 case within the school, the class/bubble list will be shared with NHS Wales Test, Trace, Protect.


If you feel that Ysgol Golftyn has mishandled your or your child’s personal data at any time you can make a complaint to the Head Teacher by emailing gomail@hwbcymru.net by or phoning 01244 830569. For further information on our complaints procedure please follow this link http://golftyncp.wales/school-policies/complaints-policy-for-golftyn-cp-school/


Alternatively, you can contact our DPO to make a complaint, email lynette.cox@e2e-education.co.uk or contact the Information Commissioners Office by visiting their website (https://ico.org.uk/make-a-complaint/) or by calling their helpline on 0303 123 1113.


For further information about how Ysgol Golftyn processes personal data and your rights please see our privacy notice included in this document.