The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to individuals whose data is held by an organisation (data subjects). These rules are more detailed and specific than those in the Data Protection Act and place an emphasis on providing privacy information that is both clear and understandable to data subjects. Organisations are expected to take ‘appropriate measures’ to ensure that this is the case.
The GDPR says that the information provided to data subjects about how their personal data is processed must be:
concise, transparent, intelligible and easily accessible;
written in clear and plain language, particularly if addressed to a child; and
free of charge.
Accordingly, the School, as a data controller, has produced:
a comprehensive, overarching privacy notice which deals with its detailed privacy responsibilities, and
summary privacy notices for each of the principal data subject groups with whom it deals, including parents, pupils over the age of 13, staff, governors and alumni.