Privacy Notice

General Data Protection Regulations 2018

We, Verulam School, are a data controller for the purposes of the General Data Protection Regulations (GDPR).

Why do we collect and use student information?

Under Article 6 of the General Data Protection Regulation (GDPR), we collect and use information because we are legally required to collect some information about students and staff and we need to process this information due to our legal obligation to provide an education to our students. In addition, due to the safeguarding requirements of our school, we also collect information for the reason of vital interest: the processing is necessary to protect someone’s life, which includes CCTV footage. In the case of suppliers, we collect information based on a contract.

Under Article 6 and Article 9 of GDPR, where the above lawful basis does not allow us to collect essential personal information, we will use explicit consent or because the processing is necessary to protect the vital interests of the data subject.

We may receive information about them from their previous school, the Department for Education (DfE) and Hertfordshire County Council & Herts for Learning. We hold this personal data to:

  • support our students’ learning
  • monitor and report on student progress
  • provide appropriate pastoral care
  • assess the quality of our services
  • keep our students and staff safe
  • comply with the law regarding data sharing

The categories of student information that we collect, hold and share include:

Personal details (such as name, Unique Pupil Number and address), national curriculum assessment results, attendance information (such as sessions attended, number of absences and absence reasons), any exclusion information, where they go after they leave us, personal characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility), any special educational needs they may have as well as relevant medical information. CCTV is used for safeguarding purposes.

Collecting student information

Whilst the majority of student information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain student information to us or if you have a choice in this.

Storing data

We hold student data for up to two years after students leave us unless we are required by law to hold it for a longer period (SEN information for example). An annual sweep of the school network will be used to ensure that such data is protected and removed from general access where appropriate.

Data is backed up onsite daily. Data held in financial software (excludes student data) is held remotely in ‘the cloud’ with GDPR compliant companies.

Please refer to the school eSafety and Data Protection Policy regarding the creation and use of images/sound and video.

Data Retention

We this data until our students reach 25 years of age, or 30 years of age in the case of SEN students. Data will be securely deleted in the academic year of their 25th or 30th birthday.

Who do we share pupil information with?

We will not give information about you or your child to anyone without your consent unless the law and our policies allow us to.

Where our school is involved in collaborative delivery with other schools and learning providers, student information may also be shared to aid the preparation of learning plans and the use of data to achieve the objectives identified above or with schools that the student attends after leaving us. We need to share information, on occasion with Virtual Schools, Education Psychologist, transfer schools, Social Services Assessment Team, Children’s Services, local authority support services and other health related assessments including disability allowance paperwork. We are required, by law, to share some information about you to the Department for Education (DfE). This information will, in turn, then be made available for the use by the Local Authority. Additionally, the curriculum may require the use of third party web-based learning platforms, only if GDPR compliant.

Why we share student information

We are required to share information about our students with the (DfE) under regulation 4 and 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to

If you need more information about how our local authority and/or DfE collect and use your information, please visit:

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about students in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our students to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the student information we share with the department, for the purpose of data collections, go to

To find out more about the NPD, go to

The department may share information about our students from the NPD with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested: and
  • the arrangements in place to store and handle the data

To be granted access to student information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

For information about which organisations the department has provided student information, (and for which project), please visit the following website:

To contact DfE:

Requesting access to your personal data

Under data protection legislation, parents and students (13+) have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact the school office or email the Data Protection Officer:

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations


Our website uses Cookies to track visits to our site but we do not use it to identify you or for marketing purposes. You do not have to use our website as the information can be provided to you by the school office at your request.


If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at

If a student (13+) wishes to access their personal data, or parent wishes to do so on their behalf, please contact the relevant organisation:

  • Verulam School, Brampton Road, St Albans, Hertfordshire AL1 4PR

Data Protection Officer at

  • LA’s Data Protection Office: Information Governance Unit, Room C1, County Hall, Pegs Lane, Hertford, SG13 8DQ, email:
  • QCA’s Data Protection Officer: 83 Piccadilly, London, W1J 8QA
  • DfE’s Data Protection Office Caxton House, Tothill St, London, SW1H 9NA
  • Ofsted Data Protection Office: Alexandra House, 33 Kingsway, London, WC2B 6SE

GDPR Policy

The Alban Academies Trust GDPR Policy can be read in full here.

This policy will be reviewed in full by the Governing Body every two years.