Data Protection Policy 


School of Coding collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations. 

Schools have a duty to be registered, as Data Controllers, with the Information Commissioner’s Office (ICO) detailing the information held and its use. These details are then available on the ICO’s website. Schools also have a duty to issue a Privacy Notice to all pupils/parents, which summarises the information held on living individuals, why it is held and the other parties to whom it may be passed on. 

The members of staff responsible for data protection are Mr M Athwal, Director.  However, all staff must treat all information in a confidential manner and follow the guidelines as set out in this document.

The school is also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided to them. The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services within the school. 



This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 2018, General Data Protection Regulations (GDPR) 2016, and other related legislation. It will apply the requirements to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. 

All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines. 


What is Personal Information? 

Personal information or data is defined as data which relates to a living individual who can be identified from that data, or other information held. 


Data Protection Principles 

School of Coding will collect and process personal data in compliance with the data protection principles under Article 5 of the GDPR. This means personal data shall be:  

  • Processed lawfully, fairly and in a transparent manner – we evidence and explain what is being collected, why is it being collected, and how will it be used, who will it be shared with. We do this through the school privacy notice.   
  • Collected for specific, explicit and legitimate purposes – we will collect data for a legitimate purpose only.  
  • Adequate, relevant and limited – we will only collect what is needed and nothing more 
  • Accurate and kept up-to-date – We will ensure data is accurate and is kept up-to date  
  • Storage Limitation – We will only keep data for as long as is necessary and in accordance with relevant legislation. How we do this can be found on the school retention policy   
  • Security of information processed – the school will protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.  

School of Coding also recognises the rights of individuals in respect of information the school holds about them. Any requests to recognise these rights will be fully considered and evaluated so that the individual can be informed whether they can/cannot exercise the rights under their particular circumstances. These rights are:  

  • Right to be Informed – about how their data is being used 
  • Right of Access – to be able to access their data 
  • Right to Rectification – right to correct information about them that is incorrect 
  • Right to Erasure – to have their data erased when they no longer want it to be used 
  • Right to Restrict Processing – to restrict how their data is used 
  • Right to Data Portability – to move their data from one organisation to another 
  • Right to Object – to object to their data being used at all 
  • Right to Automated Decision making, including Profiling – sole automated decision making (where there is no human involvement) and profiling are restricted under the GDPR. The restriction can be lifted under three circumstances; (1) For a contractual basis; (2) For a legal basis; (3) based on individual’s explicit consent.  


Privacy Notice 

We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and pupils prior to the processing of individual’s data. Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. 

There may be circumstances where the school is required either by law or in the best interests of our students or staff to pass information onto external authorities, for example local authorities, Ofsted, Department of Education or the department of health. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect. The intention to share data relating to individuals to an organisation outside of our school shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.  

Any proposed change to the processing of individual’s data shall first be notified to them. Under no circumstances will the school disclose information or data: 

  • that would cause serious harm to the child or anyone else’s physical or mental health or condition  
  • indicating that the child is or has been subject to child abuse or may be at risk of it, where the disclosure would not be in the best interests of the child  
  • that would allow another person to be identified or identifies another person as the source, unless the person is an employee of the school or a local authority or has given consent, or it is reasonable in the circumstances to disclose the information without consent. The exemption from disclosure does not apply if the information can be edited so that the person’s name or identifying details are removed  

For full details of our privacy notice please click on the following link see our website 


Data Security 

In order to assure the protection of all data being processed and make informed decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them. Risk and impact assessments shall be conducted in accordance with guidance given by the ICO. Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance. The security arrangements of any organisation with which data is shared shall also be considered and where required these organisations shall provide evidence of the competence in the security of shared data. 


Subject Access Requests 

All individuals whose data is held by us, have a legal right to request access to such data or information about what is held. However, with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Director should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent an individual with parental responsibility or legal guardian shall make the decision on behalf of the child. The school is aware that in some cases it might not be appropriate to release the child’s information to the parents. The safety and wellbeing of the child will be the key determining factor in whether or not information can be disclosed. 

The GDPR allows exemptions as to the provision of some information, therefore all information will be reviewed prior to disclosure.   

No charge will be applied to process the request.  

To support subject access requests under the GDPR, requests: 

  • Should be in writing and be legible in order to correctly identify the requester. 
  • Must be specific with regards to records or data being requested in order to avoid excessive requests  
  • must follow the process of confirming identification 
  • must be made by the data subject or someone authorised to act on their behalf and • can be sent to/received by any part of the school 

Although we accept requests can be given verbally or via other mediums we will request that you please use and complete our form from the website to support this process and comply with the need to identify the requester and the data being requested. 

To be valid under the GDPR requests do not: 

  • have to be submitted on a specific form 
  • need to mention the GDPR of the term ‘subject access’   


Confirming Identity 

The school will take reasonable steps to confirm the identity of the requester. However the school will not make this identification process unnecessarily onerous and in cases where the requester is already known to the school (e.g. an existing member of staff, a known parent) formal identification will not be sought.  


Timing of Requests 

All requests will be responded to as promptly as possible, and in any event a response must be provided by no later than 1 month from the day of receipt, however the 1 month time limit will not commence until clarification of information and or identification is sought. Where the case is considered to be complex, the deadline can be extended to 60 days. The requestor should be kept informed of any delays.  


Access to Personal Data by an Authorised/ Legal Agent 

When an agent makes a request on behalf of a Data Subject, signed authorisation from the Data Subject will be required. The school may still check directly with the Data Subject whether he or she is happy with the agent receiving the personal data and should highlight the implications of the request. 

Any request received from an agent must be accompanied by signed Form of Authority [permission] from the Data Subject. No proof of identity for a Data Subject is required when the application comes from a professionally recognised agent such as Solicitor.  


Information Containing Third Party Data 

The school may refuse a subject access request where releasing that information would also involve disclosing information about another individual, except in cases where: 

  • That individual has consented to disclosure; or 
  • It is reasonable in all the circumstances to comply with the request without that individual’s consent. 

The school will seek to balance the rights of the requestor with the rights of the third party and only release information if, in all circumstances, it is reasonable to do so. 


Refusing a Request  

School of Coding uses the presumption of release as the starting point for all valid subject access requests. Where there is a legitimate reason why information should not be disclosed (e.g. the prevention or detection of crime) the applicant will be informed of the reasons why (except in circumstances where disclosure may prejudice the purpose of the exemption applied) and of their right to appeal. 


Amendments to Inaccurate Records 

The school acknowledges individual’s right to challenge the accuracy of the personal data held about them where they believe it to be inaccurate or misleading. Where information is found to be factually inaccurate it will be updated immediately, where there is dispute between the school and the data subject as to the accuracy of information, a note will be made on the record to that effect and both sets of information will be kept on the file. 


Objections to Processing 

Individuals have the right to request that the processing of information about them be restricted or ceased if they believe the information to be inaccurate or being held unnecessarily.  The school must investigate any such request and rectify if necessary.  The Data Subject should be informed before any restriction is lifted. 


Releasing personal information to prevent or detect crime 

It is school policy to cooperate wherever possible with requests for personal information for the prevention or detection of crime or identification or apprehension of suspects, but only after satisfactory checks have been completed to protect the rights of Data Subjects.  

Information will only be released where disclosure meets the criteria outlined in the GDPR 

Requests will only be considered from an agency with a crime or law enforcement function, including the Police, HMRC, The UK Border Agency, or the Benefit Fraud sections of DWP or other Local Authorities.  

Requests must be in writing and be clear on what is being asked for and why the release of the information is critical to the investigation.  

Only information directly relevant to the purpose stated will be released, and only the minimal possible to enable the law enforcement agency to do their job. The transfer of information will be via a secure channel (e.g. secure email or special delivery post). 


Sharing Personal Data with Third Parties 

Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child. Data may be disclosed to the following third parties without consent:  

  • Other schools  

If a pupil transfers from School of Coding to another school, their academic records and other data that relates to their health and welfare will be forwarded onto the new school. This will support a smooth transition from one school to the next and ensure that the child is provided for as is necessary. It will aid continuation which should ensure that there is minimal impact on the child’s academic progress as a result of the move.  

  • Examination authorities  

This may be for registration purposes, to allow the pupils at our school to sit examinations set by external exam bodies.  

  • Health authorities  

As obliged under health legislation, the school may pass on information regarding the health of children in the school to monitor and avoid the spread of contagious diseases in the interest of public health. 

  • Police and courts  

If a situation arises where a criminal investigation is being carried out we may have to forward information on to the police to aid their investigation. We will pass information onto courts as and when it is ordered.  

  • Social workers and support agencies  

In order to protect or maintain the welfare of our pupils, and in cases of child abuse, it may be necessary to pass personal data on to social workers or support agencies. 

  • Educational division  

Schools may be required to pass data on in order to help the government to monitor the national educational system and enforce laws relating to education. 

Subject access requests should be made in writing to: Director (Mandeep Athwal), The School of Coding, Pendeford Business Park, Wolverhampton, WV8 5HB. 



Complaints about the above procedures should be made to the Chairperson of the Governing Body who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school’s complaint procedure. 

Complaints which are not appropriate to be dealt with through the school’s complaint procedure can be dealt with by the schools Data Protection Officer.  Should you be dissatisfied with the response you receive from the schools Data Protection Officer. 


School of Coding Office

Newton Court


Pendeford Business Park 



Email Address – [email protected]

Telephone Numbers 

Calling from within the UK 01902 509209 


Photographs and Video  

Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school only.  

Unless prior consent from parents/pupils/staff has been given, the school shall not utilise such images for publication or communication to external sources.  

It is the school’s policy that external parties may not capture images of staff or pupils during such activities without prior consent. Parents are allowed to take photos of their child during such activities if it is only for their personal use. Where the image of another child is captured in the photo, it is prohibited for parents to make these public or post on social media.   


Data Disposal 

The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.  

All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.  

All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process. Please refer to our retention policy. Disposal of IT assets holding data shall be in compliance with ICO guidance. 



This policy will be reviewed as it is deemed appropriate, but no less frequently than every 2 years. The policy review will be undertaken by the Director, or nominated representative. 



If you have any enquires in relation to this policy, please contact the Director or Office to speak to a member of Staff.


This page was last updated on 12/05/2021