Skip to content ↓

Ysgol Ty Coch School

Dysgu Gyda'n Gilydd


General Data Protection Regulation (GDPR) Policy

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.

Ysgol Ty Coch (including BYC) collects and uses personal information about staff, pupils, parents and other individuals who come in contact with the school. The information is gathered in order to enable the school to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure the school complies with its statutory obligations.

The school has a duty to inform individuals including parents and pupils of the information that it holds. This policy document should summarise why the data is held and any other parties to whom this information may be passed on to.


This policy is intended to ensure that personal information is dealt with correctly and securely in line with General Data Protection Regulations (GDPR). It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed and irrespective of what it is held in paper files or electronically. This policy should be read in conjunction with the following policies/documents

  • Online Safety Policy (including Bring your own device/working from home policy and acceptable use agreements
  • Social Media Policy
  • Data processing mapping exercise
  • GDPR compliance baseline
  • CCTV Policy

Our Commitment:

Ysgol Ty Coch is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the General Data Protection Regulations.

Legal Basis

Changes to data protection legislation (GDPR May 2018) shall be monitored and implemented in order to remain compliant with all requirements. The legal bases for processing data are as follows:

  • You must have a valid lawful basis in order to process personal data.
  • There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
  • Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.    
  • You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
  • If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
  • If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data

Please see GDPR Privacy Notice for Pupil Information at the bottom of this page for you to read.

Personal and Sensitive Data:

  • The school has a data map which details all data in use across the school. All data within the school’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.

  • Personal data only includes information relating to natural persons who:
    • can be identified or who are identifiable, directly from the information in question; or
    • who can be indirectly identified from that information in combination with other information
  • The principles of GDPR shall be applied to all data processed and are underpinned by 7 enforceable principles: The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Roles and Responsibilities

The members of staff responsible for data protection are:

  • Julia Render – Senior Data Protection Coordinator
  • David Jenkins – Headteacher
  • Lyn Bundy – School Office Manager
  • Clare Williams –BYC Clerk
  • Ashlie Holland – Online Safety Coordinator
  • Chair of Governors – Janice Stuckey

Subject Access Requests:

All individuals whose data is held by us, has a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to:

David Jenkins, Headteacher, Ysgol Ty Coch

Lansdale Drive


CF38 1PG