This General Data Protection Regulation (“GDPR”) Policy applies to the personal data held by Saint Patrick’s Boys’ National School Hollypark (referred to hereafter as “the school”). The school takes its responsibilities under data protection law very seriously and is committed to fairness and transparency for all data processing activities which are undertaken. This GDPR Policy explains what data is collected by the school, why it is collected, for how long it will be stored, with whom it will be shared and how to access your data.
Data Protection Officer
A Data Protection Officer (“DPO”) has been appointed by the Board of Management of the school and acts as a representative for the school regarding its responsibilities as a data controller. Their role is to oversee and monitor the school’s data protection procedures and to ensure they are compliant with the GDPR. The DPO can be contacted at email@example.com.
Who processes your information?
The school is the data controller of the personal information you provide to us. This means the school determines the purposes for which, and the way any personal data relating to pupils and their families is to be processed.
What information does the school collect?
Where the school refers to “your information” this refers to information related to both pupils and their families. The categories of information that the school collects, holds and shares include the following:
- Pupil’s personal information e.g., names, pupil numbers and addresses, PPS numbers;
- Parent personal information e.g., names and contact details of parents;
- Characteristics e.g., ethnicity, language, nationality, country of birth, etc.;
- Attendance information e.g., number of absences and absence reasons;
- Assessment information e.g., national curriculum assessment results; school assessment information;
- Educational planning information e.g., Individual education plans, assessment reports, pupil support files;
- Relevant medical information;
- Other medical records e.g., records of any serious injuries/accidents;
- Behavioural / disciplinary information;
- Records of any reports the school may have made in respect of the student to State departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the school’s Child Protection Policy and Procedures).
Why do we collect and use your information?
The school holds the legal right to collect and use personal data relating to pupils and their families, as well as receive information regarding them from the Department of Education. The various lawful basis for processing such information is detailed in Appendix A of this policy. The personal data of pupils and their families is collected by the school and used for the following reasons:
- To comply with legislative or administrative requirements;
- To ensure that the student meets the school’s admission criteria;
- To support pupil learning and enable each student to develop to their full potential;
- To monitor and report on pupil progress;
- To provide appropriate pastoral care
- To assess the quality of our service;
- To safeguard pupils;
- To enable Parents/Guardians to be contacted in the case of emergency or in the case of school closure or to inform parents of their child’s educational progress or to inform parents of school events etc.;
- To meet the educational, social, physical and emotional requirements of the student;
- To provide documentation/ information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and other schools etc. in compliance with law and directions issued by government departments
- To provide, when requested by the student (or their Parents/Guardians in the case of a student under 18 years) documentation/information/ references to second-level educational institutions (after enrolment).
Consent for non-mandatory processing
Whilst most of the personal data you provide to the school is mandatory, some is provided on a voluntary basis. When collecting data, the school will inform you whether you are required to provide this data or if your consent is needed.
Where consent is required, the school will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.
Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.
Information for which the school is NOT responsible:
The school is not responsible for and cannot take responsibility for the following types of school related information which is not directly processed by the school:
- Social media sites carrying information about, or photos of, school pupils with the exception of approved school activity related content.
- Any usage of references to the school on social media sites is not permitted by or endorsed by the school with the exception of approved school activity related content.
- Class representative communications (the school has no official class representative communications tools in use);
- Communication via these channels is at the sole discretion of those parents who wish to employ such tools.
Parents taking photos
- The school reminds parents, at appropriate times (e.g. Sports day) to always seek permission prior to taking of or posting photos/videos online or on social media during school related activities.
- Any sharing of images captured by parents who chose to ignore the above guidance is beyond the scope of the school's control.
Where we store your data
- All physical student records including Application/Enrolment Forms will be kept in secure, locked filing cabinets that only personnel who are authorised to use the data can access.
- Student attendance records, standardised test results, and end of year reports are kept on the Aladdin System and only personnel who are authorised to use the data can access it.
- Employees are required to maintain the confidentiality of any data to which they have access.
Photographs taken by the school during school related activities
Photographs and recorded images of students are taken to celebrate school achievements, compile yearbooks, establish a school website, record school events, and to keep a record of the history of the school. Such records are taken and used in accordance with the school’s Acceptable Use of Technology policy. Parental consent will be requested upon acceptance of a place for a pupil in Saint Patrick’s Boys’ National School Hollypark.
How long is your data stored for?
Personal data relating to pupils at the school and their families is stored in line with the school’s GDPR Data Protection Policy. The school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected and in line with our statutory requirements.
Will my information be shared?
While the information provided will generally be treated as private to the school and will be collected and used in compliance with the GDPR, from time to time it may be necessary for us to transfer your personal data on a private basis to other bodies. This may include:
- Department of Education & Skills;
- Department of Social Protection;
- An Garda Síochána;
- Health Service Executive;
- Tusla (CFA);
- Social workers or medical practitioners;
- National Educational Welfare Board;
- National Council for Special Education;
- Special Education Needs Organiser;
- National Educational Psychological Service;
- To another school (where a student is transferring).
The above information sharing is required on a statutory basis. Details of those circumstances are included at Appendix A.
Please be aware that CCTV is installed at the front of the school. This CCTV system may record images of staff, students and members of the public who visit the premises.
CCTV is implemented to support the safety and security of staff, students and visitors and to safeguard school property and equipment.
What are your rights?
Parents and pupils have the following rights in relation to the processing of their personal data. You have the right to:
- Be informed about how the school uses your personal data;
- Request access to the personal data that the school holds;
- Request that your personal data is amended if it is inaccurate or incomplete;
- Portability of your data (should a child transfer to another school);
- Request that your personal data is erased where there is no compelling reason for its continued processing;
- Request that the processing of your data is restricted;
- Object to your personal data being processed.
If you would like to exercise your rights, the DPO can be contacted at firstname.lastname@example.org to make such a request. Your requests will be responded to within the following timeframes:
- Within the school year (September to June): 30 days
- Outside the school year (July to August): 90 days
Subject Access Request
A subject access request is defined as a request for all of the information held by the school in relation to a student. A Parent/Guardian may make a subject access request to the school at any time during the period of the student’s attendance in school.
How to raise a concern
If you would like to raise a concern with the school directly the DPO can be contacted at email@example.com.
If you have a concern about the way the school or the Department of Education is collecting or using your personal data, you can raise a concern with the Office of the Data Protection Commissioner (“ODPC”). The ODPC can be contacted at firstname.lastname@example.org.
This notice will be reviewed regularly according to the ongoing schedule of review of school policies.
Review may commence earlier in the light of guidelines (e.g. from the ODPC, Department of Education, legislation and feedback from Parents/Guardians, pupils, school staff and others.
Appendix A – Lawful Basis for Processing the above information
- We collect and use the personal data of pupils and their families in order to meet legal requirements and legitimate interests set out in the GDPR and Irish law, including (but not limited to) the following:
- Article 6 and Article 9 of the GDPR
- -Under Section 20 of the Education (Welfare) Act, 2000, the school must maintain a register of all students attending the school
- Under Section 9(g) of the Education Act, 1998, the parents of a student, or a student who has reached the age of 18 years, must be given access to records kept by the school relating to the progress of the student in their education
- Under section 20(5) of the Education (Welfare) Act, 2000, a Principal is obliged to notify certain information relating to the child’s attendance in school and other matters relating to the child’s educational progress to the Principal of another school to which a student is transferring
- Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day
- Under Section 28 of the Education (Welfare) Act, 2000, the school may supply Personal Data kept by it to certain prescribed bodies (the Department of Education and Skills, the National Education Welfare Board, the National Council for Special Education, Túsla other schools, other centres of education) provided the School is satisfied that it will be used for a “relevant purpose” (which includes recording a person’s educational or training history or monitoring their educational or training progress in order to ascertain how best they may be assisted in availing of educational or training opportunities or in developing their educational potential; or for carrying out research into examinations, participation in education and the general effectiveness of education or training)
- Under Section 14 of the Education for Persons with Special Educational Needs Act, 2004, the school is required to furnish to the National Council for Special Education (and its employees, which would include Special Educational Needs Organisers (“SENOs”) such information as the Council may from time-to-time request.
- The Freedom of Information Act 1997 provides a qualified right to access information held by public bodies which does not necessarily have to be “personal data” as with data protection legislation. While schools are not currently subject to freedom of information legislation, if a school has furnished information to a body covered by the Freedom of Information Act (such as the Department of Education and Skills, etc.) these records could be disclosed if a request is made to that body
- Under Section 26(4) of the Health Act, 1947 a school shall cause all reasonable facilities (including facilities for obtaining names and addresses of pupils attending the school) to be given to a health authority who has served a notice on it of medical inspection, e.g. a dental inspection
- Under Children First: National Guidance for the Protection and Welfare of Children (2011) published by the Department of Children & Youth Affairs, schools, their boards of management and their staff have responsibilities to report child abuse or neglect to TUSLA – Child and Family Agency (or in the event of an emergency and the unavailability of TUSLA, to An Garda Síochána.
Ratified on: 5.10.2023
Review of Policy: October 2025