+353 (61) 397416 +353 (61) 397416

Data Protection Policy


St. Mary’s National  School’s data protection policy sets out in writing the manner in which personal data on Board of Management members, staff, students and parents is kept and how the data concerned is protected.

This policy was formulated with reference to:

  • New GDPR Procedures 25TH May 2018
  • A guide for Data Controllers- Data Protection Commissioner
  • The Data Protection Act 1988
  • The Data Protection ( Amendment) Act 2003
  • The Education Act 1998
  • Education Welfare Act 2000


The policy was formulated by the Principal and members of the Board of Management. This policy applies to the keeping and processing of personal data, both in manual form, on computer, and in the cloud and includes personal data on Board members, staff, parents and pupils of St. Mary’s National School. The school understands data to include any information that is kept relating to a living individual who is or can be identified from the data, or from the data in conjunction with other information that is in or is likely to come into the possession of the data controller. In order to properly understand the school’s obligations, there are some key terms which should be understood by all relevant parties.


Definition of Data Protection Terms

Data means information in a form that can be processed. It includes both automated data (e.g. electronic data) and manual data.

Automated data means any information on computer, or information recorded with the intention that it be processed by computer.

Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it form part of a relevant filing system.

Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily, quickly and easily accessible.

Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller i.e. the school.

Sensitive Personal Data refers to Personal Data regarding a person’s

  • racial or ethnic origin, political opinions or religious or philosophical beliefs
  • membership of a trade union
  • physical or mental health or condition or sexual life
  • commission or alleged commission of any offence or
  • any proceedings for an offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings, criminal convictions or the alleged commission of an offence.

Data Controller for the purpose of this policy is the Board of Management of St. Mary’s National School who delegate the responsibility for overseeing data protection on a day to day basis to the Principal.


To Whom this Policy Applies:

This policy applies to all school staff, the Board of Management, parents/guardians, students and others insofar as the measures in this policy relate to them.

St. Mary’s National  School understands that:

  • Schools are obliged to comply with the Data Protection Act (1988) and the Data Protection (Amendment) Act (2003).
  • Parents of students, and students that have reached their 18th birthday, must be given access to records kept by the school relating to the progress of the student in his/her education. (Education Act 1988).
  • The school must maintain a register of all students attending the school and must also maintain a record of attendance and non- attendance at the school on each school day. (Education Welfare Act 2000).
  • It is understood that the Freedom of Information Act (1997) does not currently apply to schools.


Aims of this Policy

The objectives of developing this policy include the following:

  1. To ensure that the school complies with the Data Protection Acts 1988 and 2003.
  2. To ensure compliance by the school with the eight rules of data protection as set down by the Data Protection Commissioner based on the Acts (see below).
  3. To ensure that the data protection rights of students, staff and other members of the school community are safeguarded.
  4. To provide clarity to all interested parties re the data protection protocols of the school.


Transfer of Personal Data

The data controller, (normally the Principal of the school or another person designated by the Principal or Chairperson of the Board) may supply data kept by him/her, or information extracted from such data, to the data controller of another prescribed body if satisfied it will be used for a relevant purpose only.


Examples of this are as follows:

  • The school may supply information to secondary schools into which pupils are enrolled regarding their performance in standardised tests. The NCCA designed Education Passport is now mandatory for schools to use as they transfer from primary to secondary.

Information required by other government bodies so that resources may be obtained for use by children with Special Educational Needs e.g. National Council for Special Education (N.C.S.E.) or National Education Psychological Service (N.E.P.S.).

  • The Department of Education and Skills.
  • Information regarding attendance/non Attendance of pupils may be given to TUSLA / National Education Welfare Board (NEWB).
  • The Health Service Executive (H.S.E).
  • Child and Family Services such as Lucena Services, CAMHS and the H.S.E.
  • The Gardaí.


The policy content is divided into two sections as follows:

  1. Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case.
  2. Details of the arrangements in place to ensure compliance with the eight rules of data protection.


Section A

The personal data records held by the school may include:

  • Staff Records
  • Name, address and contact details.
  • PPS number.
  • Original records of application and appointment.
  • Record of appointments to promoted posts.
  • Details of approved absences (career breaks, parental leave, study leave etc.).
  • Details of work record (qualifications, classes taught, subjects etc.).
  • Details of any accidents /injuries sustained on school property or in connection with the staff member carrying out their duties.
  • Records of any reports the school have made in respect of the staff member to the state department and/or other agencies under mandatory reporting legislation and or Child Safe-Guarding Guidelines which are subject to the DES Child Protection Procedures.
  • Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
  • Note: a record of grievances may be maintained in a format which is distinct from and separate to individual personnel files.



Staff records are kept for the following purposes:

  • The management and administration of school business (now and in the future).
  • to facilitate the payment of staff, and calculate other benefits/ entitlements (including reckonable service for the purpose of calculation of pension payments, entitlements and/or redundancy payments where relevant).
  • to facilitate pension payments in the future.
  • human resources management.
  • recording promotions made (documentation relating to promotions applied for) and changes in responsibilities etc.
  • to enable the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment (including complying with its responsibilities under the Safety, Health and Welfare At Work Act. 2005).
  • to enable the school to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies for compliance with legislation relevant to the school.



In a secure, locked filing cabinet and on the administration laptops /computers in the office.



These records are kept as manual records in a secure /lockable filing cabinet in the Principal’s office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Some information is also stored on the office computers which are password protected and have firewall software such as Norton installed or downloaded. Such protective software is regularly updated. Information is also regularly backed up.

Each staff member has a personal file maintained in a locked filing cabinet in the office. Personal Contact details, PPS numbers, class records, duty lists and reports are stored on the office/Principal’s computer and in the cloud by Aladdin Systems. The School system is used to facilitate the payment of ancillary staff and payments for extracurricular actitivies or visiting teachers.

Records of promotions, career breaks, leave taken, illness etc, is available through the Department of Education and Skills On line Claims System (OLCS/Esinet).


Student Records

These may include:

  • Information which may be sought and recorded at enrolment, and which may be collated and compiled during the course of the student’s time in the school including: name, address and contact details, PPS number, names and addresses of parents/guardians and their contact details.
  • records of relevant special conditions (e.g. special educational needs, health issues/ care orders/custody arrangements etc.) which may apply.
  • H.S.E. Early intervention reports, psychological/ psychiatric and /or medical assessments
  • Information on previous academic record.
  • School relevant medical records.
  • Photographs and recorded images of students.
  • Attendance Records, class roll books/ Aladdin System/ Registers
  • Academic record – subjects studied, test results as recorded on official school reports.
  • Records of significant achievements.
  • Records of exemptions from Irish (letter of application from parents, copy of certificate granted, record on Aladdin).
  • Records of disciplinary issues and/or sanctions imposed.
  • Serious Injuries and accident reports.
  • Records of reports the school or its employees have made in respect of a student to State departments and or other agencies under mandatory reporting legislation and/ or child safe guarding Guidelines.
  • Records of meetings with Parents as part of the complaints procedures.
  • Permission slips e.g. AUP policy/school tours etc.


The information on students is stored in two formats: both manual files containing hard copy of forms signed etc. and on computer files backed up and stored via the Aladdin system or on the office administration computers.

The purpose for keeping student records includes the following:

  • to enable each student to develop his/her full potential.
  • to comply with legislative and administrative requirements.
  • to ensure that eligible students can benefit from the relevant additional teaching / resource/ financial supports.
  • to support the provision of support teaching.
  • to support the provision of religious instruction and sacramental preparation.
  • to ensure that the student fulfils the criteria for the exemption from Irish.
  • to enable parent/guardians to be contacted in the case of emergency/ school closure etc.
  • to ensure that the pupil meets the school’s admission criteria.
  • to maintain a record of the student’s progress through school.
  • to maintain accurate accident/incident reports.
  • to communicate clearly with all educational partners.
  • to support medical/special needs conditions within the school environment.
  • photographs and recorded images of students are taken to celebrate school achievements, compile yearbooks, establish a school website, record school events, and to keep a record of the history of the school. Such records are taken and used in accordance with the school’s photography policy ie: parents needs to give consent for photographs to be used.
  • to furnish documentation/ information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and other Schools etc. in compliance with law and directions issued by government departments.
  • to furnish, when requested by the student (or their parents/guardians in the case of a student under 18 years) documentation/information/ references to third-level educational institutions and/or prospective employers.


  • Location: Records are kept in a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Additional Information is also stored on the Aladdin data system. Teachers have access via Aladdin to their own class data only. Employees are required to maintain the confidentiality of any data to which they have access. Confidential reports, child protection report forms, Continuum of Support documents are password controlled within the Aladdin system.


Board of Management records maintained include:

  • Name, address and contact details of each member of the Board of Management.
  • Records in relation to appointments to the board.
  • Minutes of board of management meetings.
  • Financial statements/ audits and certification of accounts.
  • Record of how funding from the DES is managed.
  • Correspondence to the board.


The purpose for keeping Board of Management records include:

  • A record of board appointments.
  • A record of how legislative requirements are carried out.
  • A record of staff appointments.
  • Documenting decisions made by the board.
  • A record of how enrolment to the school is managed.
  • A record of the financial management of the school.
  • A record of the development of the school.
  • A record of how health and safety issues within the school are managed.
  • A record of policy development within the school.
  • A record of insurance cover and related issues.
  • A record of capital development and building/grounds maintenance.
  • Documentation relating to grievance and disciplinary procedures.


Other Information that may be retained by the school includes:

The school will hold other records relating to individuals. The format in which these records will be kept are manual record (personal file within a relevant filing system), and/or computer record (database). Some examples of the type of other records which the school will hold are set out below (this list is not exhaustive):




Categories of data:

The school may hold some or all of the following information about creditors (some of whom are self-employed individuals):

  • Name, address, contact details, PPS number
  • Tax details, bank details and amount paid.


Purpose: This information is required for routine management and administration of the school’s financial accounts and complying with audits and investigations by the Revenue Commissioners.


 Location: In a secure, locked office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. We use on-line banking in the school where possible so much of this detail is stored on this system. This is regulated by AIB online banking regulations.


CCTV images/recordings

(a) Categories: CCTV is installed in the schools, externally i.e. perimeter walls/fencing and internally as detailed in the CCTV Policy. These CCTV systems may record images of staff, students and members of the public who visit the premises.

(b) Purposes: Safety and security of staff, students and visitors and to safeguard school property and equipment.

(c) Location: Cameras are located externally and internally as detailed in the CCTV Policy. Recording equipment is located in the reception office of school.

(d) Security: Access to images/recordings is restricted to the principal & deputy principal of the school. Tapes, DVDs, hard disk recordings are retained for 28 days, except if required for the investigation of an incident (eg: vandalism, break-in). Images/recordings may be viewed or made available to An Garda Síochána pursuant to section 8 Data Protection Acts 1988 and 2003.


Local Contribution Payments/Donations


Categories of data:

The school may hold the following data in relation to donors who have made charitable donations to the school:

  • name and address
  • telephone number/ e mail


Purpose: The school may be entitled to avail of the scheme of tax relief for donations of money they receive.


Location: In a secure, locked office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Information is also stored electronically on the school’s administration computers.


Garda Vetting Information

All adults working with children in any capacity within the school must be Garda vetted. Completed vetting forms are sent to the Education Secretariat in Archbishop’s House and the results of vetting process are stored manually in a locked filing cabinet in the Principal’s office to which only authorised personnel may have access. Teachers are vetted through the Teaching Council and the vetting outcome is available through the Digitary Core which is password controlled by each individual teacher.


Rules of Data Protection

All personal data records held by the school are obtained, processed, used and retained in accordance with the following eight rules of data protection based on the Data Protection Acts.

  1. Obtain and process information fairly.
  2. Keep it only for one or more specified, explicit and lawful purposes.
  3. Use and disclose it only in ways compatible with these purposes.
  4. Keep it safe and secure.
  5. Keep it accurate, complete and up-to-date.
  6. Ensure that it is adequate, relevant and not excessive.
  7. Retain it for no longer than is necessary for the purpose or purposes.
  8. Give a copy of his/her personal data to that individual on request.

The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However, guidance material published on the Data Protection Commissioner’s website states the following:

“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”

Appendix 1 has our data protection statement which is included with relevant forms when personal information is being requested.

Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge postdates their 18th birthday. The school adheres to the retention schedule for schools which has been supplied via the Catholic Primary Schools Management Association.


Links to other Policies and to Curriculum Delivery

Relevant school policies already in place or being developed or reviewed, are examined with reference to the data protection policy and any implications which it has for them shall be addressed. The following policies may be among those considered:

  • Child Protection Policy
  • Anti-Bullying Policy
  • Code of Behaviour, including Mobile Phone Code
  • Attendance Policy
  • Supervision Policy
  • Admissions Policy
  • Substance Use/ Misuse Policy
  • ICT Acceptable Use Policy

Data in this school will be processed in line with the data subjects’ rights. Data subjects have a right to:

  1. Request access to any data held about them by a data controller.
  2. Prevent the processing of their data for direct-marketing purposes.
  3. Ask to have inaccurate data amended.
  4. Prevent processing that is likely to cause damage or distress to themselves or anyone else. Dealing with Data Access Requests Under Section 3 of the Data Protection Acts, an individual has the right to be informed whether the school holds data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept. The individual must make this request in writing and the data controller will accede to the request within 21 days.
  • Individuals are entitled to a copy of their personal data on written request.
  • The individual is entitled to a copy of their personal data (subject to some exemptions and prohibitions set down in Section 5 of the Data Protection Act).
  • Request must be responded to within 40 days.
  • Fee may apply but cannot exceed €6.35.
  • Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the school as data controller to comply with the second request (no time limit but reasonable interval from the date of compliance with the last access request.) This will be determined on a case-by-case basis.
  • No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable would the school refuse to furnish the data to the applicant.


Providing Information over the Phone

In our school, any employee dealing with telephone enquiries is careful about disclosing any personal information held by the school over the phone. In particular the employee will:

  • Check the identity of the caller to ensure that information is only given to a person who is entitled to that information.
  • Suggest that the caller put their request in writing if the employee is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified.
  • Refer the request to the Principal for assistance in difficult situations. No employee should feel forced into disclosing personal information.


Implementation Roles and Responsibilities

In our school the Board of Management is the data controller and the Principal will be assigned the role of co-ordinating implementation of this Data Protection Policy, and for ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities. The following personnel have responsibility for implementing the Data Protection Policy:

Name Responsibility
Board of Management   Data Controller
Principal     Implementation of Policy
Teaching personnel  Awareness of responsibilities
Administrative personnel   Security, confidentiality
IT personnel Security, encryption, confidentiality


Ratification and Communication

This Data Protection Policy has been ratified by the Board of Management of St. Mary’s National School, Croom, on__________________

Parents/guardians and students will be informed of the Data Protection Policy at the time of enrolment of the student (by inclusion of a statement…see Appendix1).

The policy will be available via the school’s website.


Monitoring the Implementation of the Policy

The implementation of the policy shall be monitored by the Principal. At least one annual report shall be issued to the board of management to confirm that the actions/measures set down under the policy are being implemented.


Reviewing and evaluating the policy

The policy should be reviewed and evaluated as the need arises but at least every second year. On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills), legislation and feedback from parents/guardians, students, school staff and others.

The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning.

Signed: Cn. Wm Fitzmaurice Chair Board of Management

Date: 21/5/2018



Appendix 1

Data Protection Statement for inclusion on relevant forms when personal information is being requested.

The information collected on this form will be held by St. Mary’s National School in manual and in electronic format. The information will be processed in accordance with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003.

The purpose of holding this information is for administration needs and to facilitate the school in meeting the student’s educational needs and legal commitments etc.

Disclosure of any of this information to statutory bodies such as the Department of Education and Skills or its agencies will take place only in accordance with legislation or regulatory requirements.

Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school wishes to disclose this information to a third party for any other reason.

Parents/Guardians of students and students aged 18 or over have a right to access the personal data held on them by the school and to correct it if necessary.


I consent to the use of the information supplied as described.

Signed Parent/Guardian: _________________________

We are using cookies to give you the best experience. You can find out more about which cookies we are using or switch them off in privacy settings.
AcceptPrivacy Settings


Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use. To find out more, including how to control cookies, see here: Privacy Policy.