Data Protection and Record-keeping Policy

Printable Version



This policy has been formulated by the Board of Management of S. N. Mhuire, Barntown to ensure that data provided to the school is dealt with in accordance with The Data Protection Acts 1988 and 2003.



  • The purpose of data protection law is to protect the privacy of data subjects who provide their personal data to data controllers. The Board of Management as a data controller seeks to ensure that it ensures best practice in this regard.
  • Our school requests and holds personal data relating to a variety of individuals including pupils, employees, parents, volunteers, former pupils, members of the Parents Council and members of the Board of Management. A policy on data protection and record keeping is necessary to ensure that this data is administered correctly and that guidelines are available to staff regarding best practice.
  • It is necessary for the Board of Management to gather data for the following reasons:


    • To comply with legislative requirements such as; The Education Act, Section 9(g) requiring a school to provide access to records to students over 18/parents

The Education Welfare Act – requiring a school to report school attendance and transfer of pupils.

    • To comply with Department of Education and Skills requirements on pupil and staff information. 
  • For communication purposes.
  • To provide pupils with an appropriate education.
  • To ensure that eligible pupils can avail of additional supports.
  • To provide where required religious teaching and preparation for religious ceremonies.
  • To monitor and report on educational progress.
  • To ensure prospective employees, volunteers, parents are suited to working with children.


Relationship to School Ethos:

S.N. Mhuire, Barntown is a Catholic school which promotes a Christian ethos of openness and co-operation between staff, parents and pupils as a means towards providing the caring environment through which a child can develop and grow to his/her full potential.




  • To ensure the school complies with legislative requirements
  • To communicate how data is dealt with by the school.
  • To clarify the types of records maintained and the procedures relating to making them available to the relevant bodies
  • To put in place a proper recording and reporting framework on the educational progress of pupils
  • To establish clear guidelines on making these records available to parents and past pupils who are over 18
  • To stipulate the length of time records and reports will be retained.




Key Definitions

Data Controller: The data controller is the individual or legal person who controls and is responsible for the keeping and use of personal information on computer or structured manual files. In our school the Board of Management is the data controller. This responsibility on a day to day basis is devolved to the Principal, school secretary, teachers and SNAs.

Data: Data in this policy is understood to mean any automated data held on a computer or recorded for the purpose of being held at a later date on a computer. It also includes manual data comprising of any information kept as part of a relevant filing system i.e. is structured by reference to individuals so that specific information relating to a particular individual is readily accessible.

Personal Data: Data which relates to a living individual who is or can be identified either from the data itself or from the data in conjunction with other information that is in, or likely to come into, the possession of the data controller provided it personally relates to them.

Sensitive Personal Data: Data that reveals information about racial or ethnic origin, health, religious beliefs, trade union membership or information about the commission of an offence or an alleged offence.


Data Controller Responsibilities

The Board of Management as data controller recognizes the following eight fundamental obligations that must be observed in data protection:

  1. Obtain and process information fairly.

In this regard when the school requires information parents/guardians, staff, volunteers or others from whom the request is made will be asked to consent to providing the required information. The information will be processed fairly by school staff.

  1. Keep data for only one or more specified, explicit and lawful purpose.

Information is held on pupils in order to provide them with an appropriate education, to comply with legislative requirements, to ensure that eligible pupils can avail of supports, for communication purposes. As an employer the Board of Management holds details on employees for communication, for employment purposes as required by the law and as required by the Department of Education and Skills and the Collector General. Information on parents/guardians and volunteers is held for communication purposes and to ensure suitability for working with children where required.

  1. Use data and disclose it only in ways compatible with these purposes.

The Board will use data held in accordance with the stated purposes and will seek consent to disclose data before doing so should such an eventuality arise.

  1. Keep data safe and secure.

Access to pupil, employee, parent/guardian and volunteer data is on a need to know basis. All data is secured in the school/principal’s office which require access codes and all personal files in the office are secured in locked filing cabinets. Each class teacher has a lockable filing cabinet to secure any personal data within the classroom setting. All computer systems holding personal data are password protected. All waste documents containing personal data are shredded. All staff are made aware on an annual basis at the first staff meeting of the year of their responsibilities in this area and the principal monitors compliance during the year.

  1. Keep data accurate, complete and up to date.

Each year parents/guardians and staff are requested to update their details. Details of pupils are updated continuously throughout the year as different educational issues arise. Details of other individuals with whom the school has dealings are updated as the school is informed.

  1. Ensure that the data is adequate, relevant and not excessive.

The Board of Management reviews the gathering of data annually to ensure that the school is gathering adequate data to comply with legislation and to ensure the smooth running of the school. This also allows the Board to ensure the information being gathered is relevant and is not excessive.



  1. Retain it no longer than necessary for the purpose or purposes.

The Board of Management retains data on pupils while they are enrolled in our school and for eight years after they complete their primary education. This time frame covers most pupil’s secondary and tertiary education years, during which many former pupils and guardians make requests for academic records. Any parental information gathered is included in the pupils file. At the end of this timeframe the files are shredded. This timeframe also ensures compliance with health and safety legislation which requires schools to retain reports of accidents/dangerous occurrences for a period for seven years. Some records are retained indefinitely in line with Department of Education and Skills requirements. These include the school register and roll books. At enrolment the school informs parents/guardians of the length of time that pupils files are retained for.

With regard to data collected on employees the retention periods vary according to the requirements of legislation:

  • Records of payments to employees are kept for three years in line with The National Minimum Wage Act 2000
  • The Organisation of Working Time Act 1997 which governs working time and statutory leave entitlements requires records to be retained for a period of three years.
  • Employment contracts are kept for seven years from the date of conclusion of the contract as a civil claim for breach of contract can be brought for up to six years from the date of breach.
  • The Parental Leave Acts 1998 and 2006 require an employer to retain a record of any parental or force majeure leave for eight years.
  • Records of tax payments must be retained for a period of 6 years in accordance with the Companies Act and the Taxes Consolidation Act 1997
  • Health and safety legislation requires that reports of accidents and dangerous occurrences should be retained for 7 years.
  • Records of recruitment are held for 3 years.
  • Garda vetting disclosures are held for one year after which the form is destroyed and the school retains the reference number and date of disclosure for follow up with the Garda Vetting Unit should it be required.
  • The Board of Management is also required to provide data to the Department of Education and Skills regarding staff recruitment and absence. These records are not retained in the school and the Board view that the Department are the data controller in these instances.

On completion of these time frames the data is destroyed.

  1. Give a copy of his or her personal data to an individual on request.

Under Section 4 of the Data Protection Acts any individual (including employees, former employees, pupils, former pupils and parents/guardians) is entitled to request a copy of any information personally relating to them which is kept on computer or in a structured filing system. The Board of Management will respond to such requests within 40 days of receipt of such a request.


The Board of Management will deal with all data access requests in the same way mainly:

  • To review the terms of the data access request to establish what information is within the scope of the request.
  • Collate and categorise all of the data held by the Board of Management which personally relates to the individual.
  • Identify whether certain information should be withheld or redacted i.e. information relating to third parties, an opinion given in confidence or legally privileged information.
  • Redact any portions of the data which do not personally relate to the individual.
  • Redact information relating to third parties.
  • Send a copy of the information relating to the data access request with a cover note detailing the categories of data held, their purpose, the source of the data, categories of recipients to whom the data may be disclosed and stating that the individual has an entitlement to complain to the Data Protection Commissioner.


The data under the control of the Board of Management comes under the following headings.


  1. Personal Data:

This data relates to personal details of the students such as name, address, date of birth, gender, ethnic origin, nationality, religious belief, medical details, dietary information, PPSN, contact details and parents’ names. These are kept in the school office in a locked filing cabinet and are also kept in a computerized school management system which is password protected.



  1. Pupil Records:

Pupil records are held in each pupil’s file with certain categories held on computer. These records are held in locked filing cabinets or password protected computer. Individual class teachers also keep a class file where results of tests and classroom related issues are recorded. Each class has a lockable filing cabinet where these files are stored.


Pupil records may contain:


  • Personal details of the student
  • Medical data
  • School report cards
  • Psychological/Clinical/Occupational Therapy/Speech and Language Assessments
  • Standardised Test Results
  • Attendance Records
  • Screening Tests such as MIST and NRIT
  • Data Protection requests
  • Teacher – designed tests.  Each class teacher designs his/her own test template
  • Diagnostic Test Reports
  • Individual Education Plans
  • Learning Support/Resource Data such as records of permission/refusal to access LS/RT services in the school,
  • Portfolios of student work e.g. writing
  • Details of behavioural incidents or accidents.
  • Correspondence relating to the pupil.


  1. Staff Data

This data relates to personal and professional details of the Staff such as name, address, date of birth, contact details, payroll number, attendance records, qualifications, school records, sick leave, CPD, garda vetting, curriculum vitae, school returns, classes taught, seniority and supervision payments.


  1. CCTV Footage

A CCTV system is in operation in the school. Its purpose is to monitor the security of the school premises and to assist with health and safety. Notices are in place to inform all individuals entering the school grounds that CCTV is in operation. All recorded footage is held for 28 days after which the system self-deletes. Individuals are entitled to make a data access request for CCTV footage but must provide a specific timeframe of the recording being sought.


  1. Administrative Data:
  • Attendance Reports, Roll Book, Registers
  • Accident Report Book
  • Administration of Medicines Indemnity Form
  • Policies
  • HSE files
  • Board of Management files
  • Accounts


Access to Records:

The following will have access where relevant and appropriate to the data listed above;


  • Parents/guardians
  • Past pupils over 18
  • Health Service Executive
  • Designated school personnel
  • Department of Education & Skills
  • First and second-level schools (where relevant).


A parental authorisation form must be completed by parents in the event of data being transferred to outside agencies such as health professionals etc.  Outside agencies requesting access to records must do so in writing giving seven days’ notice. Parents/guardians or former pupils can request access in writing as per data access requests above.

The right to erasure or rectification is available to change any mistakes or inaccuracies by proper authorisation through the same procedures.


Success Criteria:


  • Compliance with Data Protection Act and Statute of Limitations Act
  • Easy access to records
  • Framework in place for ease of compilation and reporting
  • Manageable storage of records.


Roles and Responsibilities:

The school staff and Principal, under the direction of the Board of Management will implement and monitor this policy.  Individual teachers will design, administer and record all in-class testing.  The Principal will ensure records are maintained and stored in accordance with this policy.




This policy was ratified and reviewed on 27th June 2014 and is due to be reviewed again in the 2016/’17 school year.


This policy will be available on the school’s website or by request from the school office.