The School

Knebworth Primary and Nursery School is a community school maintained within the Hertfordshire Local Authority, serving pupils of nursery age to Year 6. The Head Teacher is the controller for the personal information we process, unless otherwise stated.

There are several ways you can contact us, including by phone, email, appointment, and post. More details can be seen here.

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO. Our Data Protection Officer is Carole Connelly, whose contact details may be found here.

Why we collect data

As a community school, we provide a service in the public interest and are bound by the obligations and duties imposed by Acts of Parliament and related Statutory Instruments, and by the obligations imposed on other public bodies (such as the Local Authority).

To meet these obligations and duties we collect and process information where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e)).

We may also collect information under the following lawful bases:

  1. where it is necessary for compliance with a legal obligation (Article 6 (c));
  2. where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));
  3. where we have your consent as the data subject (Article 6 (a))

Where the personal data we collect is sensitive personal data as defined in Article 9 (1), we will only process it where:

  • we have explicit consent (Article 9 (2) a)
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9 (2) c)

Where we need consent to collect data, we will make this clear when requesting the data. We will set out for what purpose the data will be processed. Consent may be withdrawn at any time.

How we collect data

Some data is collected electronically, for example data about pupils transferred from other schools or applications for employment.

Personal data is gathered from paper forms completed and returned to the school by, for example, parents/carers, volunteers, and (prospective) governors. Such data is usually transferred to electronic systems, but may (also) be stored securely in paper form.

Personal data is always collected when a pupil joins the school, and updated throughout a pupil's time at the school. Personal data is collected when a prospective employee applies for a role, is updated while they are employed at the school. This is also the case for governors, volunteers, third parties, and any others whose data we have a legal basis to process.  When there is no longer a legal basis or other justification to process the data (for example, a pupil has left the school), the data is destroyed in accordance with our data retention policy.

Why we process data

How and why we process the data we collect depends upon the type of person and the type of data.

We use data to support the functions of running a school, including but not limited to:

  • supporting learning;
  • monitoring and reporting on pupil progress;
  • providing appropriate pastoral care;
  • assessing the quality of our services;
  • compliance with the law regarding data sharing;
  • the protection and welfare of pupils and others in the school, including our safeguarding / child protection obligations;
  • the safe and orderly running of the school;
  • selecting, appointing, monitoring, and supporting staff and governors
  • selecting and contracting with service providers
  • promoting the school;
  • communication with parents, pupils, governors, "Friends", and third parties, including providing information about school events or activities, news, campaigns, appeals, and other fundraising activities;

Storage and retention of data

A significant amount of the personal data collect is stored electronically, for example, in our schools information management database.  Data stored electronically may be saved on a cloud based system which may be hosted in a different country.  

Some information may (also) be stored in hard copy format, and physically secured.

We retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements.  To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

In some circumstances we may anonymise personal data so that it can no longer be associated with a person, in which case we may use such information without further notice.

Sharing of data

Personal data is shared in order to pursue our public task as a maintained school or to meet legal obligations. Who we share personal data with, and whose data we share depends on the individual and type of data.  In the event that we share personal data with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. 

We routinely share parent/carer and pupil information with schools that pupils attend after leaving us.

From time to time, we may also share information with other third parties including but not limited to: 

  • our local authority Hertfordshire County Council 
  • a pupil’s home local authority (if different); 
  • the Department for Education (DfE);
  • school governors; 
  • the Police and law enforcement agencies; 
  • NHS health professionals including the school nurse, educational psychologists; 
  • Education Welfare Officers; 
  • Courts, if ordered to do so; 
  • the Teaching Regulation Authority; 
  • Prevent teams in accordance with the Prevent Duty on schools; 
  • other schools, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances; 
  • our legal advisors; 
  • our insurance providers; 
  • Where the nature of the service requires, organisations that contractually provide services to the school, in which case the school requires compliance with this notice. 

 Some of those we share data with are joint data controllers.

Changes to this notice

We reserve the right to update this privacy notice at any time, and we will publish a new privacy notice when we make any substantial updates. We may also notify individuals in other ways from time to time about the processing of their personal information. 

Subject Access Requests

Your individual rights as set out under the GDPR are described by the Information Commissioners Office.

To make a request for your personal data, please email the School Secretary and cc our Data Protection Officer, Carole Connelly.  Details are on our Contacts page.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 

We may refuse your subject access request if your data includes information about another individual, except where:  

  • the other individual has agreed to the disclosure, or  
  • it is reasonable to provide you with this information without the other individual’s consent.  

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, if we believe that a request is, as the law states, “manifestly unfounded or excessive”, we can:  

  • request a reasonable fee to deal with the request, or  
  • refuse to deal with the request 

 In reaching this decision, we can take into account whether the request is repetitive. In either case we will give the reason for our decision.


You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact the Information Commissioners Office on 0303 123 1113 or via email  or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.