Effective Date: 01.09.2025

1. Purpose & Scope

This Protocol sets out how LPI Education Ltd handles, stores, shares and disposes of personal data when providing consultancy, safeguarding supervision, leadership supervision or audits to schools and multi‑academy trusts. It aligns with:

  • UK GDPR and the Data Protection Act 2018

  • Working Together to Safeguard Children (2023)

  • Keeping Children Safe in Education (current version)

  • ICO published standards and guidance

  • DfE record‑keeping and retention expectations for schools and academies

This Protocol should be read alongside LPI Education Ltd.’s Privacy Policy.

2. Legal & Statutory Framework

  • UK GDPR / DPA 2018: Requires lawful, transparent, minimal and secure processing, with accountability, data subject rights and breach reporting obligations.

  • Data Protection in Schools Guidance: Requires clear retention schedules, secure disposal, and appropriate management of subject access requests and breaches.

  • Keeping Children Safe in Education (Annex C): Requires child protection files to be kept separately, securely stored, transferred promptly to the next school, and retained until age 25 (or longer where required, e.g. historic abuse cases).

  • Working Together (2023): Supports lawful, necessary and proportionate safeguarding information sharing.

  • ICO “10‑Step Guide”: Provides a framework for assessing necessity, proportionality and security when sharing personal data.

  • DfE Record‑Keeping & Retention Guidance: Sets retention periods for staff, governance, finance and safeguarding records in line with statutory and limitation requirements.

3. Roles & Responsibilities

LPI Education Ltd (Consultant)

Acts as a Data Processor or Joint Controller, depending on the service.

Must:

  • process data securely and in line with this Protocol and the client’s policies

  • use encrypted storage and secure transfer methods

  • complete Data Protection Impact Assessments (DPIAs) where required

  • notify the school/trust of any data breach within 24 hours

  • support the school/trust with ICO reporting requirements (within 72 hours where applicable)

Designated Safeguarding Lead (DSL)

  • Provides the lawful basis for sharing safeguarding data

  • Ensures compliance with Annex C requirements

  • Oversees secure storage, access and transfer of child protection records

School/Trust Senior Team / Data Protection Officer (DPO)

  • Oversees internal compliance and training

  • Approves retention schedules

  • Reviews incident logs

  • Ensures secure disposal of records

4. Categories of Data

  • Standard pupil/staff personal data: Names, dates of birth, contact information, attendance, medical information, SEND information, etc.

  • Child protection / safeguarding records: Referrals, concerns, DSL notes, outcomes, agency involvement.

  • Consultancy and supervision records: Session notes, action plans, draft reports, anonymised themes, supervision agreements, attendance records.

Data not collected by LPI Education Ltd during supervision

In line with our Privacy Policy and supervision model, we do not collect:

  • identifiable pupil information

  • identifiable staff information

  • case details, chronologies or decision logs

  • safeguarding records

  • operational case management information

5. Collection & Lawful Processing

  • Only the minimum necessary data is collected for the agreed purpose.

  • Individuals must be informed via the school’s Privacy Notice or LPI Education Ltd.’s Privacy Policy.

  • When data is transferred to us by a school, we rely on the school’s lawful basis and extend this through our contractual agreement.

  • Lawful bases may include:

    • Public task (safeguarding)

    • Contractual necessity (consultancy, supervision)

    • Legitimate interests (quality assurance, minimal supervision notes)

    • Legal obligation (HMRC, safeguarding duties)

6. Secure Storage & Access Controls

Digital Records

  • Stored on encrypted drives or secure UK‑based cloud systems

  • Access restricted to named individuals

  • Multi‑factor authentication used where available

  • Access logs maintained where technically feasible

Physical Records

  • Stored in locked cabinets in secure areas

  • Access limited to authorised personnel

  • Digital copies created where appropriate; originals archived securely

Safeguarding Protocol Note

  • Child protection files must be stored separately from the main pupil file, in line with KCSIE

  • Access limited to the DSL or authorised deputy

7. Secure Sharing & Transfer of Data

  • Use encrypted email or password‑protected documents

  • Apply ICO’s 10‑Step Guide to assess necessity and proportionality

  • When transferring child protection files to a new school:

    • Transfer within 5 working days

    • Transfer separately from the main CTF/pupil file

    • Document the handover securely

8. Retention & Secure Disposal

  • LPI Education Ltd follows the school’s retention schedule or our own DfE‑aligned template.

  • Supervision‑related data is retained for 12–24 months and then securely deleted, as stated in our Privacy Policy.

  • Child protection records follow DfE Annex C retention requirements (usually until age 25).

9. Personal Data Breach Response

  • Consultant notifies the school/trust within 24 hours of any breach or suspected breach.

  • ICO notified within 72 hours where required.

  • High‑risk breaches communicated to affected individuals without undue delay.

  • Incident logs maintained, including cause, mitigation and outcome.

10. Accountability & Audit

  • LPI Education Ltd maintains an Article 30 Record of Processing Activities.

  • Schools/trusts may conduct annual audits of shared data and consultancy records.

  • DPIAs completed for high‑risk processing (e.g., sensitive safeguarding information).

11. Training & Awareness

  • Consultant staff complete annual data protection and safeguarding record‑keeping training.

  • Training logs or certificates are retained.

12. Review & Updates

This Protocol is effective from 01.09.2025 and will be reviewed annually or sooner if legislation or DfE/ICO guidance changes.

Updates will be communicated to partner schools and trusts in writing.

Important Notes

  • This Protocol provides operational guidance and is not legal advice.

  • Schools and trusts should ensure alignment with their own policies and governance requirements.

  • The governing body’s approved Privacy Notice must always be used when collecting personal or sensitive data.

Secure Data Handling Protocol