Effective Date: 01.09.2025
1. Purpose & Scope
This Protocol sets out how LPI Education Ltd, when providing consultancy, safeguarding supervision or audits to schools and multi-academy trusts, will handle, store, share and dispose of personal data, including where child protection records are involved. It aligns with UK GDPR, the Data Protection Act 2018, DfE statutory Safeguarding guidance (e.g. Keeping Children Safe in Education 2025), Working Together to Safeguard Children (2023) and ICO published standards.
2. Legal & Statutory Framework
UK GDPR / DPA 2018: Ensures lawful, transparent, minimal and secure data processing, with accountability and breach reporting obligations.
Data Protection in Schools Guidance: Requires a retention schedule, secure disposal, and management of breaches and subject access.
Keeping Children Safe in Education (Annex C): Requires separate child protection files, secure storage, audit, transfer to next school and retention until age 25 (or 75 for abuse cases).
Working Together (2023) and ICO’s “10‑step guide” support lawful safeguarding information sharing and accountability process.
DfE Record‑keeping & retention information for academies: Sets retention periods (e.g. staff files, governance, finance) compliant with Limitation Act and statutory guidance.
3. Roles & Responsibilities
Consultant (LPI Education Ltd):
Acts as Data Processor (or Joint Controller if applicable).
Must: encrypt data, follow client policy or our protocol, conduct Data Processing Impact Assessments (DPIA) if needed, notify breaches within 72 hrs.
Designated Safeguarding Lead (DSL)
Provides legal basis for sharing safeguarding data, monitors adherence to record-keeping standards, ensures child protection records follow DfE Annex C requirements.
School/Trust Senior Team / Data Protection Officer
Oversees internal compliance and training, approves data retention schedule, reviews incident logs, ensures secure disposal.
4. Categories of Data
Standard pupil/staff personal data: names, dates of birth, contact information, medical info, special educational needs, etc.
Child protection / safeguarding records: referrals, concerns, outcomes, DSL notes.
Consultancy records: session notes, action plans, draft/advice reports.
Each category requires an appropriate legal basis: public task, contractual necessity, legitimate interest, or consent. In practice: safeguarding often uses public task, consultancy uses contract or legitimate interest/disclosure consent.
5. Collection & Lawful Processing
Collect only what is a minimum necessary for agreed purposes.
Inform individuals (pupils, parents, staff) via Privacy Notice including who we are, legal basis, how long data will be kept. Transparency is a core GDPR requirement.
If transferred to us by the school, we rely on the school’s lawful basis and provide a clear extension via our agreement.
6. Secure Storage & Access Controls
Digital Records
Store on encrypted drives or secure cloud with UK‑based hosting.
Access restricted to named staff; multi‑factor authentication recommended.
Maintain record access logs (who accessed what, when).
Physical Records
Child protection files or signed documents stored in locked cabinets within secure areas under limited access.
Digital copies should be scanned if feasible; original file marked as “securely archived”.
Safeguarding Protocol Note
Child protection files should be held in separate envelopes from the main pupil file (as per KCSIE), and access limited to DSL or their authorised deputy.
7. Secure Sharing & Transfer of Data
When collaborating with the school/trust, use secure email (encrypted e‑mail service or password-protected PDFs).
Use the ICO’s 10‑Step Guide to assess the necessity and proportionality of any sharing outside the trust or with external agencies.
If child protection records need to be transferred (e.g. when a pupil changes schools):
Provide within 5 working days (DfE standard), transfer separately from main CTF/pupil file, and document the handover securely.
8. Retention & Secure Disposal Timetable
Consultant will follow the school’s retention schedule, or own template aligned with DfE retention guidance, with any exceptions agreed in writing.
9. Personal Data Breach Response
Consultant must inform the school/trust within 24 hours of discovery of any breach or suspected breach.
Report to ICO within 72 hours, if breach likely to result in risk to individual rights or freedoms; if high risk, also notify affected individuals without undue delay.
Keep detailed incident logs including cause, mitigation steps, notifications, outcome.
10. Accountability & Audit
Consultant will keep records of all processing activities (“Article 30 Register”), detailing categories of data, purposes, third-party disclosures, retention periods.
School or Trust may conduct annual audit of data shared and consultancy records to verify compliance.
Any Data Protection Impact Assessment (DPIA) will be completed if high‑risk processing (e.g. student mental health data, handling sensitive safeguarding history).
11. Training & Awareness
Consultant staff must complete annual data protection refresher training, including child protection record-keeping standards (e.g. KCSIE / DSL expectations).
Maintain certificates or logs of training completion.
12. Review & Updates
This protocol is effective 01.09.2025 and will be reviewed annually or sooner if national legislation or Department for Education guidance changes (e.g. DfE, ICO updates).
Updates will be communicated in writing to all partner schools/trusts.
Important Notes:
This Protocol provides operational data protection practice but is not legal advice. Organisations and schools may wish to have it reviewed by their legal or DPO team to align with their own internal policies and liabilities.
Always use the governing body approved Privacy Notice when collecting personal or sensitive school data.