GDPR Policy

In compliance with General Data Protection Regulation (School) effective 25 May 2018


‘The Carlow Academy’ Data Protection Policy applies to personal data held by the school and which is protected by the General Data Protection Regulation.

This policy applies to all staff, parents/guardians, students and others (including prospective or potential students and their parents/guardians and applicants for staff positions within the school) insofar as the measures under the policy relate to them. Data will be stored securely so that confidential information is protected in compliance with the school and relevant legislation. This policy sets out the manner in which personal data and sensitive personal data will be protected by the school.

Article 5 of the GDPR sets out principles relating to the processing of personal data.  These include:

  1. The processing of personal data must be lawful, fair and transparent
  2. Personal data is collected for specified, explicit and legitimate purposes.
  3. Personal data held must be adequate, relevant and limited.
  4. Personal data held must be accurate.
  5. Personal data is retained and stored for no longer than is necessary.
  6. Personal data is processed in a manner that is safe, secure & confidential.

The Academy will process all data in compliance with these principles as outlined in the school.

Legal Obligations

Implementation of this policy takes into account the school’s legal obligations and responsibilities. Some of these are directly relevant to data protection.

  • Under Section 9(g) of the Education Act, 1998, the parents of a student, or in the case of a student who has reached the age of 18 years, the student, must be given access to records kept by the school relating to the progress of the student in their education
  • Under Section 21 of the Education (Welfare) Act, 2000, the Academy must record the attendance or non-attendance of students registered on each school day
  • Under Section 28 of the Education (Welfare) Act, 2000, the Academy may supply Personal Data to certain prescribed bodies (the Department of Education and Skills, the Child and Family Agency (TUSLA), the National Council for Special Education, other schools, third level institutions or other centres of education) provided the Academy is satisfied that it will be used for a ‘relevant purpose’
  • Under the Children First Act 2015 and Department of Education and Skills Child Protection Procedures for Primary and Post Primary schools 2017, the Academy is obliged to report suspected child abuse or neglect to TUSLA (or in the event of an emergency to An Garda Síochána).

Irish Office of the Data Protection Commissioner Guidance

Implementation of this policy also takes into account the Academy’s obligations and responsibilities to students who are data subjects.  In particular, the Irish Office of the Data Protection Commissioner’s guidance is that:

‘Legal guardians can make an access request on behalf of a child. However, once a child is capable of understanding their rights to privacy and data protection, the child should normally decide for himself or herself whether to request access to data and make the request in his or her own name.

Where an organisation receives an access request from a legal guardian on behalf of a child who has had direct interaction with that organisation, and/or where that child is capable of understanding his or her own rights to privacy and data protection, the organisation must take account of child’s rights in deciding how to respond to the access request.

Personal Data

The Personal Data records held by the Academy may include:

Staff records:


As well as existing and former members of staff, these records may also relate to applicants for positions within the Academy.

These staff records may include:

  • Name, address, contact details and PPS number
  • Original records of application and appointment to posts
  • Details of approved absences
  • Details of work record
  • Details of any accidents/injuries sustained on the premises or in connection with the staff member carrying out their duties


Staff records are held in both manual and electronic form. Such files are kept in secure filing cabinets that only personnel who are authorised to use the data can access or in electronic form that is password protected.  Employees are required to maintain the confidentiality of any data to which they have access.

Pupil Records:


These may include:

  • Information sought and filed on a Registration Form, Application Form or Pupil Details form (completed on admission/booking)

These records may include:

  • Name, address, contact details and school details
  • Date and place of birth
  • Names and addresses of parents/guardians and contact details (including any special arrangements with regard to guardianship, custody or access)
  • Religious affiliation
  • Information collated and compiled during the course of the student’s time in the Academy including:
  • Attendance records
  • Photographs and recorded images of student
  • Records of significant achievements
  • Records of disciplinary issues/investigations and/or sanctions imposed
  • Records of meetings or interactions with staff
  • Medical records
  • Photographs and articles recording student endeavour and success which may appear in publications or on the website


The purposes for keeping student records are:

  • To enable each student to develop to their full potential
  • To comply with legislative or administrative requirements
  • To enable parents/guardians to be contacted in the case of emergency or in the case of closure or to inform parents of their child’s educational progress or to inform parents of the Academy’s events etc.
  • To meet the educational, social, physical and emotional requirements of the student
  • To ensure that the student meets the Academy’s admission criteria
  • To ensure that students meet minimum age requirements courses
  • To furnish, when requested by the student (or their parents/guardians in the case of a student under 18 years) documentation/information/ references to third-level educational institutions and/or prospective employers.
  • To celebrate pupil achievements in the Academy, compile publications, yearbooks, update the website, record events, and to keep a record of the history of the Academy.


Pupil records are held in both manual and electronic form. Such files are kept in secure filing cabinets that only personnel who are authorised to use the data can access or in electronic form that is password protected.  Employees are required to maintain the confidentiality of any data to which they have access.

Parent Records

The Academy does not keep personal files for parents or guardians. However, information about, or correspondence with, parents may be included in the files for each student. This information shall be treated in the same way as any other information in the student file and may be accessed similarly.

The Academy keeps financial records which include records of fees paid. These records are administered by ‘The Carlow Academy’ and are treated as strictly confidential. 


CCTV is installed in ‘The Carlow Academy’. The CCTV systems may record images of staff, students and members of the public who visit the premises.


For the safety and security of staff, students and visitors and to safeguard pupil property as well as the Academy’s property and equipment.


Cameras are located in the study centre, grinds classrooms; chill out areas, computer area, toilet corridors, kitchenette area and outside the property itself on Tullow Street and Charlotte Street.


Access to images/recordings is restricted to the Director of Education & Studies and relevant staff. Recordings are retained for approximately 14 days, except if required for the investigation of an incident. Images/recordings may be viewed or made available to An Garda Síochána.


Requests for access to personal data may be made by completing a school Data Request Form. Individuals are entitled to a copy of their personal data on written request in compliance with Article 15 of the GDPR.

Where a subsequent or similar request is made soon after a request has just been dealt with the school may charge a fee to cover administrative costs.

No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Such consent must be given in writing to the Director of the Academy.

Data will be carefully redacted to omit references to any other individual and where it has not been possible to redact the data to ensure that the third party is not identifiable the school will refuse to furnish the data to the applicant.

In compliance with the GDPR, ‘The Carlow Academy’ may refuse to grant an access request where such a request is deemed manifestly unfounded or excessive.

For and on behalf of The Carlow Academy