Privacy Policy

Stairways Music School collect and process certain types of personal data about staff, pupils, parents and other individuals who come into contact with the School in order to provide education and associated functions.

Stairways Music School may be required by law to collect and use certain types of data to comply with statutory obligations related to employment, education, and safeguarding.

This policy is intended to ensure that personal data is dealt with properly and securely and in accordance with the UK General Data Protection Regulation (UK GDPR) and other related legislation, including the Data Protection Act 2018 (DPA 2018). 

Personal Data 

‘Personal data’ is information that identifies a living individual and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain,

personal data revealing racial or ethnic origin;

• personal data revealing political opinions;

• personal data revealing religious or philosophical beliefs; 

• genetic data; • biometric data (where used for identification purposes);

• data concerning health; given special protection, and additional safeguards apply if this information is to be collected and used.

Stairways Music School does not intend to seek or hold Special Category Data (previously known as sensitive personal data) about staff or pupils except where the School has been notified of the information, or it comes to the Schools attention via legitimate means (e.g. a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice.

Staff or pupils are under no obligation to disclose to Stairways Music School their racial or ethnic origin, political or religious beliefs, or details of their sexual life (save to the extent that details of marital status and / or parenthood are needed for specific safeguarding reasons.

Information relating to criminal convictions shall only be held and processed where there is legal authority to do so. 

A ‘Data Subject’ is someone whose details the School gather or process for any reason. The data subject has rights under the UK GDPR. In some cases, the obligations of the School to share data with other organisations, including but not limited to the Department for Education (DfE) and the Local Authority (LA) may override these rights under the GDPR For the purpose of this policy Stairways Music School is the ‘Data Controller’

The ‘Data Controller’ has overall responsibility for the personal data gathered and processed, and has responsibility for ensuring compliance with the relevant legislation.

For the purpose of this policy, the ‘Data Processor’ will be allocated members of staff employed by Stairways Music School, namely Mr John Bushell, Mrs Lungi Bushell.

The ‘Data Controller’ has overall responsibility for the personal data gathered and processed, and has responsibility for ensuring compliance with the relevant legislation.


The data protection principles as laid down in the GDPR are followed at all times:

Personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met;

Personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes;

Personal data shall be adequate, relevant, and limited to what is necessary for 5 the purpose(s) for which it is being processed;

Personal data shall be accurate and, where necessary, kept up to date; 

Personal data processed for any purpose(s) shall not be kept in a form which permits identification of individuals for longer than is necessary for that purpose / those purposes;

Personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Appropriate measures and records must be in place to be able to demonstrate compliance with the other principles. In addition to this, Stairways music School is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law

Stairways Music School is committed to complying with the principles as set out above at all times. This means that Stairways Music School will:

Inform individuals about how and why we process their personal data 

Be responsible for checking the quality and accuracy of the information; 

Regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the records retention policy;

Ensure that when information is authorised for disposal it is done so appropriately;

Ensure appropriate security measures to safeguard personal information held on our computer system, and follow the relevant security policy requirements at all times;

Share personal information with others only when it is necessary and legally appropriate to do so;

Set out clear procedures for responding to requests for access to personal information (known as subject access requests);

Report any breaches of the GDPR in accordance with policy and procedure 

The personal data held regarding pupils includes contact details, attendance information, characteristics such as ethnic group, special educational needs, any relevant medical information, and photographs or video, including CCTV.

The data is used in order to support the education of the pupils, to monitor and report on their progress, to provide appropriate pastoral care whilst in attendance, and to assess how well the School as a whole is doing, together with any other uses normally associated with this provision in a school environment.

Stairways Music School may make use of limited personal data (such as contact details) relating to pupils, and their parents or guardians for contact, fundraising, marketing or promotional purposes and to maintain relationships with pupils of the School, but only where consent has been provided to this. 

Any wish to limit or object to any use of personal data should be notified to the Data Protection Officers, Mr John Bushell. Contact details provided at the end of the policy.

The personal data held about staff will include contact details, employment history, information relating to career progression, employment references, information relating to DBS checks, absence records, disciplinary records, photographs and videos, including CCTV.

The data is used to comply with legal obligations placed on Stairways Music School in relation to employment, and the education and safeguarding of children in a school environment.

Stairways Music School may pass information to other regulatory authorities where appropriate and may use names and photographs of staff in publicity and promotional material. Personal data will also be used when giving references. 

Staff should note that information about disciplinary action may be kept for longer than the duration of the sanction. Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period, for example where safeguarding rules require this. 

Any wish to limit or object to any use of personal data should be notified to the Data Protection Officers.

Information relating to DBS checks:

DBS checks are carried out on the basis of Stairways Music School's legal obligations in relation to the safer recruitment of staff as stipulated in the Independent School Standards Regulations, and the DBS information (which will include personal data relating to criminal convictions and offences) is further processed in the substantial public interest, with the objective of safeguarding children. Retention of the information is covered by the Records Retention Policy. 

Access to the DBS information is restricted to those staff who have a genuine need to have access to it for their job roles. In addition to the provisions of the GDPR and the Data Protection Act 2018, disclosure of this information is restricted by section 124 of the Police Act 1997 and disclosure to third parties will only be made if it is determined to be lawful.

Stairways Music School may hold personal information in relation to other individuals who have contact with the school, such as volunteers, job applicants and guests. Such information shall be held only in accordance with the data protection principles and shall not be kept longer than necessary. 


Stairways Music School will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties. All staff will be made aware of this policy and their duties under the GDPR.

Stairways Music School will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.


The following list includes the most common reasons that Stairways Music School will authorise disclosure of personal data to a third party – this list is not exhaustive:

To give a confidential reference relating to a current or former employee, volunteer or pupil; 

for the prevention or detection of crime;

for the assessment of any tax or duty;

where it is necessary to exercise a right or obligation conferred or imposed by law upon the School (other than an obligation imposed by contract);

for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);

for the purpose of obtaining legal advice;

for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);

to disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so and there is a legal basis for doing so, for example for medical advice, insurance purposes or to organisers of school gigs.

The legal basis will vary in each case but will usually be based on explicit consent, the vital interests of the child or reasons of substantial public interest (usually safeguarding the child or other individuals); 

to provide information to the relevant Government Department concerned with national education. At the time of the writing of this policy, the Government Department concerned with national education is the Department for Education (DfE).

All requests for the disclosure of personal data must be sent to the Data Protection Officers, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.


Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or guardian, the School will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where the School believes disclosure will be in the best interests of the pupil or other pupils. Disclosure for a safeguarding purpose will be lawful because it will be in the substantial public interest.


Anybody who makes a request to see any personal information held about them by the School is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure, provided that they constitute a “filing system” 

The individual’s full subject access right is to know:

• whether personal data about them are being processed

• the purposes of the processing

• the categories of personal data concerned

• the recipients or categories of recipient to whom their personal data have been or will be disclosed

• the envisaged period for which the data will be stored or where that is not possible, the criteria used to determine how long the data are stored

• the existence of a right to request rectification or erasure of personal data or restriction of processing or to object to the processing

• the right to lodge a complaint with the Information Commissioner's Office

• where the personal data are not collected from the individual, any available information as to their source

• details of the safeguards in place for any transfers of their data to locations outside the European Economic Area. 

All requests should be sent by the person who received the request to the Data Protection Officer within three working days of receipt and must be dealt with in full without delay and at the latest within one month of receipt. Where an individual does not have sufficient understanding to make his or her own request (Usually where the individual is under 12 years of age, or where the individual is 12 years or older but is understood to lack the mental capacity to consent for example, where there is evidence of special educational needs which effects the individual’s mental capacity to understand their rights), a person with parental responsibility can make a request on their behalf.

The Data Protection Officer or their delegate must, however, be satisfied that:  the child or young person lacks sufficient understanding; and the request made on behalf of the child or young person is in their interests. 

Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances the Trust must have written evidence that the individual has authorised the person to make the application and the Data Protection Officer, or their delegate must be confident of the identity of the individual making the request and of the authorisation of the individual to whom the request relates.

Access to records will be refused in instances where an exemption applies, for example, information sharing may place the individual or another individual at risk of significant harm or jeopardise police investigations into any alleged offence(s). Where small amounts of exempt data are included in other records, the data shall be obscured or copied or retyped if this is more sensible

The School may ask for any further information reasonably required to locate the information or to authenticate the request.

An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected. 

All files must be reviewed by the Data Protection Officer or their delegate before any disclosure takes place. Access will not be granted before this review has taken place.

Where all the data in a document cannot be disclosed a permanent copy should be made and the data obscured or copied or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.


We may not disclose information if it would reveal that the child is being or has been abused, or is at risk of abuse, where the disclosure of that information would not be in the child’s best interests

We may not disclose information if it is part of certain sensitive documents, such as those related to crime, immigration, legal proceedings or legal professional privilege. There are other exemptions from the right of subject access. If we intend to apply any of them to a request then we will usually explain which exemption is being applied and why.


Stairways Music School has an obligation to comply with the rights of individuals under the law, and takes these rights seriously. Stairways Music School will comply with the rights to:

object to processing



data portability

Right to object to processing 

An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest where they do not believe that those grounds are adequately established. 

An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to the Data Protection Officer whereby the data shall be amended as soon as reasonably practicable, and the individual notified.

Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given the option of an appeal direct to the Information Commissioner. 

An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.

Right to erasure - Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances: where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed; where consent is withdrawn and there is no other legal basis for the processing; where an objection has been raised under the right to object, and found to be legitimate; where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met); where there is a legal obligation on the School to delete.

Right to portability If an individual wants to send their personal data to another organisation they have a right to request that the School provides their information in a structured, commonly used, and machine readable format. 

Stairways Music School may use CCTV at location to ensure student safety. Stairways Music School will adhere to the ICO’s (Information Commissioner’s Office) code of practice for the use of CCTV. Any enquiries about CCTV systems should be directed to the Data Protection Officer in the first instance. 


If anyone has any concerns or questions in relation to this policy they should contact the Data Protection Officers Mr John Bushell. The Data Protection Officers can be contacted via email: