[CFS PLAYBOOK] DATA PROTECTION

[CFS POLICY] DATA PROTECTION

1.0 POLICY STATEMENT

Compass Forest School promotes a transparent, secure, and legally compliant approach to data protection that upholds the privacy, dignity, and rights of its Tribe and Crew. To achieve this, Crew:

• Process personal and special category data lawfully, fairly, and transparently for explicit and legitimate purposes, ensuring it is adequate, relevant, limited to what is necessary, and retained only as long as required.
  

• Protect personal data through appropriate technical and organisational measures, maintaining the integrity and confidentiality of both digital systems and field-based records.
  

• Uphold the full statutory rights of individuals, while ensuring that data protection never compromises safeguarding responsibilities.

1.1 DEFINITION OF TERMS

The below table sets out a number of terms and definitions used within this document and connected documents:

Data Protection;  The legal framework and set of practices used to ensure that personal information is kept safe, used fairly, and remains private.

Special Category Data; Highly sensitive personal information that requires extra protection including medical records, SEND requirements, ethnicity and any history of safeguarding.

Data Controller ; The organisation that determines why and how personal data is processed. 

Data Breach ; Any incident where personal information is lost, stolen, destroyed, or shared with someone who shouldn't see it.

Child/ren ; A person under the age of 18.

Tribe ; The Compass Forest School community which includes all those directly connected - staff members, schools, parents, families and children

Parents ; Adults in a parenting role; e.g birth parents, step-parents, foster carers, adoptive parents, LA corporate parents

Crew ;  All those working for or on behalf of the school, full or part time, temporary or permanent, in either a paid or voluntary capacity

1.2 LEGAL FRAMEWORK AND STATUTORY GUIDANCE

Compass Forest School Playbooks are informed by statutory guidance, legislation and government standards that ensure the safe and effective delivery of Alternative Provision. Each Playbook interprets and applies these documents in ways specific to its area of practice.

Alternative Provision And National Standards

• Non‑School Alternative Provision Voluntary National Standards (2025/26) – The benchmark for quality, safety and outcomes in non-school settings.

• Arranging Alternative Provision (DfE) – Statutory guidance for LAs and schools on commissioning and reintegration.

• Education Acts 1996 & 2002 (Parts 3, 6, 7) – Legal duties for suitable education and pupil registration.

• School Attendance (Pupil Registration) (England) Regulations 2024 – Mandatory requirements for daily attendance reporting and digital registers.

Safeguarding And Child Welfare

• Keeping Children Safe in Education (KCSIE 2026) – Primary statutory guidance for safeguarding, including Operation Encompass and Filtering/Monitoring duties.

• Working Together to Safeguard Children (2026) – Multi-agency guidance for identifying, responding to and preventing harm.

• Children Act 1989, 2004, 2006 – Core legal frameworks for care and protection of children.

• SEND Code of Practice (2015) – Guidance for supporting children with Education, Health and Care Plans (EHCPs) and SEMH needs.

• Prevent Duty (Counter-Terrorism and Security Act 2015) – Duty to protect children from radicalisation and extremism.

• Female Genital Mutilation (FGM) Act 2003, Section 5B – Duty to report FGM in girls under 18.

Behaviour, Restraint And Seclusion

• The Schools (Recording and Reporting of Seclusion and Restraint) Regulations 2025 – Statutory Duty (Effective April 2026): Mandatory same-day written reporting to parents for any restrictive intervention.

• Education and Inspections Act 2006 (Section 93A) – The legal power to use reasonable force, strictly governed by the 2026 statutory duty.

• Education and Inspections Act 2006, Sections 88–94 – Legal requirements for behaviour, engagement, prevention of bullying and discipline policies.

Health, Safety And Medical Management

• Health and Safety at Work etc. Act 1974 – General duty of care for staff, pupils and visitors.

• Management of Health and Safety at Work Regulations 1999 – Requirement for robust risk assessments, preventive measures, appropriate information, instruction and training.

• Supporting Pupils with Medical Conditions (DfE Statutory Guidance) – Requirements for Individual Healthcare Plans (IHPs) and the safe administration/storage of medication.

• Health and Safety (First-Aid) Regulations 1981 – Provision of first-aid equipment, trained personnel and procedures.

• Work at Height Regulations 2005 – Safe practice for climbing, ropes and platform work.

• RIDDOR 2013 – Mandatory incident reporting and record-keeping of serious injuries and dangerous occurrences.

• Control of Substances Hazardous to Health (COSHH) Regulations 2002 – Safe handling, storage and use of hazardous substances (fuels, cleansers, etc.)

Environmental Stewardship

• Environmental Protection Act 1990 (Section 34) – Duty of Care: Legal responsibility for safe waste management and fire safety (ash/embers/waste).

• Wildlife and Countryside Act 1981 – Legal duty to protect habitats, nesting birds, and protected species during sessions.

• Regulatory Reform (Fire Safety) Order 2005 – Fire risk management and outdoor campfire precautions.

• DfE Health and Safety Guidance (2022) – Managing fire risks, emergency procedures and staff responsibilities.

Compliance And Governance

• School Staffing (England) Regulations 2009 – Safer recruitment and Single Central Record (SCR) duties.

• Childcare Act 2006 – Legal framework for Ofsted registration and compliance with the Compulsory and Voluntary Childcare Register including written procedures for handling complaints and maintaining records of complaints.

• Rehabilitation of Offenders Act 1974 – Governs employment eligibility and the filtering of people with convictions.

Compass Forest School works in line with the safeguarding arrangements agreed and published by the local safeguarding partners. Statutory guidance identifies three safeguarding partners with responsibility for making arrangements to safeguard and promote the welfare of children within a local area.

These partners work together to identify and respond to the needs of children at risk of harm:

• The local authority (LA)

• An integrated care board for an area within the LA

• The chief officer of police for a police area in the LA area

Keeping Children Safe in Education makes clear that schools placing children into Alternative Provision retain responsibility for safeguarding those children.

Client schools must ensure that the provision is suitable, meets the child’s needs and provides appropriate safeguarding arrangements, with regular oversight, communication and review.

Compass Forest School supports this responsibility through transparent communication and timely sharing of safeguarding information with Client schools.

1.3 DATA PROTECTION

Compass Forest School processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and related legislation. Personal information is collected, stored, used and shared lawfully, securely and proportionately, in accordance with statutory guidance and Data Protection Playbook.

Crew are responsible for ensuring that personal data is handled accurately, confidentially and on a need-to-know basis. Safeguarding and public interest considerations may override confidentiality where this is lawful, necessary and proportionate.

1.4 DISCLOSURE OF INFORMATION

Any use or disclosure of information held by Compass Forest School must have a clear and lawful basis. Unauthorised or unlawful disclosure of personal data may constitute a criminal offence under the Data Protection Act 2018.

All Crew must understand their responsibilities in relation to confidentiality, lawful information sharing and subject access rights under UK GDPR. Information will be shared without consent where there is a lawful basis to do so.

The Data Protection Act 2018 and UK GDPR are not barriers to sharing information where there is a concern that a child may be at risk of significant harm. Where there is uncertainty about whether information should be shared, advice must be sought from a senior leader or Designated Safeguarding Lead before disclosure.

1.5 STATEMENT OF EQUALITY

Compass Forest School is committed to equality, diversity and inclusion in accordance with the Equality Act 2010. Discrimination, harassment and victimisation are not tolerated. Many children attending Compass Forest School experience additional vulnerabilities or barriers to participation, safety or wellbeing.

These may include special educational needs or disabilities, experiences of discrimination, family or environmental adversity, risk of exploitation or abuse, being looked after or previously looked after, or instability in education or care arrangements.

Crew proactively identify and reduce inequality by making reasonable adjustments, adapting practice and ensuring that decisions are fair, proportionate and responsive to individual need. All children and Crew are treated with dignity and respect and are supported to feel safe, valued and heard.

[CFS PROCESSES] DATA PROTECTION

2.0 PROCESSES STATEMENT

Compass Forest School recognises that effective data protection is essential to maintaining trust, protecting individual rights and ensuring safe, lawful and professional practice. As an Alternative Provision working with children, families, schools and professionals, the organisation handles personal and special category data that must be managed with the highest standards of care, security and accountability.

Data protection at Compass Forest School is not treated as an administrative exercise. It is embedded within daily operations, decision-making and organisational culture. Crew are expected to handle information responsibly, maintain confidentiality, apply professional judgement and ensure that personal data is used only where there is a clear and lawful purpose.

Compass Forest School identifies six core processes that support Crew in meeting policy aims and statutory responsibilities surrounding Data Protection. These are:  Defined Roles And Responsibilities, Data Protection Training For Crew,   Lawful Processing and Privacy Information, Information Security, Access Control and Confidentiality, Information Sharing and Safeguarding, Individual Rights Requests, Retention and Secure Disposal and Data Breaches and Incident Management.

Each process is underpinned by clear procedures that provide practical guidance and ensure a consistent, proportionate and effective approach to Data Protection management.

2.1 DEFINED ROLES AND RESPONSIBILITIES

Clear roles and responsibilities help Crew act quickly, confidently and consistently when everyone understands what they must do and who to pass concerns to. Issues are then identified earlier, decisions are made properly, actions are recorded accurately and effective oversight is maintained at every level of the company.

Defined responsibilities sit with the owner, relevant senior leaders, the Designated Safeguarding Lead (DSL) and all Crew. While some roles carry additional authority and accountability, responsibility is shared. No concern is ever “someone else’s job”. No child or adult should be left at risk because someone assumed another person would act.

Everyone has a duty to speak up, pass on concerns and challenge unsafe practice, poor judgement or wrongdoing in a professional and respectful way. This shared responsibility is critical to identifying risks early and preventing harm wherever reasonably practicable. Within an Alternative Provision context, Compass Forest School places strong emphasis on prevention.

Crew support children to develop the skills, confidence and understanding needed to stay safe and thrive. This is reinforced through clear Playbooks, training, consistent day-to-day practice and oversight by the Designated Safeguard Lead and Deputy. Arrangements are reviewed regularly and updated in line with statutory guidance to ensure practice remains current, effective and proportionate.

2.2 DATA PROTECTION TRAINING FOR CREW 

Crew receive data protection training appropriate to their role and responsibilities. Training begins at Onboarding and is refreshed regularly to reflect legal updates, emerging risks and changes in practice. This includes confidentiality, secure handling of information, cyber awareness, phishing risks, safeguarding-related information sharing and the safe use of technology.

Data protection is reinforced through everyday expectations, leadership oversight and a culture of professional responsibility.

2.3 LAWFUL PROCESSING AND PRIVACY INFORMATION

Personal data is processed lawfully, fairly and transparently for explicit and legitimate purposes. Only information that is adequate, relevant and limited to what is necessary is collected. Where required, privacy information is provided so individuals understand what data is collected, why it is needed, how it is used, who it may be shared with and how long it will be retained.

Special category data is handled with additional care and processed only where a valid lawful basis and condition for processing applies.

2.4 INFORMATION SECURITY

Crew maintain appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. This includes secure digital systems, password protection, controlled access permissions, secure devices and safe working practices for mobile and remote working.

Field-based records or paper documents used within the forest school environment are kept secure, transported carefully and returned to secure storage as soon as practicable.

2.5 ACCESS CONTROL AND CONFIDENTIALITY

Access to personal data is limited to those who need it for their role. Crew do not access information out of curiosity or share it inappropriately. Confidential information is discussed only with authorised individuals and in suitable settings. Care is taken to prevent accidental disclosure through conversations, emails, printed documents or visible screens.

Crew understand that confidentiality remains essential, while recognising that information must be shared where necessary to protect a child or meet legal obligations.

2.6 INFORMATION SHARING AND SAFEGUARDING

Effective safeguarding and partnership working may require information to be shared with schools, local authorities, health professionals, social care, the police or other relevant agencies. Information sharing is carried out lawfully, proportionately and on a need-to-know basis.

Crew understand that data protection legislation does not prevent the sharing of information where this is necessary to safeguard a child or another person. Where appropriate, decisions to share information are recorded, including the rationale for doing so.

2.7 INDIVIDUAL RIGHTS REQUESTS

Compass Forest School upholds the statutory rights of individuals under data protection law. This includes the right to access personal data, request rectification, request erasure where applicable, restrict processing, object to certain processing and request data portability where relevant.

Requests are handled promptly, fairly and within statutory timescales. Identity may be verified before information is disclosed. Where an exemption applies, or a request cannot be fully met, this will be explained clearly and lawfully.

2.8 RETENTION AND SECURE DISPOSAL

Personal data is retained only for as long as necessary, in line with legal, safeguarding, operational and regulatory requirements. When information is no longer required, it is securely deleted, destroyed or anonymised so that it cannot be recovered or misused. Retention decisions are guided by the organisation’s retention arrangements and relevant statutory expectations.

2.9 DATA BREACHES AND INCIDENT MANAGEMENT

Any actual or suspected personal data breach, including loss, unauthorised disclosure, cyber incident or accidental sharing, must be reported without delay. Incidents are assessed promptly to identify risk, contain harm, recover information where possible and determine whether notification is required to affected individuals or the Information Commissioner’s Office. All breaches, near misses and lessons learned are used to strengthen systems and reduce future risk.

2.10 RECORD KEEPING

High-quality record keeping underpins safeguarding, accountability and continuous improvement across Compass Forest School. Crew maintain accurate, timely and secure records of concerns, incidents, accidents, decisions and actions to ensure risks are identified, managed and reviewed effectively.

Records are factual, clearly dated, and attributable, written in professional, objective language. They distinguish facts, professional judgement, and actions taken, avoiding assumptions, emotive language, or unsubstantiated conclusions. All relevant matters are recorded without delay on Compass Forest School’s secure 'LearnTrek' system.

Records may support the identification of patterns, trends or emerging risks to inform learning, oversight and proactive planning. Crew are expected to seek guidance from the relevant Designated Lead if unsure whether to record an issue. Records are stored and managed in line with UK GDPR, the Data Protection Act 2018, and other applicable legislation.

Access is restricted to those with a legitimate professional role and information is shared strictly on a need-to-know basis. Records are retained in accordance to statutory requirements and recognised best practice. They are reviewed regularly to support transparency, learning, accountability and the continuous improvement. Crew are accountable for maintaining records that reflect the highest professional standards.

2.11 WHISTLEBLOWING

Compass Forest School creates a culture where concerns can be raised openly, honestly and in good faith, without fear of reprisal or victimisation. Crew have a professional duty to report concerns about the conduct, behaviour or practice of colleagues or the organisation where children, Crew or others may be at risk.

Safeguarding concerns must be reported immediately to the Designated Safeguarding Lead (DSL) or Deputy DSL. If the concern relates to the DSL, it must be raised via the independent whistleblowing service, SafeCall (0800 915 1571). Crew must never investigate concerns themselves or delay reporting. Failing to report, regardless of personal relationships or perceived seriousness, may be regarded as condoning unsafe practice.

Where appropriate, concerns should be documented factually before or during reporting. All reports are treated seriously, confidentially and investigated promptly. Whistleblowing is a vital safeguarding mechanism and forms part of Compass Forest School’s commitment to transparency, accountability, and child-centred practice.

2.12 MONITORING ARRANGEMENTS

This Playbook is reviewed at least annually by the Owner and Designated Safeguarding Lead to ensure it remains effective, compliant and aligned with best practice and statutory guidance. Reviews also consider feedback from Crew, families and Client schools. Playbooks are updated immediately in response to changes in legislation or guidance. Monitoring ensures the Playbook continues to support safe, personalised, and effective provision for all learners.

2.13 LINKS TO OTHER PLAYBOOKS OF RELEVANCE

Compass Forest Schools Data Protection Playbook links to the following Playbooks :

Safeguarding and Child Protection

Safer Recruitment

Managing Allegations

Health And Safety