Data Protection Policy


The River Bank School is committed to protecting all personal and sensitive information relating to staff, pupils, parents and governors. This document is a statement of the aims and principles of the School for ensuring the confidentiality of sensitive information relating to all stakeholders in our institution. River Bank School collects pertinent information about all stakeholders in order to measure important performance metrics such as assessment, achievements, and health & safety. This data protection policy ensures that all information collection and processing comply with the data protection principles set by the Nigerian Personal Information and Data Protection Bill 2008.

Data Protection Principles – The Data Protection Bill 2008 establishes eight principles that must be adhered to at all times. In summary, the Data Protection Act stipulates that all personal data must:

1. Be processed fairly and lawfully;

2. Be obtained only for one or more specified and lawful purpose;

3. Be adequate, relevant and not excessive;

4. Be accurate and, where necessary, kept up to date;

5. Not be kept for longer than necessary for that purpose or those purposes;

6. Be processed in accordance with the rights of the data subject under the Data Protection Act;

7. Be kept secure from unauthorized access i.e. protected by an appropriate degree of security;

8. Not be transferred to a country or territory outside Nigeria, unless that country or territory ensures an adequate level of data protection.

Status of the Policy – In order to ensure that all staff involved in the collection and processing of data adhere to the principles of the Data Protection Act, River Bank School has developed this Data Protection Policy. This policy does not form part of the contract of employment for staff, but it is a condition of employment that employees will abide by the rules and policies made by the School from time to time. Any failure to follow the policy can, therefore, result in disciplinary proceedings in accordance with the staff disciplinary policy.

The Data Controller and the Designated Data Controllers – The School has two Designated Data Controllers: the Head of School and the appointed Data Manager.

Any member of staff, parent or other individual who considers that the Policy has not been followed in respect of personal data about himself or herself or their child should raise the matter with the appropriate Designated Data Controller, who would be the Head of School.

Responsibilities of Staff

All staff are responsible for:

1. Ensuring that all information they provide with regard to their employment is accurate and up to date.

2. Informing the School of any changes to information that they have provided, e.g. change of address, either at the time of appointment or subsequently. The School cannot be held responsible for any errors unless the staff member has informed the School of such changes.

3. Handling all personal data (e.g. pupil attainment data) with reference to this policy.

Data Security

All staff are responsible for ensuring that:

1. Any personal data under their protection are kept securely.

2. Personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorized third party. Staff should note that unauthorized disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Personal information should:

1. Be kept in a locked filing cabinet, drawer, or safe; or

2. Be coded, encrypted or password protected, both on a local hard drive and on a network drive that is regularly backed up; or

3. Be kept on removable storage media only where that media is itself kept in a locked filing cabinet, drawer, or safe.

Processing Sensitive Information

All sensitive information, such as health or criminal records about a pupil or a member of staff, must be processed in order to ensure that the school is a safe place for everyone. The school reserves the right to withdraw offers of employment if an individual refuses to consent to this without good reason.

Publication of School Information

In order to meet the legitimate needs of parents and enquirers interested in the school, certain generic personal information relating to School staff will be made available on the school’s website.

Retention of Data

The School has a duty to retain some staff and student personal data for a period of time following their departure from the School, mainly for legal reasons, but also for other purposes such as being able to provide references or academic transcripts. Different categories of data will be retained for different periods of time.


Complaints will be dealt with in accordance with the school’s complaints policy.


A review of this policy will be undertaken by the Headteacher and a nominated representative as is deemed appropriate, but no less frequently than every year.


In compliance with the Data Protection Bill 2008, any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or even to a criminal prosecution.
