Data Sharing Agreement

Data Sharing Agreement

Click here to download a pdf copy of the Education Data Sharing Agreement

Click here to download a pdf copy of the Education Data Sharing Agreement Appendix



1.  Parties to this agreement


School Name






Responsible Manager



Contact Details






Authorised Signatory/Date

(Caldicott Guardian, SIRO, Chief Executive, Director etc).



Organisations Name


Bradford Metropolitan District Council (BMDC)



Margaret McMillan Tower, Princes Way, Bradford, BD1 1NN

Responsible Manager


Jonny Trayer

Contact Details


Telephone: 01274 439646





Authorised Signatory/Date

(Caldicott Guardian, SIRO, Chief Executive, Director etc).



Date of Agreement




2.  Specific purpose for which the data sharing is required

One of the five priorities for Bradford is to provide a great start and good schools for all our children.  This agreement supports this ambition by enabling the effective and necessary sharing of information between Bradford schools and the local authority (BMDC).  Good information is necessary for promoting the wellbeing of children and young people and to ensure that statutory responsibilities to safeguard and promote the welfare of children are fulfilled.

Sharing information helps mitigate risks to vulnerable children and young people.  Appropriate and timely sharing aids the effective identification of need and facilitates integrated responses to the address these needs.  This is relevant to individual cases and in terms of how we respond as a city to shared challenges.

Schools are at the heart of our partnership efforts.  This agreement relates to information sharing between schools and the local authority.  The administrative effort will be a consideration in all requests and we will continue, especially around the use of secure  technology, to minimise the effort needed to share information.

The purpose of this information sharing agreement is to enable BMDC to fulfil its statutory duties for all children and schools in the Bradford district. Paramount amongst these duties is the need to meet the Authority’s safeguarding requirements, and to enhance the ability of partner organisations to support the learning and welfare of children and young people through the exchange of data and use of information where there is a statutory requirement to do so. There is statutory duty on BMDC to ensure there are sufficient school places in their area, promote high educational standards, ensure fair access to educational opportunity and promote the fulfilment of every child’s educational potential. BMDC must also promote diversity and increase parental choice

Sharing information between BMDC and schools will:

  • Enable BMDC to carry out and conduct its statutory and core services for all children and schools
  • Improve the outcomes for all children, especially the vulnerable
  • Promote the welfare of the child and family and to safeguard the most vulnerable through the timely identification of need and targeting of integrated support.
  • Contribute to a shared understanding of need across the city
  • Continue to provide high quality services to children, including high quality education provision
  • Provide complete key stage outcome data for comparison purposes
  • Reduce administrative burden on schools  avoiding duplication and ensure systems are accurate and up to date
  • Assist in the improvement, where necessary, of the quality of data held by schools
  • Assist in the support and challenge of schools in the authority

Information will be managed in line with Bradford Metropolitan District Council policy and guidelines on the safe and secure management and use of information.

3.  Type and status of data shared

Is the data ‘person identifiable’?


    Has explicit consent been given and recorded?


    Has implied consent been recorded?


    Is the subject aware that sharing will take place?




Is the data anonymised?



4.  Legal basis for sharing where no consent is given

Under the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (GDPR) when this replaces the DPA the parties to the agreement are defined as data controllers and therefore must comply fully with the DPA/GDPR and must be registered with the Information Commissioner ( In addition schools must notify parents and young people of the reasons why information is processed by the school, which is called a privacy notice – see appendix 1.

Under the DPA Personal Data may be shared without a Data Subject’s consent where one of the processing conditions from the following list is met:

                 I.          the sharing is necessary to comply with any non-contractual legal obligation of the Data Controller;

               II.          the sharing is necessary to protect the vital interests of the Data Subject;

              III.          the sharing is necessary for the administration of justice, to comply with a statute or for exercising functions of a public nature; or

             IV.          the sharing is necessary for the legitimate interests of the Data Controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the Data Subject.

Schedule 2 6 (1) of the Data Protection Act 1998

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


The information to be shared may be regarded as ‘sensitive’ in accordance with the Data Protection Act and therefore the following schedule 3 condition is also satisfied;

  • Schedule 3, 7(1)(b)The processing is necessary—for the exercise of any functions conferred on any person by or under an enactment.

General Data Protection Regulation (GDPR)

Under the GDPR Personal Data may be shared without a Data Subject’s consent where one of the the following lawful processing conditions set out in Article 6(1) is met

  • 6(1)(a) – Consent of the data subject
  • 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • 6(1)(c) – Processing is necessary for compliance with a legal obligation
  • 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
  • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The GDPR refers to sensitive personal data as special categories of data and the conditions for special categories of data are set out in Article 9(2)

Conditions for special categories of data

  • 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • 9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
  • 9(2)(c) – Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
  • 9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
  • 9(2)(e) – Processing relates to personal data manifestly made public by the data subject
  • 9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
  • 9(2)(g) – Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
  • 9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
  • 9(2)(i) – Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
  • 9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

The following provide justification of the legal gateways for sharing information between schools and BMDC for the purposes set out below:

Education Act 1996 (2002 & 2011)

  • Section 14 of the Education Act 1996 requires local authorities to provide sufficient schools and equipment for pupils of all different ages, abilities and aptitudes and for the different periods for which they may be expected to stay at school.  Provision must include practical instruction and training appropriate to the pupils’ different needs and must secure diversity in the provision of schools and to increase opportunities for parental choice.
  • Section 15 of the Education Act 1996 requires local authorities to provide the provision for their area of education suitable to the requirements of persons over compulsory school age who have not attained the age of 19.

School Standards & Framework Act 1998

  • Section 5 of the School Standards & Framework Act 1998 requires local authorities to promote high standards in primary and secondary education.

Education & Skills Act 2008

  • Section 10 of the Education & Skills Act 2008 requires local authorities in England must ensure that its functions are exercised so as to promote the effective participation in education or training of persons belonging to its area.

In addition the sharing can be justified for the following purposes in accordance with the following legal gateways:

Section 10 of the Children Act 2004

This requires Children’s Service Authorities and their relevant partners to cooperate in order to improve the well-being of children and young people in relation to the following:

  • physical and mental health and emotional well-being
  • protection from harm and neglect
  • education, training and recreation
  • the contribution made by them to society
  • social and economic well-being

Section 11 of the Children Act 2004

Duty on key persons and bodies to make arrangements to ensure their functions are discharged with regard to the need to safeguard and promote the welfare of children.

Section 47 Children Act 1989

Section 47 places a duty on local authorities to make enquiries where they have reasonable cause to suspect that a child in their area may be at risk of suffering significant harm. Local authorities shall make, or cause to be made, such enquiries as they consider necessary to enable them to decide whether they should take any action to safeguard or promote the child's welfare.

Section 17 Children Act 1989

Local authorities have duties to safeguard and promote the welfare of children within their area who are in need and so far as is consistent with that duty, to promote the upbringing of such children by their families by providing a range and level of services appropriate to those children's needs.

Working together to safeguard children 2013

This statutory guidance sets out how inter-agency organisations and individuals should work together to safeguard and promote the welfare of children.

BMDC may from time to time share information with third party organisations where there is an appropriate legal gateway or a statutory requirement to do so.                                                                                                                      

5.  Data Items shared

Service User Data


Information Required

Core Learner Data

Basic details on the children and young people in Bradford schools

Attendance including exclusions and alternative provision

To support safeguarding, we know where our children are, and to help ensure all children are getting their full learning entitlement.  Will provide a basis for more targeted work around attendance at various levels.

Post 16 including destinations

To help ensure Bradford’s young people are participating in learning post 16

Children looked after

Sharing pupil details with the corporate parent to ensure looked after children are in appropriate education and attending and then are making good progress in their learning


To submit returns to the DfE e.g. school census, end of key stage tests/assessments, school workforce census

Locally Required

Information to support shared Bradford priorities e.g. Provisional KS4 & KS5 examination results


A more detailed breakdown of the data that is collected by BMDC from schools is included in appendix 2.

The information collected from schools is processed by BMDC, and the following information is shared with schools:

  • Contextual Analysis
  • End of Key Stage Assessment Performance
  • Pupil Progress
  • Attendance
  • Core Pupil Data

6.  Protective Marking

Is Protective marking/Classification relevant to this information?




If Yes, to what level


  1. Top Secret


  1. Secret


  1. Confidential



7.  Data Transfer Method

All parties to this agreement are responsible for ensuring that appropriate security and confidentiality procedures are in place to protect the transfer, storage and use of the shared, person identifiable data.    

Each partner will make sure that personal data shall be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures in accordance with principle 7 of the DPA/Article 5(1)(f) of the GDPR. BMDC and schools must make sure they have procedures in place to prevent:

  • Accidental compromise or damage during storage, handling, use, processing, transmission or transport;
  • Deliberate compromise or opportunist attack;
  • Unauthorised disposal or destruction of the data;
  • Unauthorised access;
  • Accidental loss of personal data should be avoided through the implementation of appropriate security procedures.

Where BMDC requests information from schools we will ensure we prescribe the manner of the delivery in an appropriate secure method. The data transfer method may change depending on the information to be provided, however BMDC will provide a secure alternative where necessary. BMDC will ensure information is collected and maintained in a secure manner compliant with the DPA/GDPR obligations.                            

Give full details of how the transfer will be made and what security measures will be in place e.g. encryption, business secure mail or recorded signed for etc.

Face to face





  • Named point of contact at BMDC and school

Safe haven fax (or faxed following procedure)


Electronically (state method)


  • Bradford Schools Online (Encrypted)
  • Groupcall Xporter

Secure E Mail      


  • Encrypted or password protected Email

Secure Mail



Secure Courier



Encrypted Removable Media


·        Very occasionally





Has a risk assessment been carried out on the chosen methods of transfer?



What are the identified risks?


Slight due to encrypted method of data transfer.


8. Audit and Review

Organisations Name

City of Bradford Metropolitan District Council



2nd Floor

Margaret McMillan Tower

Princes Way



Responsible Manager

Jonny Trayer

Contact number

01274 439646

Review Date

1st September 2018



Any incidents occurring as a result of this agreement should be reported to the signatories of all affected organisations. They will then pass on the information

in accordance with incident reporting procedures within their own organisation

if appropriate. Organisations will agree to share information in order to help investigate any such incidents


Subject Access Requests Will Be Directed To


Information Governance Officer

City of Bradford Metropolitan District Council

1st Floor

Britannia House

Hall Ings



Special Arrangements For Subject Access Requests


Schools and BMDC will answer any requests they receive and ensure all subject access requests are handled in line with DPA 1998/GDPR.



Retention Period For Data


DOB of the pupil + 25 years

Disposal Method For Data


Secure disposal - Electronic Database Management


Page owned by Jonny Trayer, last updated on 19/10/2018. This page has been viewed 13,016 times.