Back to all policies

Policy

Data Protection Policy

Taqwa Institute processes personal data about the children, families and staff associated with its programmes.

Organisation

Taqwa Institute

Data Controller

Taqwa Institute, Crossbank Street, Oldham, OL8 1HE

ICO Registration

Registered with the ICO

Policy Owner

Principal / Board of Trustees

Last Updated

2026

1. Introduction

Taqwa Institute processes personal data about the children, families and staff associated with its programmes. This policy sets out our obligations under:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018 (DPA 2018)
  • ICO Children's Code (Age Appropriate Design Code)
  • Online Safety Act 2023

Given that Taqwa Institute serves children aged 4–16, we apply a higher standard of care when processing children's personal data, in line with the ICO's Children's Code and KCSiE 2024.

2. Data Protection Principles

All personal data processed by Taqwa Institute must be:

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes only
  3. Adequate, relevant and limited to what is necessary (data minimisation)
  4. Accurate and kept up to date
  5. Kept no longer than necessary (storage limitation)
  6. Processed securely to protect against unauthorised access, loss or destruction

3. What Data We Collect

  • Children: name, date of birth, address, medical/health information, attendance records, educational assessments, photographs/videos
  • Parents/Carers: name, address, contact details, emergency contact information
  • Staff/Volunteers: name, address, DBS certificate details, qualifications, next of kin, payroll data

Given our work with children aged 4–16, we apply the heightened protections required by the ICO's Children's Code:

  • We do not use children's data for profiling or targeted advertising
  • We collect only the minimum data necessary for educational purposes
  • We do not sell children's personal data to third parties
  • Parental consent is obtained before any non-essential processing of children's data

4. Lawful Basis for Processing

  • Legitimate interests: operational and educational administration
  • Legal obligation: safeguarding referrals, DBS checks, statutory reporting
  • Vital interests: emergency medical situations
  • Consent: photography, newsletters, non-essential communications
  • Contract: employment and service agreements

Consent from children: Where we rely on consent for processing children's data, we seek this from a parent or carer for children under 13. Children aged 13–16 may provide consent subject to our assessment of their understanding and maturity.

5. Individual Rights

Data subjects have the following rights under UK GDPR:

  • Right to be informed — via privacy notices
  • Right of access — subject access request (SAR) within one calendar month
  • Right to rectification — correction of inaccurate data
  • Right to erasure ('right to be forgotten')
  • Right to restriction of processing
  • Right to data portability
  • Right to object — including to automated decision-making
  • Right to withdraw consent at any time

6. Data Security

  • Password-protected digital systems and encrypted devices
  • Locked physical filing for paper records
  • Role-based access controls
  • Staff training on data protection as part of induction
  • Secure disposal of redundant data (shredding / secure deletion)
  • Third-party processors subject to data processing agreements (DPAs)

7. Data Breaches

A data breach must be:

  1. Reported to the Principal / Data Protection lead immediately
  2. Investigated promptly
  3. Reported to the ICO within 72 hours if likely to result in risk to individuals
  4. Communicated to affected individuals if likely to result in high risk

ICO contact: www.ico.org.uk | 0303 123 1113

8. Retention Schedule

Data TypeRetention Period
Pupil educational records7 years after leaving (25 years for LAC)
Safeguarding / child protection records35 years from date of birth
Staff employment records6 years after employment ends
CCTV footage31 days unless required for investigation
Consent formsDuration of consent period plus 3 years

9. Sharing Data with Third Parties

Taqwa Institute may share personal data with:

  • Oldham Children's Services — safeguarding referrals
  • Police — child protection or legal obligations
  • DBS service — pre-employment checks
  • HMRC — payroll and Gift Aid reporting
  • ICO — data breach notification
  • External tutors / programme partners — under data processing agreements

We do not sell, trade or share personal data for commercial purposes.

10. Online Services & Children's Code Compliance

Taqwa Institute's website and any digital platforms used for learning comply with the ICO's Children's Code:

  • Default privacy settings are set to high for any online service accessible by children
  • No tracking or profiling of children for commercial purposes
  • Privacy information provided in clear, age-appropriate language
  • Data minimisation applied to all services directed at children

11. Policy Review

Reviewed annually. Queries: office@taqwainstitute.org

Next review: Academic Year 2026–2027

Taqwa Institute | Crossbank Street, Oldham, OL8 1HE | Charity No: 1131176 office@taqwainstitute.org | 0161 633 3626 | www.taqwainstitute.org