Is your school registered as a Data Controller?
It should be!
Register of data controllers - Search here
Data Protection Guidance for Education Establishments - ICO
Notification under the DPA - Must I notify and how do I maintain my register entry?
"Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissionerís Office (ICO), unless they are exempt. Failure to notify is a criminal offence.
Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.
The main purpose of the public register is transparency and openness. The register includes the name and address of data controllers and a description of the kind of processing they do"
In other words, to cover youself under the DPA, your school MUST register with the ICO or your school is breaking the law.
I've just checked our registration and it's fine, but two near neighbours in the independent sector are not. Both have changed hands in recent years and I think that's where the slip has happened.
I can see schools falling foul of this particularly with Academy Conversions. It is easily missed.