Data Protection Policy


Introduction

The General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (Cap 586) and pertinent subsidiary legislation regulate the processing of personal data, whether held electronically or in manual form. The processing of data shall be in accordance with the Education Act.

In applying for the free transport service, Parents/Guardians have submitted personal data pertaining to themselves and their respective children. This data consists of:

  • Parent / Legal guardian details: ID Number, Name, Surname, Address, Email, Mobile Number
  • Child details: ID Number, Name, Surname, Address, School, School Year and preferred pickup/drop-off point
  • In cases where provided, details of specific transportation required are also processed, depending on the information submitted by the parent / legal guardian.
  • The number of times the particular student makes use of the free transport.

This Policy sets out the manner in which personal data of students making use of the State School Transport Service is processed fairly and lawfully. This information is gathered in order to enable it to provide free transport for State Schools.

MFED (School Transport Section) is a data controller and must therefore comply with the Data Protection Principles in the processing of personal data, including the way in which the data is obtained, stored, used, shared, disclosed and destroyed.

Aim

This Policy will ensure:

That MFED (School Transport Section) and contracted data processing providers process personal data fairly and lawfully and in compliance with the Data Protection Principles.

That all staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities under this policy.

That the data protection rights of those parents/guardians and their respective children involved with the School Transport Service are safeguarded.

Confidence in the MFED (School Transport Service)'s ability to process data fairly and securely.

Scope

This Policy applies to:

  • Personal data of all parents/guardians and their respective children who have applied for the School Transport Service.
  • The processing of personal data, both in manual form and on computer.
  • All staff of the data controller and data processors.

The Data Protection Principles

The School will ensure that personal data will be:

1. Processed fairly and lawfully.

2. Collected for the specified, explicit and legitimate purpose and not further processed for other purposes incompatible with these purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.

4. Accurate and, where necessary, kept up to date.

5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Data Controller will be able to demonstrate compliance with these principles.

MFED (School Transport Service) will have in place a process for dealing with the exercise of the following rights of students and parents/guardians:

  • to be informed about what data is held, why it is being processed and who it is shared with;
  • to access their data;
  • to rectification of the record;
  • to erasure;
  • not to be subject to automated decision-making including profiling.

Roles and Responsibilities

The Data Controller, Data Processors and Data Protection Officer (MFED) are responsible for implementing good data protection practices and procedures within this service provision and for compliance with the Data Protection Principles.

It is the responsibility of all staff to ensure that their working practices comply with the Data Protection Principles.

Disciplinary action may be taken against any employee who breaches any of the instructions or procedures forming part of this policy.

The Data Protection Officer (MFED) will have responsibility for all issues relating to the processing of personal data and will report directly to the Data Controller (MFED).

The Data Protection Officer will comply with responsibilities under the GDPR and will see that subject access requests, requests for rectification and erasure, and data security breaches are dealt with diligently. Complaints about data processing will be dealt with in accordance with the MFED Complaints Policy.

Data Security and Data Security Breach Management

All staff are responsible for ensuring that personal data which they process is kept securely and is not disclosed to any unauthorised third parties.

Access to personal data should only be given to those who need access for the purpose of their duties.

Data will be destroyed securely on the elapse of the retention policy, not later than two months after the end of the current scholastic year.

All data breaches are to be reported to the Data Protection Officer (MFED).

Serious breaches where there is a high risk to the rights of the individual will be reported to the Information and Data Protection Commissioner in compliance with the GDPR.

Subject Access Requests

Requests for access to personal data (Subject Access Request (SAR)) will be processed by the Data Protection Officer. A SAR will be processed within the GDPR statutory time period of one calendar month of receipt of the request. Records of all requests will be maintained.

Sharing data with third parties and data processing undertaken on behalf of MFED (School Transport Section)

Personal data will only be shared with appropriate authorities according to law and with data processing providers contracted for the purpose. Any sharing will be undertaken by trained personnel using secure methods. Where a third party undertakes data processing on behalf of MFED (School Transport Section), MFED will ensure that there is a written agreement requiring the data to be processed in accordance with the Data Protection Principles.

Ensuring compliance

  • Training and guidance will be available to all existing staff.
  • The School advises the Parents/Guardians of students whose personal data is held of the purposes for which it is processed.
  • Contact the Data Controller and Data Protection Officer on [email protected], t. 25981223