1. General Statement of the Duties of the Centre for Young Musicians (CYM)
    • The City of London Corporation, PO Box 270, Guildhall, London EC2P 2EJ (‘the City Corporation’) is the Data Controller for personal data processed by the CYM (‘the CYM’). The City Corporation’s Data Protection Officer is the Comptroller and City Solicitor and can be contacted at officer@cityoflondon.gov.uk. For any queries regarding this Policy, please contact Elaine Lewis (elewis@cym.org.uk)
  • The City Corporation, and the CYM, are required to process personal data regarding pupils, their parents and guardians as part of their operation, and shall take all reasonable steps to do so in accordance with this Policy, and data protection legislation i.e. the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘the DPA’).
  • The City Corporation and the CYM are committed to ensuring that they protect the rights and freedoms of all individuals with respect to the personal data they hold about them and aim to have transparent systems for processing personal data.
  • This Policy applies to all current, past or prospective pupils at the CYM and their parents and guardians. Anyone who works for, or acts on behalf of, the CYM (including staff, volunteers, governors and service providers) must be aware of and comply with this Policy.
  1. Data Protection Legislation
    • The City Corporation and the CYM have the responsibility to comply with data protection legislation which applies to information relating to both “Personal Data” and “Special Categories” of personal data of a “Data Subject”. These terms are defined below.
  • Personal Data is defined in the GDPR as information relating to and identifying a living individual who can be identified from the data. The CYM may process a wide range of personal data of pupils, their parents or guardians, as part of their operation, for example, names and contact details, date of birth, financial details; academic information, disciplinary, admissions and attendance records; references; and examination scripts and results, information stored in virtual learning environments, CCTV recordings etc.
  • Special Categories of Personal Data is defined in the GDPR as personal data which is highly sensitive which details racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric and health data, and data concerning a natural person’s sex life or sexual orientation. For example, the CYM may process personal data relating to pupil special educational needs, safeguarding and medical history. (Any reference to personal data in this Policy includes reference to ‘Special Categories’ of personal data, previously ‘sensitive personal data’).
  • Data Subject is defined as a natural (living) person whose personal data is processed. In this Policy, any reference to Data Subject means pupils (including current, past or prospective), parents and guardians.
  • Processing is defined very broadly and encompasses collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, combining, restricting, erasing and destructing. In effect, any activity involving personal data falls within the scope of the DPA and GDPR.
  1. Data Protection Principles
    • In order to comply with the data protection legislation, the CYM must comply with the six Data Protection Principles set out below:

Personal data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject;
  2. collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  4. accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  5. not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed. Personal data may be stored for longer periods provided it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is subject to the implementation of appropriate data security measures designed to safeguard the rights and freedoms of data subjects; and
  6. be processed in a manner that ensures its appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  7. Conditions for Processing of Personal Data
    • There are a number of conditions set out in Article 6 of the GDPR which allow the CYM and its staff to process personal data. At least one of the following conditions must apply for the CYM to lawfully process personal data about Data Subjects:
  8. Consent: the Data Subject has given clear consent to process their personal data for a specific purpose. This may apply if for example, the CYM asks pupils for consent to use their photographs in CYM publications and on the CYM website or to carry out marketing for fundraising campaigns.

The CYM will rely on parental or guardian consent to process data relating to pupils under the age on 13. Parents should be aware that if their child is aged 13 or over, they may not be consulted.

NB: if relying on consent, it must be voluntarily given, specific, informed and unambiguous. Data Subjects must be able to easily withdraw consent at any point.

  1. Contract: the processing is necessary for a contract with the Data Subject, or because they have requested specific steps before entering into a contract. For example, any contracts that are in place with parents or guardians and any other associated agreements concerning personal data of pupils and parents i.e. the CYM’s terms and conditions.
  2. Legal obligation: the processing is necessary in order to comply with the law (not including contractual obligations). For example, the CYM may have a legal obligation to provide certain personal data about pupils to the Department for Education (DfE).
  3. Vital interests: the processing is necessary to protect someone’s life. This would apply where the Data Subject is physically or legally incapable of giving consent.
  4. Public task: the processing is necessary to perform a task in the public interest or for official functions, where the task or function has a clear basis in law.
  5. Legitimate interests: the processing is necessary in the CYM’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the Data Subject’s personal data which overrides those legitimate interests. This condition cannot be relied on by a public authority but shall apply to Independent Schools.
  • Where the CYM is processing special category data, set out in Article 9 of GDPR, it must ensure that a further condition for processing applies. A full list of these further conditions is available on request or otherwise at Article 9(2) of GDPR.
  1. Disclosure of Personal Data to Third Parties
    • The CYM may receive requests from third parties (i.e. those other than the Data Subject, the CYM, and employees of the CYM) to disclose personal data it holds about pupils, their parents or guardians. This information will not generally be disclosed unless one of the conditions at section 5 apply.
  • The following are the most usual reasons that the CYM may have for passing personal data to third parties:
  • to give a confidential reference relating to a pupil;
  • to give information relating to outstanding fees or payment history to any educational institution which it is proposed that the pupil may attend;
  • to publish the results of public examinations or other achievements of pupils of the CYM;
  • to disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example for medical advice, insurance purposes or to organisers of CYM trips;
  • to provide information to another educational establishment to which a pupil is transferring;
  • to provide information to the Examination Authority as part of the examinations process; and
  • to provide information to the relevant Government Department concerned with national education. At the time of the writing of this Policy, the government Department concerned with national education is the Department for Education (DfE). The Examination Authority may also pass information to the DfE.
  • The DfE uses information about pupils for statistical purposes, to evaluate and develop education policy and to monitor the performance of the nation’s education service as a whole. The statistics are used in such a way that individual pupils cannot be identified from them. On occasion the DfE may share the personal data with other Government departments or agencies strictly for statistical or research purposes.
  1. Security of Personal Data
    • The City Corporation and the CYM will take reasonable steps to ensure that members of staff will only have access to personal data relating to pupils, their parents or guardians where it is necessary for them to do so. All staff will be made aware of this Policy and their duties under the Data Protection Legislation. The City Corporation and the CYM will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
  1. Retention of Personal Data
    • The CYM will have retention policies in place to ensure that personal data processed for any specified purposes shall not be kept for longer than is necessary for those purposes.
  2. Data Subject Rights
    • Under the GDPR, Data Subjects have several rights, including, but not limited to the right to:
  3. Be provided with an age-appropriate Privacy Notice containing certain information about the processing activities (Right to be Informed);
  4. Confirmation of whether the CYM processes personal data about them and the right to access the personal data processed and obtain certain information about the processing activities (Subject Access Request) please see below at paragraph 9 for further information;
  5. Correct inaccurate personal data (Rectification);
  6. Have personal data erased under certain circumstances (Erasure);
  7. Restrict the processing of personal data under certain circumstances (Restriction);
  8. Receive a copy of the personal data the data controller holds under certain circumstances and transfer the personal data to another data controller (Data Portability);
  9. Object to processing of personal data (Right to Object);
  10. Not be subject to a decision based solely on automated processing, including profiling (Automated Decisions).
  1. Requests for Access to Personal data (Subject Access Requests)
    • A subject access request must be made in writing and is free of charge. Where the request is not complete or clear, or satisfactory identification has not been given, The CYM will seek clarification from those making the request without undue delay.
  • All requests for access to personal data must be placed on the relevant pupil’s file, and the City Corporation’s Data Protection Officer (who at the time of writing is the Comptroller and City Solicitor) informed that the request has been received.
  • All requests for access to personal data must be passed to the Administrator of the CYM without undue delay.
  • The CYM Head of Centre or, in their absence, the Administrator, must authorise the applicant’s request for access before any personal data is disclosed. The CYM may also wish to seek advice from the Data Protection Officer in relation to disclosure.
  • A written response acknowledging the request must be sent to the applicant within 5 working days of the request.
  • The GDPR requires a response to a request to be given within one month of the written request being received. The one month period does not begin until:
  • a written application is received by anyone within the City of London Corporation (not when it has been passed on to and received by the CYM, or the Data Protection Officer);
  • the CYM has received sufficient information to enable it to identify the individual who is seeking access; and
  • the CYM has received sufficient information to enable it to identify and access the personal data requested.
  • The one month period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The CYM should inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
  • Where the conditions set out above are fulfilled, in responding to the request, the CYM must provide confirmation as to whether or not personal data is being processed and where that is the case, access to the personal data and the following information:
  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of other rights in respect of the personal data (see section 8);
  6. the right to lodge a complaint with the Information Commissioner’s Office;
  7. where personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling and reasons for carry out such processing.
  • Data subjects are not entitled to information where restrictions to the right of access apply. The restrictions are set out in Article 23 of GDPR. Moreover, in these circumstances, the CYM must only give a notification to the data subject that no information has been identified which is required to be supplied under the GDPR.
  1. Authorisation of Access to Personal Data on Behalf of a Child or Young Person
    • A child or young person may appoint a person with parental responsibility for him or her to request access to their personal data. In such circumstances the CYM must have written evidence that the child or young person has authorised the person with parental responsibility to make the application.
  • The Head of Centre or, in their absence, the Administrator will determine what information will be shared with the person with parental responsibility. Access to personal data will be refused in instances where, for example, disclosure may place a child at risk of significant harm or jeopardise police investigations into any alleged offence(s).
  • Where a child or young person does not have sufficient understanding to make his or her own request, a person with parental responsibility can make a request on their behalf. The Head of Centre or, in their absence, the Administrator must, however, be satisfied that:

the child or young person lacks sufficient understanding; and

  • the request made on behalf of the child or young person is in their interests.
  • The CYM will only grant to pupils access to their personal data if the child is aged 13 or over and is satisfied that the child is competent to exercise their own rights.
  • Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or guardian, the CYM will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where the CYM believes disclosure will be in the best interests of the pupil or other pupils. This will be assessed on a case by case basis.
  1. Disclosure of Personal Data
    • If the request is made electronically, the information should be provided in a commonly used electronic format, unless:
  • the supply of such a copy is not possible;
  • supplying it in permanent form would involve disproportionate effort (in which case another way of viewing the data must be agreed with the applicant); or
  • the data subject agrees otherwise.
  • Only relevant documents from the pupil’s file will be duplicated and disclosed to the applicant who, if requested, should be given a copy of the duplicated document. The CYM may charge a reasonable fee based on administrative costs for duplicate copies.
  • An individual is not entitled to information where:
  • restrictions to the right of access apply, or
  • another person, including any family member, has not given their written consent to disclose information that identifies them (see below).
  • Information contained in the Data Subject’s records is likely to contain personal data about other individuals. Information about or identifying another individual must not be disclosed to the Data Subject seeking access to the information without that other individual’s written consent.
  • In deciding whether it is reasonable to disclose information to the Data Subject without consent from the other individual, the CYM must not adversely affect the rights and freedoms of other individuals, and have regard to all relevant circumstances, including:
  • The type of information that would be disclosed;
  • Any duty of confidentiality;
  • Any steps taken by the CYM with a view to seeking the consent of the other individual;
  • Whether the other individual is capable of giving consent;
  • Any express refusal of consent by the other individual
  • There is also a general presumption in favour of disclosing personal data relating to employees, where this information is integral to the personal data of the applicant. So, the records kept by teachers in the course of their employment in respect of pupils may be disclosable.
  • Any request by an individual for access to their personal data must be complied with subject to this paragraph and to the restrictions and exemptions set out in paragraphs 12.1.-12.5. The CYM may, however, make a request for more specific details of the information sought.
  • A request for access to personal data without the permission of the individual must be directed to the Data Protection Officer.
  • A record of the personal data disclosed in response to a request for access should be kept on the pupil’s file, including details of any restrictions or exemptions to disclosure relied upon.
  1. Restrictions and Exemptions to Access by Data Subjects
    • Confidential references given, or to be given by the CYM, are exempt from access. The CYM will therefore treat as exempt any reference given by them for the purpose of the education, training or employment, or prospective education, training or employment of the Data Subject.
  • It should be noted that confidential references received from other parties may also be exempt from disclosure, under the common law of confidence. However, such a reference can be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent, or where disclosure is reasonable in all the circumstances.
  • Examination scripts, that is information recorded by pupils during an examination, are exempt from disclosure. However, any comments recorded by the examiner in the margins of the script are not exempt even though they may not seem of much value without the script itself.
  • Examination marks do not fall within an exemption as such. However, the one month time limit for responding to a request is extended in relation to examination marks to either five months from the day on which the CYM received the request, or 40 days from the announcement of the examination results, whichever is the earlier.
  • Where a claim to legal professional privilege could be maintained in legal proceedings, the information is exempt from disclosure.
  1. Manifestly Unfounded or Excessive Requests
    • Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the CYM may either:
  2. charge a reasonable fee taking into account administrative costs of providing the information or taking the necessary action; or
  3. refuse to act on the request.


  1. Complaints
    • If a Data Subject believes that the CYM has not complied with this Policy or acted in accordance with the GDPR or the DPA they should utilise the CYM’s complaints procedure.
  • If the Data Subject is still not satisfied, they may make representations to the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel (01626) 545 700.


Last reviewed: 4 May 2018