Following the Data Protection Act 1998, the General Data Protection Regulation (GDPR) 2018 came into force on 25 May 2018. The GDPR only applies to personal information, ie, information about identifiable living individuals and to anyone who processes, stores or is the subject of personal data.
The Regulation lays down rules relation to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data:
- It protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
- Anyone who records and uses personal information (data controllers) must be open about how the information is used and must follow the six principles of ‘good information handling’.
- All individuals (data subjects) have the right to see information that is held about them and the right to have information corrected if it is incorrect.
- The Regulation applies to all electronic records that contain information about living and identifiable individuals and extends data protection to manual files where the personal data of a data subject is readily accessible (a structured filing system).
- The main aim of the Regulation is to protect data from unnecessary, unauthorised or harmful use and to provide individuals with some control over the use of their personal data. Individuals have the right to take action for compensation caused by inaccurate, lost or destroyed data or unauthorised disclosure of information. They also have the right to complain to the Information Commissioner who may serve an enforcement notice and, in some circumstances, impose a financial penalty.
In collecting, using, storing and disposing of data, the Trust or an individual Academy will comply with the requirements of the GDPR that govern the processing of personal data. Under these requirements, information will be collected and used fairly, stored safely and not disclosed to any other person where to do so would be in breach of those requirements or would otherwise be unlawful.
If a request is made for information, in the majority of circumstances the issue will be resolved without reference to the GDPR. If a Data Subject specifically makes a request under this Regulation, then a formal procedure must be followed (see SARs below).
Please see the documents detailed below for more information on our Privacy Notices.
- Trust Privacy Notice for Parents and Pupils
- Trust Privacy Notice for Staff
- Trust Privacy Notice for Governance and Volunteers
- Trust Privacy Notice for Visitors and Contractors
- Trust Privacy Notice for Job Applicants
Please also read our Data Protection Policy detailed below.
Subject Access Requests
Please read the attached policy below for information and procedures to follow should you wish to make a Data Subject Access Request.
Individuals have a right to access the personal data and supplementary information the Trust may hold about them. This right applies to everyone whose personal data the Trust holds, including pupils, volunteers, staff, and Trust Governance
- Must provide free of charge
- Must comply within 1 month
- Should provide information in a commonly used electronic format, if the request is made electronically
Refusing a request Main reasons for refusal:
- Unfounded, excessive or repeated requests
- Concerns about "serious harm". If sharing the information could cause serious physical or mental health issues to the individual
- Information that includes others' personal data
For further information on Subject Access Request's please see the policy below and the attached Subject Access Request Form (SAR).
Data Protection Officer
The Data Protection Officer is responsible for overseeing data protection within the school so if you do have any questions in this regard, please do contact them on the information below:
Data Protection Officer: Judicium Consulting Limited
Address: 72 Cannon Street, London, EC4N 6AE
Telephone: 0203 326 9174
Lead Contact: Craig Stilwell