The General Data Protection Regulation

Community First Academy Trust is committed to being transparent about how it collects and uses data in order to meet its data protection obligations under the General Data Protection Regulations (GDPR).

We’ve spent a lot of time reviewing our responsibilities under GDPR and like to think we’ve been thoughtful about its intent and meaning. Our policies and data mapping was last reviewed in February 2019. Our next review is scheduled to take place in February 2020. 

Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate a new relationship with the EU. During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action. We will continue to follow existing guidance on the GDPR.

Our policies relating to data and the GDPR are listed at the footer of this page, however, the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. We undertook a full information audit and dat mapping exercise (Jan 2018) across the organisation and will continue to do so in order to maintain a record of all of our processing activities. 

Trust Data Protection Officer (DPO)

The Trust has appointed Craig Holden as its data protection officer (DPO). The role of the DPO is to inform and advise the Trust on its data protection obligations. The DPO can be contacted at Questions about our policies, or requests for further information, should always be directed to the data protection officer in the first instance.

If you require any additional guidance then please do not hesitate to contact a member of the GDPR protection team.

  • Craig Holden – Data Protection Officer
  • Carol Brockbank - Deputy Data protection Officer 

The DPO is supported through a team of Data Guardians who help develop our group personal data compliance approach within their specific teams. They engage with their team colleagues on key change projects, assisting in the management of the privacy network, data incidents, development of training and data protection related policies and processes. 

  • Martin Haskayne – Data Guardian – Platt Bridge Community School | Pre-School
  • Jo Robinson - Data Guardian - Platt Bridge Start Well Family Centre 
  • Carly Lomax - Data Guardian - Kingsbridge Teacher Training | Apprenticeships 

The team can be contacted by email or by phone 01942 487999 or by letter to our registered office. Please note that the charitable trust may from time to time, be required to share personal information or process data 'without consent' about its employees, service users, pupils or initial teacher training trainees/apprentices with other organisations, mainly; Pubic Health England, the Police, the Local Authority, Department for Education or other schools / educational bodies etc.

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:          

 (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

 (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

 (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

 (d) Vital interests: the processing is necessary to protect someone’s life.

 (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

 (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The trust has drafted a number of policies to ensure all staff, SCITT trainees, trustees and governors are aware of their responsibilities and outlines how the trust complies with the following core principles of the GDPR.

The trusts general policies relating to data protection are:

1. HR Related GDPR Policy

2. Data Protection GDPR Policy

3. ICT Acceptable User Policy

4. Kingsbridge SCITT - use of ITT Trainee Data Policy

5. GDPR - Exams Policy 

6. Model Publication Scheme 

6.1 The school’s ‘guide to information’

Trust Privacy Notices:

1. School Workforce Privacy Notice

2. Student / Pupil and their families Privacy Notice

3. Child Friendly Privacy Notice 

4. Parent/Carer Privacy Notice 

5. Customer Privacy Notice (including Kingsbridge & Institute of Learning)

6. DfE's Privacy Notice: Initial Teacher Training Trainees

7. Privacy Notice for Prospective Employees

8. Privacy notice for Trustees and Governors

9.  Privacy Notice for Volunteers

10. Covid-19 Privacy Notice Addendum – School and workplace temperature screening

Seeking consent: 

We've added the following form for parents/carers (Primary aged pupils) to consent to the processing of their child's data.

1. Consent form for processing pupils’ personal data (primary phase)

2. Advice from Public Health England on health data collections (primary phase)

Should you wish to withdraw consent please complete the following form:

Withdraw Consent

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • We consider using privacy dashboards or other preference-management tools as a matter of good practice.
  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • We act on withdrawals of consent as soon as we can.
  • We don’t penalise individuals who wish to withdraw consent.  



All rights reserved. No part of our policies may be reproduced, stored in a retrieval system, or be transmitted in any form or by any means, electronically, mechanic, photocopying, recording or otherwise without the prior written permission of the copyright owners – Community First Academy Trust.