General Data Protection Regulations (GDPR)

The General Data Protection Regulations (GDPR) came into force on 25th May 2018.  These regulations changed the rules around data protection and strengthened the rights of those who provide personal data to the Academy. A copy of the Trust GDPR Policy can be downloaded here.

Sacred Heart Secondary Catholic Voluntary Academy has been working with the wider Nicholas Postgate Academy Trust to ensure that private information about parents and students stays safe, and how we deal with it complies with the new regulations.

At the beginning of each academic year we issue a privacy notice to parents/carers to inform them of what personal information is held within the Academy, why it is collected and who we share it with.  A privacy notice from the Nicholas Postgate Academy Trust has been written to comply with the new regulations.  A copy can be downloaded here.  We also show you, via a SIMS data form, what information is held by the Academy about you and your child.  You can amend or remove items of data from this form at any time by contacting the Academy.  Parents/Carers are asked to ensure they have sought consent from the personal data owner before providing information on emergency contacts to the Academy.  Anyone who believes that the Academy holds emergency contact information in error can apply to have this information deleted from our records.

The Academy will act in accordance with the Trust's GDPR Policy with regard to consent as follows:

  • Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes.
  • Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes.
  • Where consent is given, a record will be kept documenting how and when consent was given.
  • The Academy will ensure that consent mechanisms meet the standards of the GDPR.
  • Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease.
  • Consent accepted under the DPA will be reviewed to ensure it meets the standards of the GDPR; however, acceptable consent obtained under the DPA will not be re-obtained.
  • Consent can be withdrawn by the individual at any time. Where a child is under the age of 13 (or any other such age as is confirmed by the Government under the Data Protection Bill) the consent of parents will be sought prior to the processing of their data, except where the processing is related to preventative or counselling services offered directly to a child.