General Data Protection Regulations


What is G.D.P.R?

The current law protects the data that others obtain, process, store and destroy about us. This is called the

Data Protection Act 1998.

A newer law, which is broader and stronger, known as GDPR, is came into effect on 25th May 2018.

As a result, we are now required to carefully consider the way in which information and permissions are obtained from you and why we need that information and then what we do with it when we have it.


This new set of rules gives a clear set if rights to everyone in society as well as making clear the responsibilities of organisations which handle or process information about people (or 'Data Subjects' as they are known).  GDPR applies to 'Data Controllers' and 'Data Processors'.  

-  A 'Data Controller' determines the purposes and means of processing personal data

-  A 'Data Processor' is responsible for processing personal data on behalf of a controller.

Bevendean Primary School is a Data Controller as we collect or generate data about pupils, parents/carers, staff and visitors.


Data Subjects' rights under GDPR:

- Right to be informed

- Right of access

- Right to rectification

- Right to object

- Right to restriction of processing

- Right to erase

- Right to data portability

- Rights relating to automated decision making including profiling


Public Authority

As a school we are classed as a public authority and much of the data we gather about you/your children will be under this legal basis: and the use of your data must have a clear basis in law.

We are required to process your child’s personal data to meet our statutory duties under safeguarding law.  We also need this data to ensure children are placed in the right year group and have access the appropriate curriculum.  Also, we may need to report on individual circumstances to access funding to meet individual specific needs.  Without this data we cannot meet our core function, which is educating children.

We already have very robust security measures in place to keep your data safe and secure: this new GDPR legislation will enhance our current procedures and processes.

We will continue to obtain your consent when taking children on trips or whenever they are involved in workshops to enhance their learning. This aspect will also be audited, so it is our duty to ensure that we have clear evidence of your permission. We are working out ways of doing this so you will only have to do it once.

No personal information of yours will be used for marketing and / or fund- raising activities unless we have obtained your permission first.

The above reasons for data processing are not exhaustive and we are developing a set of privacy notices that will give you more information. Our findings will be published on the school’s website in due course.


What happens next?

We will be updating our privacy notices and posting these on our website.  We will be asking you to review the information we hold on you and your child and asking you to confirm its accuracy.

We will also seek your consent for any other data processing requirements we may have.


What is a breach?

A ‘breach’ happens when data has been lost by us, or any organisation that holds your data.  Under the new legislation, we will have to notify the Information Commissioner’s Office (ICO) if and when this happens.  If any individuals are affected by the breach, we will have to notify them as well, especially if there is a high risk to their rights and freedoms.


If you have any questions, then please contact our Data Protection Officer (DPO) James England:

Eco-Schools Bronze Award
Eco-Schools Silver Award
Healthy Schools Cornwall