What is GDPR?

GDPR stands for: General Data Protection Regulation and new regulations in relation to your personal data come into effect from 25th May 2018.

Aquila, The Diocese of Canterbury Academies Trust will ensure across the Trust that personal data is protected and kept safely and securely. It will ensure that its policy for data protection is used as the basis for collecting, storing, accessing, sharing and deleting personal data. The Trust will use the UK General Data Protection Regulations (UK GDPR) as the benchmark for its standard for protecting personal data.


  1. To ensure that decision makers and key people in school comply with the UK GDPR
  2. To ensure that there will be regular reviews and audits of the information we hold to ensure that we fully meet the UK GDPR statutory requirements.
  3. To document the personal data we hold, where it came from and with whom it will be shared.
  4. To ensure that data collection, data handling, data storage and data disposal procedures are in line with the UK GDPR and cover all the rights individuals have, including how personal data is deleted and destroyed.
  5. Where there is a personal data breach the procedures used to detect, report and investigate it will meet the requirements of the UK GDPR.
  6. The systems the school puts into place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity will meet the standard set in the UK GDPR.
  7. Data protection by design and data protection impact assessments will meet with the ICO’s code of practice on privacy impact assessments as well as with the latest guidance.
  8. The Trust will have a Data Protection Officer who will be given responsibility for data protection compliance and a data protection lead will be in each school.
  9. When schools requests data we will provide appropriate privacy notices to explain why data is being and the purposes for which it is used.


The requirements of the UK GDPR will be met by the Trust as the basis for collecting, storing, accessing, sharing and deleting personal data. Data will be processed fairly lawfully and in a transparent manner. It will be used for specified, explicit and legitimate purposes in a way that is adequate, relevant and limited. It will be accurate and kept up to date and kept no longer than is necessary. Data will be processed in a manner that ensures appropriate security of the data.

To contact the Trust DPO please email 

Data Protection Policy

Data Retention Policy

Email Policy

Data Protection Impact Assessment (DPIA)

What are Data Protection Impact Assessments?

Data Protection Impact Assessments (DPIAs) are structured assessments of the potential impact on privacy for high risk processes, and help us to identify the most effective way to comply with data protection obligations. The DPIA should form part of the overall risk assessment of the process or project.

A DPIA helps us to:

  • Anticipate and address the likely impacts
  • Identify privacy risks to individuals
  • Foresee problems and negotiate solutions
  • Avoid unnecessary costs
  • Protect the organisation’s reputation
  • Offer assurance to stakeholders
  • Meet legal requirements

The DPIA process is not only a legal requirement, but is also an important tool to help you identify and minimise the data protection risks of a project that involves processing personal data.

The DPIA process is relevant to initiatives involving the use of personal data and is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal data.

The DPIA enables privacy and data protection considerations to be made in the early stages of a project, where any identified problems can be easier to resolve, rather than late or retrospective considerations where solutions can be costlier or delay implementation. A DPIA can also identify whether the project should be continued, when balanced with the rights and interests of persons affected.

The DPIA process will consider privacy in the way individual’s personal data is used. This can involve privacy about: the integrity of the individual, the person, their personal information, their personal behaviour and their personal communications.

What is high risk?

A high risk is considered to exist when particularly sensitive personal data is processed, a large volume is held, CCTV is in place, or any factor exists where personal data may be breached. High risk can result from a high probability of some harm, or a lower probability of serious harm.

Particularly sensitive data or ‘special category data’ includes:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life; or
  • sexual orientation


Subject Access Request Policy

Freedom of Information Publication Scheme