Skip to content ↓

Data Protection

Following the Data Protection Act 1998, the General Data Protection Regulation (GDPR) 2018 came into force on 25 May 2018.  The GDPR only applies to personal information, ie, information about identifiable living individuals and to anyone who processes, stores or is the subject of personal data.

The Regulation lays down rules relation to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data:

  • It protects the fundamental rights and freedoms of natural persons and, in particular, their right
    to the protection of personal data.
  • Anyone who records and uses personal information (data controllers) must be open about how the information is used and must follow the six principles of ‘good information handling’.
  • All individuals (data subjects) have the right to see information that is held about them and the right to have information corrected if it is incorrect.
  • The Regulation applies to all electronic records that contain information about living and identifiable individuals and extends data protection to manual files where the personal data of a data subject is readily accessible (a structured filing system).
  • The main aim of the Regulation is to protect data from unnecessary, unauthorised or harmful use and to provide individuals with some control over the use of their personal data. Individuals have the right to take action for compensation caused by inaccurate, lost or destroyed data or unauthorised disclosure of information. They also have the right to complain to the Information Commissioner who may serve an enforcement notice and, in some circumstances, impose a financial penalty.

In collecting, using, storing and disposing of data, the Trust or an individual Academy will comply with the requirements of the GDPR that govern the processing of personal data. Under these requirements, information will be collected and used fairly, stored safely and not disclosed to any other person where to do so would be in breach of those requirements or would otherwise be unlawful.

If a request is made for information, in the majority of circumstances the issue will be resolved without reference to the GDPR.  If a Data Subject specifically makes a request under this Regulation, then a formal procedure must be followed (see SARs below).

Click on the following links for more information:

Data Protection Policy

CCTV and Surveillance Policy


Pupil Privacy Notice

Parent Privacy Notice

Workforce Privacy Notice

Recruitment Privacy Notice

If you require further information about the GDPR, this is available on the Information Commissioner's website at

The Trust has appointed Ruth Jarvis as its Data Protection Officer (DPO). The role of the DPO is to inform and advise the Trust on its data protection obligations. The DPO can be contacted at

We keep a record of when and how we got consent from the individual to process their personal data. Should you wish to withdraw consent please contact the DPO advising of the consent you wish to withdraw -


Please read the attached policy below for information and procedures to follow should you wish to make a Data Subject Access Request.Data Subject Access Request Policy 

Data Subject Access Request Form   

Whilst Data SARs can be made verbally, we will always ask for confirmation of the request in writing so that we can keep an accurate record of the information requested.

Once complete, the standard form should be either posted to the Data Protection Officer, Exceed Academies Trust, Dawnay Road, Bradford, BD5 9LQ or emailed to: