The European General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The objective of this law is to ensure that all personal data relating to living EU citizens (including UK citizens) is protected and that those who are entrusted with such data are held accountable for its protection.

Following the UK’s departure from the EU (January 2020), the GDPR has been retained in UK law as the UK GDPR and will apply alongside the Data Protection Act 2018.

The City Learning Trust (CLT) and its member academies are committed to data privacy and protection and we have robust systems in place to ensure GDPR compliance. The GDPR principles are embedded in our data processing so that parents/carers, pupils/students, staff, governors/trustees, volunteers and visitors are assured that we handle their personal data respectfully and in line with the law. Our practice to ensure compliance is detailed below.

The Trust’s Data Protection Policy is written in line with GDPR and it drives the highest standards of privacy and protection of personal data rights across the Trust. It includes our policy on data breaches and subject access requests. The policy is reviewed bi-annually.

We keep a record of our processing activities to ensure all data held and processed is compliant with current regulations. We record:

  • The nature and purpose of processing.
  • Categories of data subjects.
  • Types of personal data held and processed.
  • The lawful basis for all our personal data processing.
  • The retention period for all data.
  • How data will be securely stored and disposed of.
  • Who we share data with.
  • Privacy notices for staff, pupils/students, parents/carers, volunteers and governors/trustees align with GDPR guidelines, are made available and reviewed annually.
  • Data Protection Impact Assessments, Contracts and Employees of the Trust.
  • We will implement, when necessary, Data Protection Impact Assessments for projects that may involve high risk processing as covered under GDPR.
  • We add addendums to contracts with contractors to ensure all parties take account of their respective obligations and responsibilities under GDPR.
  • All staff are well informed of the legislation. GDPR awareness training is included in the Trust’s annual training cycle.
  • We have a Data Protection Officer.
  • All procedures align with the individual’s rights as specified under GDPR.
  • Our Subject Access Request procedure, to manage requests for data, is in line with GDPR.
  • Any data breaches are handled and reported in line with GDPR.
  • Seeking, recording and managing consent is in line with GDPR.
  • Privacy Notices are in line with GDPR.
  • GDPR Audit Cycle.
  • We conduct a thorough audit of our GDPR processes and procedures annually to ensure compliance with current regulations.
  • GDPR Roles and Responsibilities.
  • Our Data Protection Officer and Executive Director – Estates and Risk have implemented and maintain a system that ensures the Trust meets its obligations under the GDPR. They are responsible for promoting awareness of the GDPR across the Trust, assessing compliance, identifying gap areas, including employee awareness and training and the updating of policies, privacy notices and procedures, including GDPR audits.
