GDPR and Data Protection

Data Controller


Ormiston Academies Trust is the organisation which is in charge of personal information – Data Controller


The postal address of the Academy Trust is:

Ormiston Academies Trust

Ormiston House

144, Newall Street


B3 1RY


The Data Protection Officer (DPO) for the Trust is James Miller. He can be contacted via / 0121 262 4725


The Data Protection Lead (DPL) at the Academy is Ro Johnson – Data and Admin Officer


Data Protection Policies

Privacy Notice for Pupils/Parents, detailing how we use information and what we do with it can be found by clicking here


Data Protection Policy – Click here

Records & Retention Policy – Click here

Photography and video  policy – Click here

Photography and video consent form  – Click here

Technology acceptable use policy- Foundation KS1 Pupil sept 18

Technology acceptable use policy- KS2 Pupil sept 18

OAT Privacy notice for pupils and parents (3)

OAT Email Retention Policy

General Data Protection Regulation (GDPR)


On 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European member states, including the United Kingdom who will still be a member at that time.

The new Regulation will replace the Data Protection Act 1998 (DPA) which was developed at a time when most data processing was still paper-based. There was also a limited understanding of the impact that technology would have on the way we process data.


The purpose of the GDPR is to:


  • harmonise the EU’s laws surrounding data protection
  • protect all EU citizens’ data privacy
  • re-shape the way organisations across the region approach data privacy


In drafting it, the EU’s aim was to design it as a living document and future-proof the wording. They have also made it ‘technology neutral’ which means that the same regulatory principles apply regardless of the technology used.

If you hold information which falls within the scope of the Data Protection Act 1998, it will also fall within the scope of GDPR. The GDPR principles are similar to the DPA, but there is a new accountability requirement – you will have to demonstrate how you comply.



The following terminology will be used in this course.


Data subject means the person whose personal data is being processed.


Personal data means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking sites or a computer IP address. Sensitive personal data includes information about racial or ethnic origin, political opinions, medical information and genetic and biometric data where it is used to uniquely identify an individual.


Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be processed.


Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.


Processing information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organising, adapting or altering it
  • retrieving, consulting or using the information or data
  • disclosing the information or data by transmission, dissemination or otherwise making it available
  • aligning, combining, blocking, erasing or destroying the information or data