
General Data Protection Regulations (G.D.P.R)

Data Protection 


The Cathedral School of St Peter and St John currently processes data in line with the Data Protection Act 1998, and is registered with the Information Commissioner's Office (ICO) on their register of data controllers.


What does ICO do?

  • ICO is the UK's independent body set up to uphold information rights

  • It enforces and regulates freedom of information and data protection laws

  • Provides information and advice

  • Promotes good practice


The Data Controller for this school is the Head Teacher Mrs Diane Hanley.




On 25th May 2018, the new General Data Protection Regulations (GDPR) came into force and these will apply to all schools, adding extra responsibilities to those of the Data Protection Act 1998. Schools will have to ensure that the strategies they currently have in place for data protection are compliant, and failure to do so could result in very heavy fines for breaches. Accountability is central to GDPR.


The 6 Principles of GDPR

Data will be:

1. Processed fairly, lawfully and in a transparent manner

2. Used for specified, explicit and legitimate purposes

3. Used in a way that is adequate, relevant and limited

4. Accurate and kept up to date

5. Kept no longer than is necessary

6. Processed in a manner that ensures appropriate security of the data


We will be working to ensure school is compliant with the new regulations. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act. However, there are new elements and significant enhancements, so we will have to do some new things for the first time and change the way we do some existing things. In order to identify fully what needs to be done, school will be undertaking a full review/audit of existing data held in school. Training will be taking place to raise staff awareness of the new regulations regarding data protection.


The GDPR explicitly states that children’s personal data merits specific protection and also introduces new requirements for the online processing of a child’s personal data.


It will be good practice to consult with children themselves when we design our processes going forwards so they can provide feedback. This will help us to identify risks, design safeguards and assess understanding. It is also consistent with the UN Convention on the rights of a child, which (Article 12) says that every child has the right to express their views, feelings and wishes in all matters affecting them, and to have their views considered and taken seriously. Our children will be involved in the creation of a new privacy notice that is child friendly and age appropriate.


Policy for Data Protection for The Cathedral School of St Peter and St John RC Primary


The school will ensure that personal data is protected and kept safely and securely. It will ensure that its policy for data protection is used as the basis for collecting, storing, accessing, sharing and deleting personal data. The school will use the General Data Protection Regulations (GDPR) as the benchmark for its standard for protecting personal data.


  1. To ensure that decision makers and key people in school comply with the statutory changes to the GDPR coming into force on 25th May 2018.
  2. To ensure that there will be regular reviews and audits of the information we hold to ensure that we fully meet the GDPR statutory requirements.
  3. To document the personal data we hold, where it came from and with whom it will be shared.
  4. To ensure that data collection, data handling, data storage and data disposal procedures are in line with the GDPR and cover all the rights individuals have, including how personal data is deleted and destroyed.


  1. Data access request procedures will be handled within the timescales set out in the GDPR and we will provide any additional information in line with the GDPR guidance.
  2. The processing of personal data will be carried out on a lawful basis as required by the GDPR.
  3. Where the school needs to seek consent, it will do so in a manner that meets GDPR standards.
  4. Any records of consent and the management of the process for seeking consent will also meet the GDPR standard.
  5. Where there is a personal data breach the procedures used to detect, report and investigate it will meet the requirements of the GDPR.
  6. The systems the school puts into place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity will meet the standard set in the GDPR.
  7. Data protection by design and data protection impact assessments will meet with the ICO’s code of practice on privacy impact assessments as well as with the latest guidance.
  8. There will be a senior member of staff designated as the Data Protection Officer who will be given responsibility for data protection compliance.
  9. When the school requests data we will provide appropriate privacy notices to explain why data is being requested and the purposes for which it is used.



The requirements of the GDPR will be met by this school as the basis for collecting, storing, accessing, sharing and deleting personal data. Data will be processed fairly, lawfully and in a transparent manner. It will be used for specified, explicit and legitimate purposes in a way that is adequate, relevant and limited. It will be accurate and kept up to date and kept no longer than is necessary. Data will be processed in a manner that ensures appropriate security of the data.


Schools must have a Data Protection Officer (DPO).  The DPO is responsible for overseeing data protection within the school so if you have any questions in this regard, please do contact them on the information below: 


Data Protection Officer: Craig Stilwell

Company: Judicium Consulting Ltd

Address: 72 Cannon Street, London, EC4N 6AE

Email: dataservices@judicium.com

Telephone: 0203 326 9174





The General Data Protection Regulation (‘GDPR’) relates to the processing of personal data whether by automated means (i.e. by computer) or non-automated, for example paper-based files.


CPOMS Systems Limited (CPOMS) is committed to maintaining compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).


CPOMS Current GDPR Position


CPOMS is registered with the UK Information Commissioner’s Office both as a Data Processor for our customers’ data and as a Data Controller for our own company’s data. We are also accredited for both ISO 27001 and UK Government ‘Cyber Essentials’ which are reviewed each year. We also subject our systems and networks to regular independent penetration testing to ensure the security of our schools’ data.


We also hold the UK Government’s ‘Cyber Essentials’ certification, against which we are independently audited on an annual basis.


Following our own assessment and the independent inspections that we have undergone, we are confident that our systems and operations are fully compliant with current Data Protection Act legislation and that we are already compliant with the GDPR.


Steps we have taken to achieve compliance


  • Full awareness programme for all CPOMS personnel

  • A review of the impact of GDPR on our customers and our own staff, systems and procedures

  • Working with our suppliers to ensure that their GDPR compliance projects underpinned our own

  • Commissioning of a new customer contract and Service Level Agreement (SLA) to meet the requirements of GDPR. This is currently being sent out to all our customers

  • Provision of a new GDPR compatible End User Licence Agreement (EULA) to each of our customers under the terms of which they authorise our data extraction processor to provide CPOMS with the appropriate schools’ MIS data

  • A full audit of historical customer contact data, contacting schools to gain their consent to retain such data or to delete where appropriate

Our Senior Information Risk Officer (SIRO) is Tony Wild, Executive Vice Chairman. Tony has Executive Board responsibility for all CPOMS security and data protection arrangements.


For further information please contact us at

We treat all personal information as private and confidential.  We understand the trust you place on us to handle and store this information securely and confidentially.

Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection whether you are required to provide certain pupil information to us or if you have a choice in this.

We collect and use pupil information for the following purposes:

a) to support pupil learning
b) to monitor and report on pupil attainment progress
c) to provide appropriate pastoral care
d) to assess the quality of our services
e) to keep children safe (food allergies, or emergency contact details)
f) to meet the statutory duties placed upon us for DfE data collections

At The Cathedral School of St Peter and St John RC Primary we have a Data Protection Officer who monitors how we handle, process and store the data we have in school. 

Data Protection Officer Details:

The Data Protection Officer is responsible for overseeing data protection within the School so if you do have any questions in this regard, please do contact them on the information below:

Data Protection Officer: Craig Stilwell
Company: Judicium Consulting Ltd

Judicium Consulting Ltd
72 Cannon Street

Telephone:  0203 326 9174


Copies of our current Data Protection Policy and our Records Management Policy are available on our policies page

  • The Cathedral School of St Peter and St John R.C. Primary
  • Mount Street, Salford, M3 6LU (Sat Nav M3 6AY)
  • Email : stpeter&
  • Telephone : 0161 834 4150