Items : 0
Subtotal : £0.00
View CartCheck Out
Items : 0
Subtotal : £0.00
View CartCheck Out

GDPR Policy

Data Protection & GDPR Policy

1.  Policy introduction

Data Protection legislation exists to protect individuals from the abuse of personal information.  It covers both computerized and written information and the individual’s right to see such information.

The General Data Protection Regulation (GDPR) forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25th May 2018.


Detailed information on the Act may be found at




2.  How GDPR affects The Palmer School of Excellence CIC

The Palmer School of Excellence must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data, these are:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary to you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  (This cannot apply if you are a public authority processing data to perform your official tasks).


The Palmer School of Excellence CIC must ensure that they do not do anything with the data in breach of any other laws.  This relates to statute and common law obligations, whether criminal or civil.  If processing involves committing a criminal offence, it will obviously be unlawful.  However, processing may also be unlawful if it results in:

  • A breach of a duty of confidence
  • Your organisation exceeding its legal powers or exercising those powers improperly
  • An infringement of copyright
  • A breach of an enforceable contractual agreement
  • A breach of industry-specific legislation or regulations
  • A breach of the Human Rights Act 1998


The Palmer School of Excellence CIC must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.


BHB must be clear, open and honest with people from the start about how you will use their personal data.


3.  Data Protection registration

The Palmer School of Excellence CIC is registered with the Information Commissioner’s Office (ICO) under the process formally known as ‘notification’.


  1. National Data Guardian’s Data Security Standards

The National Data Guardian for Health and Social Care is an independent, non-regulatory, advice giving body in England.

These Standards are clustered under three leadership obligations:


Leadership Obligation 1: People: ensure the staff and volunteers are equipped to handle information respectfully and safely, according to the Caldecott Principles.


Data Security Standard 1.  All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.  Personal confidential data is only shared for lawful and appropriate purposes

Data Security Standard 2.  All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

Data Security Standard 3.  All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit (NHS Data Security and Protection Toolkit).



Leadership Obligation 2: Process: ensure the organization proactively prevents data security breaches and responds appropriately to incidents or near misses.


Data Security Standard 4.  Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.  All access to personal confidential data on IT systems can be attributed to individuals.

Data Security Standard 5.  Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.

Data Security Standard 6.  Cyber-attacks against services are identified and resisted and advice from Crius Tech is responded to.  Action is taken immediately following a data breach or near miss, with a report made to the Chair within 12 hours of detection.