General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The Harmony Trust is committed to protecting and managing the data we hold. 

The Harmony Trust aims to ensure that all personal data collected about staff, pupils, parents/carers, trustees, visitors and other individuals is collected, stored and processed in accordance with the Data Protection Act 2018 (DPA 2018) and the UK GDPR (2021).

Our policies and procedures meet the requirements of the GDPR and provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO).

Some Key Definitions

Personal Data

  Any information relating to an identified, or identifiable, living individual. This may include the         individual’s:

  • Name (including initials)
  • Identification number
  • Location data
  • Online identifier, such as a username, IP address or cookie

  It may also include factors specific to the individual’s physical, physiological, genetic, mental,   economic, cultural or social identity.

Special Categories Of Personal Data

  Personal data which is more sensitive and so needs more protection, including information about   an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (such as fingerprints, retina and iris patterns), where used for

    identification purposes

  • Health – physical or mental
  • Sex life or sexual orientation

Data Processing

  Anything done to personal data, such as collecting, recording, organising, structuring, storing,   adapting, altering, retrieving, using, disseminating, erasing or destroying. Processing can be   automated or manual.

Data Controller

  The identified or identifiable individual whose personal data is held or processed.

Data Protection Officer

  A person whose role is to oversee data compliance, advise and recommend improvements and be   the point of contact for data protection. The DPO has overall responsibility and oversight but does   not carry out all duties personally.

Data Protection Lead

  A person in each school with responsibility, delegated by the DPO and Principal, for data protection   compliance. Whilst the Data Protection Lead manages the day to day data protection compliance,   the overall responsibility for the school remains with the Principal and the Trust.

Data Breach

  A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised   disclosure of, or access to, personal data.

Subject Access Requests

  Under the Data Protection Act 2018 and UK GDPR legislation, individuals have a right to request   access to information the school holds about them. This is known as a subject access request.

  Subject access requests may be submitted in any form, but The Harmony Trust and its entities will   be able to respond to requests more quickly if they are made using the Subject Access Request   Form provided online.

  The Harmony Trust and its entities may not reveal information in response to subject access   requests for a variety of reasons – these could include:

·        Information that might cause serious harm to the physical or mental health of the pupil or          another individual

·        Information that would reveal that the child is being or has been abused, or is at risk of abuse, where disclosure of that information would not be in the child’s best interests

·        Information that would include another person’s personal data that cannot reasonably be anonymised, and the other person has not given their consent, and it would be unreasonable to proceed without it

·        Information that is part of a certain sensitive document, such as those related to crime, immigration, legal proceedings or legal professional privilege, management forecasts, negotiations, confidential references, or exam scripts



We want to keep you informed about what we do with your child’s data and the rights you have under the law. To help with this, we have produced a series of simple Fact-Sheets which provide information on a number of areas of data management.

You can download copies as PDF’s by clicking at the bottom of the page. 

Parents Guide to Subject Access Requests

Parents Guide to Data Breaches

Parents Guide to the Role of the DPO

Parents Guide to Data Management In Our Schools

Pupil Leavers Data Privacy Notice

What Is Personal Information ?

Key Contacts :

Our Data Protection Officer

The Information Commissioner’s Office

Illuminate Education Services UK Ltd

E :

T : 08458621967

Wycliffe House

Water Lane,

Cheshire SK9 5AF.

Or via their website :

Updated 13th September 2021 


20th January 2022 : Derby City LA High School Transition 2022

To assist schools with the transfer of pupil data when Year 6 children move to high schools in September 2022, Derby City LA will be utilising an online portal called ‘Transition’. To comply with our legal duty and commitment to openness and transparency we have decided to provide the parents of children in Year 6 with the data privacy statement they have provided. Download document - Derby Schools Transition Portal Data Statement.  

Files to Download

Head Office - Alderson Street, Oldham, OL9 6DY
Office Hours - Monday - Friday 8.00am - 4.00pm
Chief Executive Officer - Antony Hughes
Chair of Trustees - Anne Weinstock
SEND Trustee - Ian Robinson
Safeguarding Trustee - Graham McGuffie