All schools must comply with the UK GDPR and the Data Protection Act 2018 to ensure that personal data for pupils, staff, parents and visitors is processed lawfully, securely and transparently. The Data (Use and Access) Act 2025 updates these laws to offer clearer rules on Subject Access Requests (SARs) and to strengthen protection for children’s online privacy.
Data Controller
NPAT is the data controller and responsible for compliance under UK GDPR.
Data Protection Officer (DPO)
Our Data Protection Officer is our designated expert responsible for overseeing and ensuring our compliance with GDPR and other laws. Our Trust DPO can be contacted by email at:
Rights of individuals
The UK GDPR provides the following rights for individuals:
- Right to be informed;
- Right of access (to receive copies of their personal data, known as a Subject Access Request);
- Right to rectification (correcting data if inaccurate);
- Right to erasure (to request that data is deleted);
- Right to restrict processing (to request you do not use their data in a certain way);
- Right to data portability;
- Right to object;
- Right to have it explained whether there will be any automated decision-making, including profiling, based on their data, and the right to meaningful information about the logic behind it.
To exercise any of these rights, please contact your school office.
Policies and Privacy notices
Our privacy notices have been developed to inform pupils, staff, parents and visitors about how their personal data is collected, used, shared and stored.
Our Trust data protection policies and privacy notices can be found below.
Data Protection and the GDPR Documents
NPAT Appropriate Policy Document
NPAT Freedom of Information Policy
NPAT Freedom of Information Publication Scheme Guidance
