Data Protection and General Data Protection Regulations


Cidari Multi Academy Trust is committed to being transparent about how it collects and uses data in order to meet its data protection obligations under the General Data Protection Regulations (GDPR).

We have spent recent months working hard to understand the data we hold and undertaking a full data audit and mapping excercise across the entire organisation to get a clear picture of our processing activities.

The Trust has appointed Matt McIver as its data protection officer (DPO). The role of the DPO is to inform and advise the Trust on its data protection obligations. The DPO can be contacted at Questions about our policies, or requests for further information, should always be directed to the data protection officer in the first instance.

As part of its normal operation, the Trust will be required to share personal information about its employees, parents, pupils, volunteers, job applicants, governors and trustees with other organisations, mainly the Local Authorities, Department for Education, Education & Skills Funding Agency, Blackburn Diocese, other schools / educational bodies or potentially social services etc. This is classed as lawful basis to process personal data. For all our key stakeholders the Trust has a Privacy Notice explaining the type of data we hold, the reasons why and how it is processed. The privacy notices can be found through the menu links on this page or by clicking here.


What are the lawful bases for processing?

 The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:          

 (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

 (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

 (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

 (d) Vital interests: the processing is necessary to protect someone’s life.

 (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

 (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The trust has drafted a number of policies to ensure all staff, trustees and governors are aware of their responsibilities and outlines how the trust complies with the following core principles of the GDPR. These policies are available on the menu links through this page or by clicking here.


How does Cidari Multi Academy Trust protect personal data?

Data Protection legislation requires the Trust and its Academies to keep personal data safe and to have appropriate systems, policies and procedures in place to enable them comply with their data protection responsibilities. The Trust has updated its Data Protection Policy to reflect the GDPR requirements and combined with other relevant polcies to ensure your data is protected and processed correctly.



Academies are reponsible for getting consent for data outside of the lawful basis for processing. This consent can include permission for photographs or joining a mailing list. You can withdraw consent at anytime. To do this please contact the Academy directly.

Diocese of Blackburn