Home Page

Third Party Compliance

Our principal database is our Management Information Service called SIMS:



Purpose of data: administrative data such as name, address, dob, contact details of parents and other relevant adults, medical and dietary needs, SEND information to ensure the safe and smooth running of the school

Location of server: on site

Key information held: child information submitted by parents/carers on entry to the school (and updated at least annually)

Data is held until the child/ex pupil has reached 25 years of age and is then deleted.


Third parties (online)

Where we use third parties online, for record keeping or curriculum services for example, we have checked GDPR compliance and we are able to share their data protection statements. We have stated the key information that each service will hold. In addition to this, they may collect records of things such as IP addresses and web browsers of the computers that visit their services:


Parent Pay

Purpose of data: Online payment system. This requires us to use family details to set up accounts. Family bank details are added by families themselves and school does not have access to it.

Location of server: European Economic Area (EEA). Hosting company is ISO27001 accredited.

Key information held: child name, siblings, contact details

Parent Pay privacy notice:

Parent Pay and GDPR:


Tapestry (Early Years)

Purpose of data: record of observations of children’s learning. Holding this information online provides information to parents and allows them to be more involved in their child’s early education.

Location of server: TBC

Key information held: child name, child’s progress through the Early Years Foundation Stage profile inc photos. With consent, Tapestry will hold parents’ email adresses for updates to the child’s record.


CPOMs (whole school)

Purpose of data: The purpose of this data is to keep children safe and protect their well-being. This is an electronic database of child protection records and pastoral records. Holding this data electronically improves efficiency and appropriate sharing of information. Only the child protection team can view child protection records, and this is protected through two factor authentication. Teachers can view pastoral records and records of communication with parents, again via two factor authentication. Information may be shared with another school on transition.

Location of server: UK

Key information held: child information submitted by parents/carers on entry to the school (and updated at least annually); behaviour incidents (perpetrator or linked); medical records where this a healthcare plan or medical issues have been highlighted on the admission form or annual data collection sheet; records of communication or meetings with families; pastoral concerns.

Statement from CPOMS:

“With specific regard to The British Standards Institute (BSI) code of practice on legal admissibility (DISC PD 0008:2004), I will summarise how CPOMS conforms to the code of practice in the 4 key areas:

  1. The record is accurate, i.e. it is a complete and unaltered representation of the information; – Once are record is entered into CPOMS it cannot be deleted. A soft editing feature allows our high level admin users to edit information such as amending typos, adding additional information but all such changes are recorded within the system and an unedited version of the original kept for legal purposes. If one needed to get back to an original entry, one could do so at all times.
  2. The record is authentic, i.e. that it is what it purports to be; – The original ‘authentic’ record is always kept within the system, it cannot be changed.
  3. The records has not been tampered with; – As per 1 above, any ‘editing’ of a record would in essence create a new version of that record with the original being kept for legal admissibility purposes. One cannot tamper with a record within CPOMS in the same way in which they might be able to destroy/ replace a paper record. A full un-editable audit log details all user interactions within the system.
  4. The record is stored in a system that has been secure throughout the record’s lifetime. The security of your data is our prime concern once it is entered onto CPOMS. To summarise:
  1. All data is encrypted both at source and in transit
  2. Each school resides on its own database, not a database which is shared with other schools
  3. The data is held within UK based Tier 3 Data Centres
  4. Users allowed to see detailed information within CPOMS require 2 factor authentication (2FA) via either the CPOMS Authenticator App or a MeriLock Key
  5. A full uneditable audit log details all interactions with the system

As a high quality provider of IT services, Meritec takes its’ Security, Quality, and Data Protection responsibilities very seriously. We currently hold accreditations for Information Security (ISO27001) and Quality (ISO 9002) and are registered with the ICO (Information Commissioners Office) for Data Protection. In addition CPOMS has completed the DfE’s checklist for cloud services. Meritec wishes to reassure existing and future customers that we are currently involved in a major exercise to ensure that our practices and procedures are updated in line with ICO guidelines to be compliant with the requirements of GDPR before the planned introduction of GDPR legislation on 25th May 2018.” John Wild, Business Manager

GDPR statement:


Mathletics (Y2-6)

Purpose of data: Mathletics is a curriculum support website to promote learning of maths

Location of server:

Key information held: names and ages of pupils; progression through the maths activities on the site

Mathletics privacy policy