Our principal database is our Management Information Service called SIMS:
Purpose of data: administrative data such as name, address, dob, contact details of parents and other relevant adults, medical and dietary needs, SEND information to ensure the safe and smooth running of the school
Location of server: on site
Key information held: child information submitted by parents/carers on entry to the school (and updated at least annually)
Data is held until the child/ex pupil has reached 25 years of age and is then deleted.
Third parties (online)
Where we use third parties online, for record keeping or curriculum services for example, we have checked GDPR compliance and we are able to share their data protection statements. We have stated the key information that each service will hold. In addition to this, they may collect records of things such as IP addresses and web browsers of the computers that visit their services:
Purpose of data: Online payment system. This requires us to use family details to set up accounts. Family bank details are added by families themselves and school does not have access to it.
Location of server: European Economic Area (EEA). Hosting company is ISO27001 accredited.
Key information held: child name, siblings, contact details
Parent Pay privacy notice: https://www.parentpay.com/privacy-policy/
Parent Pay and GDPR: https://www.parentpay.com/parentpay-and-gdpr/
Tapestry (Early Years)
Purpose of data: record of observations of children’s learning. Holding this information online provides information to parents and allows them to be more involved in their child’s early education.
Location of server: TBC
Key information held: child name, child’s progress through the Early Years Foundation Stage profile inc photos. With consent, Tapestry will hold parents’ email adresses for updates to the child’s record.
CPOMs (whole school)
Purpose of data: The purpose of this data is to keep children safe and protect their well-being. This is an electronic database of child protection records and pastoral records. Holding this data electronically improves efficiency and appropriate sharing of information. Only the child protection team can view child protection records, and this is protected through two factor authentication. Teachers can view pastoral records and records of communication with parents, again via two factor authentication. Information may be shared with another school on transition.
Location of server: UK
Key information held: child information submitted by parents/carers on entry to the school (and updated at least annually); behaviour incidents (perpetrator or linked); medical records where this a healthcare plan or medical issues have been highlighted on the admission form or annual data collection sheet; records of communication or meetings with families; pastoral concerns.
Statement from CPOMS:
“With specific regard to The British Standards Institute (BSI) code of practice on legal admissibility (DISC PD 0008:2004), I will summarise how CPOMS conforms to the code of practice in the 4 key areas:
As a high quality provider of IT services, Meritec takes its’ Security, Quality, and Data Protection responsibilities very seriously. We currently hold accreditations for Information Security (ISO27001) and Quality (ISO 9002) and are registered with the ICO (Information Commissioners Office) for Data Protection. In addition CPOMS has completed the DfE’s checklist for cloud services. Meritec wishes to reassure existing and future customers that we are currently involved in a major exercise to ensure that our practices and procedures are updated in line with ICO guidelines to be compliant with the requirements of GDPR before the planned introduction of GDPR legislation on 25th May 2018.” John Wild, Business Manager
GDPR statement: http://www.cpoms.co.uk/gdpr/
Purpose of data: Mathletics is a curriculum support website to promote learning of maths
Location of server:
Key information held: names and ages of pupils; progression through the maths activities on the site