Executive Head: Dame Naila Zaffar
Rainbow Primary School, Nelson Street, Bradford, BD5 0HD
Phone: 01274 221400
Email: info@rainbowschools.org.uk



By this statement Rainbow Primary School is seeking to inform employees, pupils, parents, business partners and suppliers of its commitment to good data protection practice and its ongoing GDPR compliance.

The EU General Data Protection Regulation (GDPR) became effective on 25 May 2018. The GDPR has brought considerable changes to data protection law both in the UK and across the European Economic Area.

Rainbow Primary School has always sought to ensure compliance with data protection law. The school is in a position to confirm that it has:

  • A registered Data Protection Officer
  • Embedded GDPR requirements into policies and day-to-day activities.
  • Implemented technical measures to ensure GDPR compliance.
  • Documented and recorded compliance measures.
  • Scheduled comprehensive internal training for GDPR compliance.
  • Audited data protection measures with audit results used to implement compliance.

The Information Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

There are 6 key principles to the GDPR that the school is accountable for:

  • There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
  • Data must only be used for the reason it is initially obtained.
  • No more data than is necessary should be collected.
  • Data has to be accurate and there must be mechanisms in place to keep it up to date.
  • Data should not be retained for longer than is necessary.
  • The protection of personal data must be upheld.

Key Protection Measures

The school has put a variety of measures in place to ensure that all personal data is protected. These include;

  • Storing all pupil and staff personal data with the School Information Management System (SIMS) that is password protected and access to data is strictly limited to a needs to know basis.
  • Data stored on the school Server is password protected and access rights for individual staff members is linked to their role within school. The retention of data on the server is governed by the Data Protection Policy, which is enforced by the School Data Protection Officer.
  • All passwords are changed every 42 days across the school server, SIMS and email system, whilst also having a criteria of things that must be included to make passwords robust.
  • No passwords are stored by automated means on any school equipment on or off site.
  • No portable USB sticks or hard drives are permitted within school and no personal data is removed off the school site.
  • All visitors and staff use a digital sign in system, which ensures that no personal information is visible to other visitors. Pupils are signed in by the admin staff.

Key Terminology

There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.

  • Data Controller – the holder and gatherer of data who decides what to do with it (the school).
  • Data Processor – the person/organisation who does activities that the controller tells them to do with data and who is not a direct employee. An example would be SIMS who host the School Management Information System, which digitally stores all of the personal data about pupils and staff and Parentmail, which hosts the school communication and cashless payment system.
  • Data Subject – the person who data belongs to. It is important to note that under the new GDPR regulations children have more rights even though it is parents who give consent for the collection of certain types of data.
  • Subject Access Request – the request by a data subject for information about the personal data that a data controller holds. This must be made available in an accessible format within 40 days and 15 days if it is a request for a child’s education record.
  • Data – all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings) which includes statements and opinions.
  • Personal Data – any data that relates to an individual which can identify them or link to other information which would lead to identification.
  • Sensitive Personal Data – data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability, sexuality, criminal offences etc.
  • Processing Data – obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.

Protecting Data

As a school we have reviewed all of the data that we currently hold and produced a “Data Asset Register” which documents the type of data, the data processor, where the data is stored, the reason that the data is stored and any potential risks that must be considered when developing policies/procedures around data protection. Included in this process has been making contact with any data processors to ensure that they are all GDPR compliant. Below is a list of the data processors used by the school (individual links to each provider will be added once their GDPR compliance policies/statements are finalised):

SIMS  (School Management Information System)

HCSS (School Budgeting Tool)

FMS (School Financial Management System)

Office Education 365 (Staff email system)

Mathletics, (Digital maths activities for children)

CPOMS (Child Protection Online Monitoring System that incidents are stored on)

Classroom Monitor (School Assessment Tracking System)

Parentmail (Communication and cashless payment system)

SAM (Staff Absence Management System)


As a school we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DFE) and Census obligations we request on admission a range of personal information that complies with our statutory duties on the emergency contact form. When changes to any of this data occurs and we are informed, this is updated as soon as possible within our Management Information System SIMS.

For other types of data that we collect we seek consent though consent forms that provide parents with the opportunity to give or decline consent.

Consent is only accepted if it is freely given and parents/cares are entitled to withdraw consent at anytime by contacting the School office, where the request will be put in place with immediate effect.

Please follow the link to access our Policies Page, where our GDPR Policy can be found.

Useful GDPR Documents

GDPR Subject Access Request
GDPR Consent Guidance
Model Employment Privacy Notice
Model Volunteers Privacy Notice
School Privacy Notice


Rainbow Primary School is committed to safeguarding and promoting the welfare, both physical and emotional, of every pupil both inside and outside of the school premises.

Rainbow Primary School implements a whole-school preventative approach to managing safeguarding concerns, ensuring that the wellbeing of pupils is at the forefront of all action taken. We expect all staff, Trust, volunteers and visitors to share this commitment and maintain a safe environment.

view safeguarding policy
Safeguarding Leads

Contact Us

Rainbow Primary School, Nelson Street, Bradford, BD5 0HD

Phone: 01274 221400 Email: info@rainbowschools.org.uk

Our office staff taking calls are: Miss Thommis-Newberry, Mrs Sumera Qayyum and Mr Rauf
Arshad Javed – CEO | Dame Naila Zaffar – Executive Head | (BCL Consultancy Limited) Andrew Kenure – SEND
Asmi Darr – Chairperson  –  chairperson@rainbowschools.org.uk or
by post C/O Rainbow Primary School, Nelson Street, Bradford, BD5 0HD