All schools must comply with the UK GDPR and data protection Act 2018 to ensure that personal data for pupils, staff, parents and visitors is processed lawfully, securely and transparently. The Data (Use and Access) Act 2025 updates these laws to offer clearer rules on Subject Access requests (SARs) and strengthening protection for children’s online privacy.
Data Controller
NPAT is the data controller and responsible for compliance under UK GDPR.
Data Protection Officer (DPO)
Our Data Protection Officer is our designated expert responsible for overseeing and ensuring our compliance with GDPR and other laws. Our Trust DPO can be contact by email at:
Rights of individuals
The UK GDPR provides the following rights for individuals:
- Right to be informed;
- Right of access (to receive copies of their personal data known as Subject Access Request);
- Right to rectification (correcting data if inaccurate);
- Right to erasure (to request that data is deleted);
- Right to restrict processing (to request you do not use their data in a certain way);
- Right to data portability.
- Right to object.
- Right to have explained if there will be any automated decision-making, including profiling, based on the data and that they have the right to meaningful information about the logic behind this.
To exercise any of these rights, please contact your school office.
Policies and Privacy notices
Our privacy notices have been developed to inform pupils, staff, parents and visitors about how their personal data is collected, used, shared and stored.
Our Trust data protection policies and privacy notices can be found below.
Data Protection and the GDPR Documents
NPAT Appropriate Policy Document
NPAT Freedom of Information Policy
NPAT Freedom of Information Publication Scheme Guidance
NPAT Records Management and Retention Policy (includes data retention schedule)
NPAT Subject Access Request Policy
Using AI to help draft information requests?
This advice is provided by the Information Commissioners Office, the regulator for FOIA and EIR in England, Wales and Northern Ireland.
AI tools can be helpful, but they can also introduce errors or create overly complex requests that increase the burden on public bodies and cost to the taxpayer.
When using AI to help draft an information request, please make sure the final wording has been checked and reflects your actual information needs.
Before you submit a request or secondary correspondence, please check that:
You are only asking for the information you are genuinely looking for.
AI tools sometimes generate broad or excessive wording that goes beyond the information you actually want or need;
The request is clear, concise and focused.
Short, straightforward requests are easier for us to process and usually lead to quicker, more accurate responses;
There are no obvious factual inaccuracies.
AI can misrepresent legislation or misstate what organisations do. Please review the text of your request carefully and don’t assume AI is right. If it has referred to something you don’t understand, check what it is; and
The tone is appropriate.
AI-generated content can sometimes sound abrupt, or otherwise inappropriate. Please check the tone before sending.
Why does this matter?
We are seeing an increase in requests and secondary correspondence that appear to have been drafted by generative AI.
These can require additional clarification because of inaccuracies or unnecessary complexity. This creates delays for both requesters and our teams.
