top of page
image-removebg-preview_edited_edited.png

Compliance with GDPR

1. Introduction

Turning Point Leeds (TPL) is committed to protecting the privacy and security of personal data. This policy outlines our approach to compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It sets out how we safeguard the personal data of pupils, employees, parents/carers, host schools, and other stakeholders.

We aim to process data fairly, lawfully, and transparently, ensuring trust and confidence in the way we handle personal information.

​

2. Data Protection Principles

TPL adheres to the following GDPR principles:

  • Lawfulness, fairness, and transparency: All personal data will be processed lawfully, fairly, and openly.

  • Purpose limitation: Data will only be collected for specified, explicit, and legitimate purposes.

  • Data minimisation: Only the minimum personal data necessary will be collected and processed.

  • Accuracy: Personal data will be kept accurate and up to date.

  • Storage limitation: Data will be retained only for as long as necessary in line with statutory requirements and TPL’s Data Retention Schedule.

  • Integrity and confidentiality: Personal data will be processed securely, protecting against unauthorised or unlawful processing, accidental loss, or damage.

  • Accountability: TPL accepts responsibility for demonstrating compliance with GDPR at all times.

​

3. Roles and Responsibilities

  • Directors determine how and why personal data is processed.

  • Directors oversee GDPR compliance, advises staff, and acts as the main contact for the Information Commissioner’s Office (ICO).

  • Employees and volunteers: All staff, volunteers, and contractors must comply with this policy and handle personal data securely and responsibly.

​

4. Legal Basis for Processing

TPL will only process personal data where there is a lawful basis under GDPR, including:

  • Consent

  • Contractual necessity

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

The lawful basis for processing will always be identified and recorded before processing begins.

​

5. Data Subject Rights

All individuals have the following rights regarding their personal data:

  • Right to be informed

  • Right of access (Subject Access Request, normally completed within one month)

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights in relation to automated decision-making and profiling

Requests to exercise these rights must be submitted in writing to the Directors and will be handled promptly in line with GDPR timelines.

Individuals also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if they are dissatisfied with TPL’s handling of their personal data.

​

6. Data Breach Management

TPL has clear procedures for identifying, reporting, and managing personal data breaches.

  • The Directors will assess all breaches without delay.

  • Serious breaches will be reported to the ICO within 72 hours, where required.

  • Affected individuals will be informed promptly if their rights or freedoms are at significant risk.

​

7. International Data Transfers

TPL does not transfer personal data outside the UK or European Economic Area (EEA) unless adequate safeguards are in place. No data will be shared with external organisations without the knowledge and consent of the host school.

​

8. Privacy by Design and Data Protection Impact Assessments (DPIAs)

Data protection measures are built into all of TPL’s systems and processes. Where processing activities are likely to present a high risk to individuals’ rights and freedoms, DPIAs will be completed before processing begins.

​

9. Training and Awareness

  • All staff receive GDPR and data protection training during induction.

  • Annual refresher training is provided.

  • Additional guidance is shared when changes in legislation or best practice occur.

​

10. Compliance Monitoring and Review

TPL conducts regular audits of data processing activities to check compliance.

  • Records of processing activities are maintained.

  • Policies are updated in response to new legislation, regulatory advice, or learning from practice.

  • Feedback from staff, pupils, and parents/carers is used to improve practice.

​

11. Conclusion

TPL is committed to protecting personal data and ensuring compliance with GDPR and the Data Protection Act 2018. Our approach is transparent, responsible, and restorative — addressing concerns openly to rebuild trust where issues arise.

​

Written: August 2025
Next Review: August 2026

bottom of page