GDPR Compliance Statement

Schools Data Services Ltd

Within this statement we want to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.

Schools Data Services Ltd takes data security very seriously. The success of our company builds on the trust that our employees, customers and other stakeholders have in our ability to deliver a secure and quality service. This includes our ability to apply a high level of data protection and security in relation to personal data that our employees, customers and third parties entrust to us.

Certifications

Cyber Essentials - Cyber Essentials is a Government-backed, industry-supported scheme designed to help companies protect against cyber threats. We are currently implementing several changes necessary to comply with the new CE requirements, including Two Factor Authentication (2FA). Certification is independently verified and gives you peace of mind that certificate holders’ defences will protect against the vast majority of common cyber attacks.

Physical Security

Our main production servers are located in the Equinix Group facility (Williams House) based in Manchester Science Park. There is a back-up facility based in Newcastle. Communication between the two is via a secure, encrypted link. Entry to each facility is tightly controlled – with strict procedures in place to monitor and control visitor access both into and within the data centre. Extensive CCTV video camera surveillance is in place across each facility, along with security breach alarms, biometric checks and controlled physical barriers.

Customer Contracts

To comply with the GDPR, a written agreement stating that personal data is processed only on documented instructions from the controller or the requirements of EU law or the national laws of Member States should be in place. We are reviewing all our agreements with our customers on an individual basis to ensure compliance. This will ensure that relevant wordings are in place to cover aspects such as:

  • a summary of the subject matter of the data
  • the duration, nature and purpose of the processing
  • the types of data to be processed
  • the obligations and rights of the controller and processor
  • how we will assist the Data Controller in dealing with data subject requests, data breaches and conducting impact assessments and data security audits
  • the deletion or return of data at the end of the contract

Cross Border Transfers and Sub-Processors

Schools Data Services use only secure and private UK-based servers. We do not use ‘cloud’ services to store data. Data is never stored overseas. Schools Data Services do not sub-contract out any data services to any third party organisations. In the unlikely event this becomes necessary we would seek prior, written consent of the Data Controller before doing so.


Security and Business Continuity Measures

We continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.

All Schools Data Services personnel with access to pupil data are vetted and are subject to a written confidentiality agreement.

Under the GDPR, we must notify any data breach to the controller without undue delay. Schools Data Services therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller.

We would provide the controller with:

  • A description of the nature of the breach
  • Contact details of the responsible data protection officer or any other contact person
  • Likely consequences of the breach
  • Proposed and imposed measures taken to limit harmful effects

We would stress again that we have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.

Data Subject Rights

Under the GDPR there are significant enhancements to the rights that individuals enjoy with regard to their personal data. Schools Data Services can work with customers for whom we hold or process personal data in order to determine how best to facilitate:

  • Handling Data Subject Access Requests and rectification of personal data
  • The application of retention periods and the secure erasure / destruction of personal data
  • Responding to data portability requests, providing the data in a structured, commonly used and machine-readable format

Contact Person

Any GDPR-related questions can be addressed to Mr E Whittaker or Mr A Rose at ed@sds.ac or Andrew@sds.ac

Phone: 0161 713 0402

Email: info@sds.ac