Education Service Privacy Notice

This Privacy Notice is sent to you by:

Diocese of Westminster Education Service,

Vaughan House,

46 Francis St


Tel. 020 7798 9005.

The purpose of this privacy notice is to give you a clear explanation about how the Diocese of Westminster Education Service uses the personal information that we collect, whether online, via phone, email, in forms, letters or from third parties.

The designated Diocesan Data Protection Officer (DPO) is Mathew D’Souza, who can be contacted on on 020 7798 9000 or at Vaughan House, 46 Francis Street, SW1P 1QN. We will endeavour to use your information in accordance with all applicable laws concerning the protection of personal information. If you wish to read the diocesan data protection policy please go to the education service website at

This Notice explains:

  • What information the Education Service may collect about you and why we collect it
  • How we will use that information
  • Whether we disclose your details to anyone else
  • Your choices regarding the information you provide to us
  • How long we will retain your information.

The Personal Data we collect

We process data relating to those who work at our schools, either as employees or on a voluntary basis. We also collect data about the children in our schools. Personal data that we may collect, use, store and share (when appropriate) about you may include, but is not restricted to:

  • Contact details
  • Date of birth, marital status and gender
  • Next of kin and emergency contact numbers
  • Recruitment information, including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process
  • Qualifications and employment records, including work history, job titles, working hours, training records and professional memberships
  • Performance information
  • Outcomes of any disciplinary and/or grievance procedures
  • Absence data
  • Copy of driving licence
  • Photographs
  • CCTV footage
  • Data about your use of the school’s information and communications system

We may also collect, store and use information about you that falls into "special categories" of more sensitive personal data. This includes information about (where applicable):

  • Race, ethnicity, religious beliefs, sexual orientation and political opinions
  • Trade union membership

Why we collect your Data and how we use it

You may give us your information for the following reasons:

  • to receive email updates, bulletins or CES documentation
  • to subscribe to or attend one of our CPD courses
  • to complete a registration form to become a Foundation Governor or Director
  • to complete an Education Service census form such a Pupil Placement
  • to register for Education Service run events
  • to register engagement and delivery of state funded programmes such as LCVAP, PSB, PSB2,
  • to receive HR and other services from us
  • to assess the quality of our services
  • to carry out research
  • to further the work of the Education Service e.g. pupil place planning etc.

The Legal Basis for Processing

We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:

  • Fulfil a contract we have entered into with you
  • Comply with a legal obligation
  • Carry out a task in the public interest
  • You have given us consent to use it in a certain way
  • We need to protect your vital interests (or someone else’s interests)

Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent, and explain how you go about withdrawing consent if you wish to do so.

Data sharing

We do not share information about you with any third party without your consent unless the law and our policies allow us to do so. Where it is legally required, or necessary (and it complies with data protection law) we may share your personal information.

Retention of Data

We will not retain your data any longer than is necessary and we will not use it for any purpose other than the purpose for which it was obtained. You may contact us at any time to find out how long we will need to retain your data.

Individual’s rights under the GDPR

As an Education service, users can all request that we comply with a request to exercise their rights, which are:

  1. Right to information
  2. Subject access rights
  3. Right to rectification
  4. Right to erasure (right to be forgotten)
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights in relation to automated decision making and profiling

Your rights include the right to make a complaint to the Information Commissioner’s Office. 


One of the key requirements of the GDPR relates to transparency. This means that the Diocesan Education Service will keep Data Subjects informed about how their Personal Data will be processed when it is collected.

Diocesan Education Service employees will use other appropriate and proportionate methods to tell individuals how their Personal Data is being processed if Personal Data is being processed in a way that is not envisaged by our privacy notice.

  • Evidence and records of Consent will be maintained so that the Diocesan Education Service can demonstrate compliance with Consent requirements.

Specified, explicit and legitimate purposes

  • Personal data will only be collected to the extent that it is required for the specific purpose notified to the Data Subject, for example, in the Privacy Notice or at the point of collecting the Personal Data. Any data which is not necessary for that purpose should not be collected in the first place.
  • The Diocesan Education Service will be clear with Data Subjects about why their Personal Data is being collected and how it will be processed. We cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.

Adequate, relevant and limited to what is necessary

The Diocesan Education Service will ensure that the Personal Data collected is adequate to enable us to perform our functions and that the information is relevant and limited to what is necessary. In order to ensure compliance with this principle, the Diocesan Education Service will check records at appropriate intervals for missing, irrelevant or seemingly excessive information and may contact Data Subjects to verify certain items of data.

The Diocesan Education Service will implement measures to ensure that Personal Data is processed in such a way that only members of staff, local governors or trustees who need to know Personal Data about a Data Subject will be given access to it and no more information than is necessary for the relevant purpose will be shared. In practice, this means that the Diocesan Education Service may adopt a layered approach in some circumstances, for example, members of staff, trustees or local governors may be given access to basic information about an employee if they need to know it for a particular purpose but other information about a Data Subject may be restricted to certain members of staff who need to know it, for example, where the information is Sensitive Personal Data, relates to criminal convictions or offences or is confidential in nature (for example, child protection or safeguarding records). When Personal Data is no longer needed for specified purposes, it will be deleted or anonymised in accordance with our data retention guidelines.

Accurate and, where necessary, kept up to date

Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed. If a Data Subject informs the Diocesan Education Service of a change of circumstances their records will be updated as soon as is practicable.

Where a Data Subject challenges the accuracy of their data, the Diocesan Education Service will immediately mark the record as potentially inaccurate, or ‘challenged’. In the case of any dispute, we shall try to resolve the issue informally, but if this proves impossible, disputes will be referred to the Data Protection Officer for their judgement. If the problem cannot be resolved at this stage, the Data Subject should refer their complaint to the Information Commissioner’s Office. Until resolved the ‘challenged’ marker will remain and all disclosures of the affected information will contain both versions of the information.

Data to be processed in a manner that ensures appropriate security of the Personal Data

The Diocesan Education Service has taken steps to ensure that appropriate security measures are taken against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. Data Subjects may apply to the courts for compensation if they have suffered damage from such a loss. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.


We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact our data protection officer.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

  • Report a concern online at
  • Call 0303 123 1113
  • Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Contact us

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:

Mathew D’Souza on