Privacy Information and GDPR

The General Data Protection Regulation (GDPR) is a new EU law that came into effect on 25 May 2018.  It replaced the Data Protection Act 1998 and the changes remain in place even after the UK leaves the EU in 2019.

GDPR principles

GDPR condenses the Data Protection Principles into six areas, referred to as the Privacy Principles. They are:

  1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  2. You must only use the data for the reason it is initially obtained.
  3. You must not collect any more data than is necessary.
  4. It has to be accurate and there must be mechanisms in place to keep it up to date.
  5. You cannot keep it any longer than needed.
  6. You must protect the personal data.

These privacy principles are supported by a further principle – accountability.

This means our setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.


For more information please see our Policy 10.8 Information sharing.  For a copy of the policy please see Policies section.


‘Practitioners need to understand their organisation’s position and commitment to information sharing. They need to have confidence in the continued support of their organisation where they have used their professional judgement and shared information professionally.’

Information Sharing: Guidance for Practitioners and Managers (DCSF 2008).