Fair Processing Notice

The Headteacher in the name of Bunscoill Rhumsaa as Data controller

The Headteacher, in the name of Bunscoill Rhumsaa, is a data controller for the purposes of the Data Protection Act 2002/General Data Protection Regulation (Isle of Man) Order 2018. The contact details for the Data Controller are Bunscoill Rhumsaa of Lezayre Road, Ramsey, Isle of Man IM8 2PA.

In addition to the information set out in the Isle of Man Privacy Notice, we may also collect the following information about your child as required by the Education Act 2001 and the Registration of Pupils Regulations 2016:

  1. full legal name and where known, any former name or names;
  2. gender;
  3. date of birth;
  4. unique pupil number;
  5. ethnic group and by whom that information was provided;
  6. first language;
  7. date of admission to the school;
  8. year group;
  9. the address and postcode of the pupil's usual residence and any other properties at which the pupil is also known to reside on occasion;
  10. the name and address of every person known to the school to be a parent of the pupil and at least one emergency contact telephone number;
  11. the name and address of any other schools the pupil is known to have attended, if any, and in the case of guest registration, any other schools at which the pupil is registered;
  12. full-time or part-time;
  13. day pupil or boarder;
  14. date of leaving the school;
  15. usual mode of transport to and from school;
  16. for any pupil who is known to the head teacher to be or to have been looked after by an appropriate organisation, the name of that organisation;
  17. (where applicable) that the pupil has been found eligible for free school meals;
  18. Attendance;
  19. Medical information for the vital interests of children where appropriate;
  20. Educational psychologists reports and supporting documents;
  21. Academic achievements;
  22. Skills and abilities;
  23. Educational progress;
  24. Special educational needs information;
  25. Suspension information;
  26. Course information;

The Data Protection Officer for the Department of Education, Sport and Culture is: Andrew Shipley, Department of Education, Sport and Culture, Hamilton House, Douglas. IM1 5EZ. Tel 01624 685828. Email: DPO-DESC@gov.im.

How we will use the information we collect about you

Bunscoill Rhumsaa may use your information to:

  • register your child at the school;
  • record attendance information;
  • produce an educational record containing:
    • Information about your child
    • Personal education plans
    • Educational psychologist's reports and accompanying documents
  • produce a curricular record containing:
    • Academic achievements;
    • Skills and abilities; and
    • Educational progress
  • produce a record of special educational needs and special needs provision, if appropriate detailing:
    • The type of special need;
    • A ranking of the special needs if there is more than one;
    • The special needs provision being made; and
    • Whether teaching is in a special education needs unit or elsewhere
  • record details of suspensions
  • produce a record of the studies undertaken;
  • help prevent and detect crime

Bunscoill Rhumsaa has a statutory obligation to check and verify the data you provide to us on registration documents and on consent forms. This may include checks of publicly available information but in some cases, where it is necessary and relevant, the information you provide may be disclosed or shared with other organisations.

How we will share the information we collect about you

App or Service Details Consent Required


more information

Data Shared: Pupil record

Sharing Basis: No - Public interest +official authority of the DC

Security Protocols:
Arbor uses bank-grade, end-to-end, 256bit SSL encryption to ensure only the authorised user can see school data. Student data is NEVER shared with third parties without a schools’ consent.  Each user is issued with a unique and secure password, with permission-based access ensuring that they can only view the data relevant to them. No data is stored on any device, and Arbor automatically logs out after a period of inactivity.  Arbor is a Data Processor and abides by all of the terms of the Data Protection Act 1998. Arbor are also registered with the UK Government on the G-Cloud VII framework, a Government framework which audits the security of cloud-based providers to ensure they meet government standards. Arbor products have also been approved by the Department for Education list for cloud suppliers.

Access Conditions: N/A

Teacher Access: N/A

Server/Data Location: EEA 

Retention Period: DOB +25 years



more information

Sharing Basis: To demonstrate children's safety and welfare have been assessed prior to off-site visits to SLT and central DESC staff.

Security Protocols:
Implement additional security measures including advanced firewalls, enterprise-level virus protection on all servers, HTTPS encryption for all communication between our servers and users, regular data backup, username/password/PIN to control access, failed log-in attempt logging, automatic suspicious activity detection and logging etc.

Access Conditions: Staff only

Teacher Access: Yes, to risk assess and evaluate risk assessments for off-site visits.

Server/Data Location: EEA 


Google Docs

more information

Data Shared: No personal information should be stored on Google servers by staff apart from a name, class grouping, email address and information regarding work completed or to be completed.

Sharing Basis: Collaborative learning by children and home learning. Can be shared with teacher and any other child at DESC school on IOM. re consent - No - Public interest +official authority of the DC

Security Protocols: Google adheres to several self regulatory frameworks, including the EU-US Privacy Shield arrangement.

Access Conditions: No

Teacher Access: Limited to areas set up by staff and shared documents

Server/Data Location: Worldwide including the US

Retention Period: DOB + 21 years or 3 years since the last log on



more information

Data Shared: First name, surname and email address (Google for education)

Sharing Basis: To provide a LMS (Learning Management System) so that children can learn how to maintain a digital profile in a safe environment. Also to facilitate independent and self direct learning with reflection and peer assessment.

Security Protocols:
Physical security Data Centres itslearning operates all its customer services from data centres separated from the corporate office work space. Access to data centres are strictly controlled and protected to reduce the likelihood of unauthorised access, fire, flooding or other damage to the physical environment. Physical access to data centres are limited to a small number of employees within itslearning and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre. Office work space All of the office work space of itslearning is protected by access control. Only invited visitors and employees can access itslearning’s work space. Multiple measures are in place to avoid security issues due to theft or loss of computer equipment. This includes security guidelines and acceptable use policies, authentication systems and encryption of storage units when applicable.

Access Conditions: supervised and unsupervised

Teacher Access: To support learning the teacher has access to pupil pages and their posts

Server/Data Location: EEA

Retention Period: While in education at state school. School attendance plus 1 year


Language link / Speech

more information

Data Shared: Name, DOB. email & telephone number of school

Security Protocols: Encryption, access restriction and physical security

Teacher Access: Yes

Server/Data Location: EEA

Retention Period: 3 years



more information

Data Shared: Name, email address

Security Protocols: Appropriate and suitable safeguards and technical measures are in place to protect your personal data

Access Conditions: Supervised

Teacher Access: Yes

Server/Data Location: Worldwide

Retention Period: End of use + 12 months


Quesmedia Sites

more information

Data Shared: Website activity, website form submissions and user content.

Sharing Basis: To provide public website services for our school

Security Protocols:
Sites are served over HTTPS using TLS to provide both secure server–server and server–client communication. Accounts are protected from brute force attacks with rate limiting and automated account locking. Passwords are one-way encrypted using bcrypt before being stored and are required to satisfy strong password rules to ensure high-entropy.

Access Conditions: None

Teacher Access: Limited to data provided within the CMS

Server/Data Location: United Kingdom (EEA)

Retention Period: Please view the more information link for data retention policies.


For more specific details about retention periods see the Department’s retention schedule

Information obtained or disclosed by third parties will not be used for any other purpose other than supporting the delivery of teaching and learning.

Failure to provide information may impact on support in school, the quality of teaching and learning and in achievement in examinations.

Protecting your information

Bunscoill Rhumsaa will:

  • keep your information safe and secure in compliance;
  • only use and disclose your information as detailed above where necessary
  • Retain the information for no longer than is necessary and your information wll be permanently deleted once the timeframes set out below have been reached (there will need to be an authorisation process, to dispose of this in line with our Records Management Policy and retention periods as outlined below (unless there is an over-riding reason to retain this information).

Transfer of Information outside the EEA

Apps and services that are used in school may require data to be stored on servers outside of the EEA. Information sent to these will be limited and are as detailed above.

More Information

You can find out more information including:

  • Looking at the Isle of Man Government Privacy Policy here https://www.gov.im/about-this-site/privacy-notice/ [Accessed 16/1/18]
  • Contacting our Data Protection Officer who is: Andrew Shipley, DPO. Hamilton House, Peel Road. Douglas. IM1 5EZ. Tel 685828. Email DPO-DESC@gov.im
  • Asking to see your information or making a complaint if you feel that your information is not being handled by contacting the Headteacher as Data Controller for Bunscoill Rhumsaa
  • Making a subject access request which is a request for all of the personal data we hold about you.
  • Obtaining this information in large print, braille, or in an alternative language.

Your rights

You have a right to access your personal data to ensure that it is accurate, and to request that it is rectified, blocked, erased or destroyed if it is inaccurate.

To make any request relating to your data held by us, please contact the Data Protection Officer for the Department of Education, Sport and Culture who is: Andrew Shipley, DPO. Hamilton House, Peel Road. Douglas. IM1 5EZ. Tel 685828. Email DPO-DESC@gov.im

If you are not satisfied with the response you receive, you may also complain to the Information Commissioner, whose details can be found on www.inforights.im, or the relevant supervisory authority. You may have a right to other remedies.