top of page
Privacy Policy

Key details

  • Document prepared by Elizabeth Hutchinson

  • Document became operational on 1st September 2019

  • Next review date 1st September 2021


The Great School Libraries campaign need to gather and use certain information about individuals as both a Controller and Processer of data.

These details can include customers, suppliers, business contacts, and other people the organisation has a relationship with or may need to contact.

This document describes how this data is collected, handled and stored to meet the campaign’s data protection standards and to comply with the law.

The campaign does not share information it holds on individuals with any third parties unless legally obliged to do so or where it has written, prior consent.


What data we may collect

We may collect the following information:

  • Name and job title

  • Contact information including email address, and school name.

  • Demographic information such as postcode, preferences and interests 

What we do with the information we gather

We are committed to ensuring that your personal data is processed in accordance with GDPR requirements. We will make our best efforts to always ensure that the personal data we hold about you is up-to-date and only retained as long as is necessary.

We will use this information for the following reasons:

  • Internal record keeping

  • We may use the information to improve our campaign

  • We will periodically send promotional emails information which we think you may find interesting using the email address which you have provided. This will be done in accordance with the Legitimate Interest lawful basis of data processing under GDPR and you will always be given the option to unsubscribe if you do not wish us to contact you anymore

We are committed to ensuring that the information we collect is appropriate for this purpose and does not constitute an invasion of your privacy.

Legitimate Interests – the legal basis for gathering information

The law allows personal data to be legally collected and used if it is necessary for a legitimate business interest of the organisation – as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.

The processing of data is necessary so that we can provide updates about the campaign.

Who we share the data with

We will not sell, distribute or lease your personal information to any third parties for marketing purposes.

However it may be necessary for us to pass your personal data on to third party service providers, such as freight companies used to make deliveries i.e. competition winners.

Any third parties will be legally obliged to keep your details securely and to dispose of them once they no longer have a lawful basis for retaining them.

Any involved associations will not use any details for any other purpose other than the campaign.

The use of cookies

We use cookies (small text files placed on your device) and similar technologies to provide our websites and online services and to help collect data. Cookies allow us, among other things, to store your preferences and settings; enable you to sign-in; combat fraud; and analyse how our websites and online services are performing.

You can block cookies by activating the setting on your browser that allows you to refuse the setting for some or all cookies.  However, this may restrict access to some or all parts of our websites and services.

Subject access requests – How do I find out what personal data is held about me?

We can supply the following information if requested:

  • The type of data we process

  • How the data was obtained

  • How the data is processed (stored, retained and disposed of)

  • The purpose and lawful basis of the processing

  • Details of any third parties to whom the data has been provided and the reasons for this

  • Details of how you can correct, withdraw or delete your data from our records

  • How to contact the Data Protection Officer in case of query or complaint

If you wish to make a subject access request, please make that request in writing to

Right to rectification and data quality. How do I ask for the data to be amended?

If you wish to have the data amended or rectified, please make that request in writing to 

Right to erasure, including retention and disposal.  How do I ask for my data to be removed?

If you wish to have the data removed, please make that request in writing to

Where requested, data will be disposed of and destroyed in line with the current legislation.  Data will be deleted from both live and archived or back-up copies of our systems.

System security

At present all of our servers are located in the UK, either on site or in secure data centres.

How will you identify a breach, what are your breach reporting processes, and in what time frame will you report to us as the controller? 

We have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.

Should such a breach ever occur, our priorities will be the securing of our systems to prevent any further data theft or damage.  In line with Article 33(2) of the regulations, if necessary, the breach will be reported to the ICO with any information we have gathered at that time, with further updates to this information as we discover it.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.

We will also keep a record of any personal data breaches, regardless of whether we are required to notify.

Breaches would normally be reported within 72 hours, where feasible.

General Enquiries

If you have any general enquiries regarding data protection, please submit them in writing

September 19 v1

bottom of page