Structured governance assurance for UK school governing boards.

Client Privacy

How we protect the privacy and security of your school's assessment data on the School Governance Assurance Framework platform.

Effective: 1 May 2026
Version: 2026-05-01-v1
UK GDPR compliant
Data Processor: Joshua Mangas

Contents

  1. Who this policy applies to
  2. What assessment data we collect
  3. Data ownership and roles
  4. How we use your assessment data
  5. Data isolation and access control
  6. Who can see your data
  7. Data sharing, we don't share with Ofsted, DfE, or LAs
  8. Data retention and deletion
  9. Data export and portability
  10. Security measures
  11. Sub-processors we use
  12. Your rights under UK GDPR
  13. Contact

This policy explains how the School Governance Assurance Framework treats your school's assessment data as a data processor. Your school is the data controller. Your data is yours to own, control, export, and delete at any time.

1 Who this policy applies to

This Client Privacy policy applies to schools, academies, multi-academy trusts (MATs), and governing boards using the School Governance Assurance Framework platform at portal.governanceassurance.co.uk. This covers all platform tools: Quality Standard, Website Check, AI Readiness Audit, Faith Inspection Readiness, School Data Check, Website Compliance, Board Intelligence Report, Meeting Agendas, School Improvement, Statutory & Core, Headteacher Report, CES Assurance, SIAMS Assurance, Trust Dashboard, and Agenda Builder.

The policy covers the school leadership, governors, trustees, clerks, and other school staff members who are authorised by the school to access the platform and complete governance assessments.

This policy is separate from our general Privacy Policy, which covers the marketing website and contact forms. For website data, see Privacy Policy.

2 What assessment data we collect

When your school uses the SGAF platform tools, we collect and store the following data:

Data fieldWhat is collected
Organisation profileSchool or trust name, town, postcode, and headteacher / CEO and Chair of Governors / Trustees names (used to label your assessment report).
User email and roleEmail address and role of the person(s) completing or accessing the assessment (e.g., Governor, Trustee, Clerk, Headteacher, CEO).
Quality Standard responsesFor each element across every governance function and 3 stages (Compliance, Assurance, Continuity), the status you select: Not Started, Developing, or Secure.
Quality Standard evidence notesOptional text evidence you provide to support your assessment status (e.g., "Board reviewed this policy in October 2025").
Website crawl dataURLs, page content, and compliance findings collected when the Website Check or Website Compliance tool scans your school website.
GIAS governor dataGovernor names, roles, and appointment dates retrieved from the DfE Get Information About Schools (GIAS) register for the Board Intelligence Report.
SIP document uploadsSchool Improvement Plan documents uploaded for AI-assisted priority extraction within School Improvement.
Governor names and assignmentsGovernor names assigned to statutory monitoring roles and SIP visit reports within Statutory & Core and School Improvement.
Headteacher termly dataAttendance, exclusions, staffing, budget, SIP progress, and safeguarding data entered via the Headteacher Report tool.
Submission metadataTimestamps of when assessments, reports, and scans are started, updated, and completed.
CES module responsesSelf-assessment responses across 12 Catholic governance standards within CES Assurance, including visit records and monitoring plans.
SIAMS module responsesSelf-assessment responses across 10 Church of England inspection strands within SIAMS Assurance, including visit records and monitoring plans.
Faith readiness self-assessmentCES and SIAMS readiness answers and AI-generated action plans from the Faith Inspection Readiness tool.
Trust dashboard dataAggregated governance data across schools within a multi-academy trust, including heatmap views and trust-level reports.
Agenda Builder selectionsMeeting type selections, framework element mappings, and generated agenda content.
School Data Check lookupsSchool URN and retrieved published DfE data (attendance, behaviour, performance, staffing).
Plan and action logAny governance action items or development priorities you record in the platform.

We do not collect or store personal data about individual pupils, staff, or parents. Your assessment should relate only to board-level governance processes and policies. Do not enter names, email addresses, or identifiable data about children or staff in evidence note fields.

3 Data ownership and roles

3.1 Your school is the Data Controller

Your school is the data controller for all assessment data submitted to the SGAF platform. This means:

  • Your school decides what data is entered, when assessments are completed, and how the assessment findings are used within the school
  • Your school determines the lawful basis for processing governance data (typically legitimate interests in maintaining board governance standards)
  • Your school is responsible for ensuring that any evidence notes comply with UK GDPR and do not contain inadvertent personal data
  • Your school controls who within your organisation has access to the platform and your assessment data

3.2 School Governance Assurance Framework is the Data Processor

School Governance Assurance Framework (operated by Joshua Mangas) acts as a data processor on behalf of your school. This means:

  • We process assessment data only on your instruction and for the purpose of providing the Quality Standard tool
  • We do not use your data for any secondary purpose (marketing, analytics, comparison with other schools, or research) without your explicit prior consent
  • We implement appropriate technical and organisational security measures to protect your data
  • We comply with UK GDPR Chapter V requirements for sub-processors
  • We provide you with the access, export, and deletion capabilities you need to exercise control over your data

3.3 Data Processing Agreement

Schools using the platform have a Data Processing Agreement (DPA) in place that sets out the terms of our data processor relationship. The standard DPA is published on our website. Contact us at info@governanceassurance.co.uk to discuss your school's specific requirements.

4 How we use your assessment data

We use your assessment data only for the following purposes:

  • Providing the Quality Standard tool: storing your responses, generating your governance assessment report, and enabling you to review and update your assessment over time
  • Generating reports: creating a PDF or online report of your assessment results for your governance records
  • Platform administration: notifying our operational team when a school submits an assessment so we can verify completion and provide any requested support
  • Service improvement: anonymised usage data (e.g., "60% of schools selected Secure for question 1.2") may be used in aggregate to improve the framework questions and platform usability, with your prior consent if required
  • Customer support: responding to requests for help accessing or exporting your data

We do not:

  • Share your assessment responses with other schools or with Ofsted, the Department for Education (DfE), or local authorities
  • Use your data for marketing or to target you with advertising
  • Sell your data or share it with third-party analytics providers
  • Use your data for benchmarking or comparison reports without your explicit consent
  • Share individual school scores with any external body

5 Data isolation and access control

5.1 Row-level security

The SGAF platform uses database row-level policies so that:

  • Each school account can only read and write its own assessment data
  • A school's data is completely isolated from all other schools' data at the database level
  • Multi-school users (e.g., governance professionals or MAT staff with access to multiple schools) see only the schools they are explicitly added to
  • Users cannot access data from schools they are not assigned to, even if they know the school ID

5.2 User access management

Your school manages user access to the platform. When you add a user to your school account:

  • That user signs in via passwordless authentication via email one-time codes, or OAuth sign-in through Google or Microsoft (School Portal)
  • The user can access only your school's assessment data (and any other schools you authorise)
  • Your school can remove user access at any time, and the user will no longer be able to sign in
  • All user actions (viewing, updating responses) are logged and can be audited

5.3 Administrative access

The School Governance Assurance Framework operator (Joshua Mangas) has separate administrative access to:

  • View service-level metrics and usage (e.g., number of active schools, submissions per week)
  • Access individual school data only when explicitly requested by the school for support or technical troubleshooting
  • Respond to data subject access requests (SARs) and deletion requests

Administrative access is logged and restricted to authorised personnel only.

6 Who can see your data

6.1 Your school's users

Only the users (governors, staff, clerks) that your school has explicitly added to your account can see your assessment data. Your school controls this access list.

6.2 School Governance Assurance Framework support team

The SGAF support team can access your data only to:

  • Respond to your support request (e.g., "I can't access my assessment")
  • Troubleshoot technical issues
  • Fulfill data subject access requests or deletion requests

Support staff do not routinely view school data and do so only when necessary for these purposes.

6.3 Who cannot see your data

Your assessment data is not accessible to:

  • Ofsted or other school inspectorates
  • The Department for Education (DfE)
  • Local authorities
  • Governor services, consultants, or third-party governance providers (unless you manually export and share your report with them)
  • Other schools or MATs
  • Marketing, analytics, or advertising partners

7 Data sharing, we don't share with Ofsted, DfE, or LAs

7.1 Clear policy: no automatic sharing

We do not automatically share your school's assessment data with any external body. This includes:

  • Ofsted: your SGAF assessment is not sent to Ofsted and does not form part of any inspection dataset
  • Department for Education (DfE): your data is not shared with the DfE
  • Local authorities: your data is not shared with your local authority
  • Governor services and third-party providers: your data is not sold or provided to external companies

7.2 You control sharing

You have complete control over whether and how to share your assessment findings:

  • Internal sharing within your school: you decide who within your leadership team, governors, and staff can see your assessment results
  • Exporting your report: you can export your assessment summary as a PDF report (see section 9) and share this with whoever you choose (e.g., your local authority, an external governance consultant, or for inspection preparation)
  • External partnerships: if you choose to share your assessment with a third party (e.g., a governance service or consultant), that is your decision and responsibility

7.3 Legal obligations

We may disclose your data if required by law, court order, or lawful authority (e.g., a police investigation). We will inform you of such a request where legal constraints permit.

7.4 Sub-processors

We use third-party infrastructure providers to operate the School Governance Assurance Framework (see section 11). These providers process only the limited data needed for their function (for example request logs and IP addresses, or the email address and content needed to deliver a sign-in code). Only our cloud database provider (which hosts your data) and our AI provider (which processes documents you submit, transiently and never for training) process the content of your governance records.

8 Data retention and deletion

8.1 How long we retain your data

Data typeRetention period
Quality Standard responses and evidenceRetained for the duration of your school's active use of the platform plus 2 years. After your school's account is closed or you request deletion, data is deleted from the database within 30 days of closure request.
Organisation profile (name, postcode, headteacher / CEO)Retained while the account is active. Deleted within 30 days of account closure or deletion request.
User data (email, role)Retained for as long as the user has access to the platform. Deleted within 30 days when the user is removed or when the school account is closed.
Authentication one-time codesOne-time codes expire after approximately 1 hour. Email provider logs are retained according to the provider's retention policy (typically 30-90 days).
Payment recordsRetained for 7 years in accordance with HMRC requirements.
Platform activity logsLogs of user actions (sign-in, data updates, exports) are retained for 1 year for security and audit purposes.

8.2 How to request deletion

Your school can request deletion of all assessment data at any time:

  • Contact info@governanceassurance.co.uk and request deletion of your school account
  • Specify which data you wish to delete (all data or specific assessments)
  • We will delete the data within 30 days and confirm completion to you
  • Deletion is permanent and cannot be reversed, ensure you have exported your data if you need to keep a copy

8.3 Right to erasure

Under UK GDPR Article 17, your school has the right to request erasure of personal data. We will delete your assessment data and user records upon request unless a legal obligation requires us to retain the data.

9 Data export and portability

9.1 Exporting your assessment

Your school can export your assessment data at any time from the platform:

  • PDF report: download a formatted governance assessment report showing your school name, assessment date, status for each question, and any evidence notes you have added
  • Data portability request: request your assessment data in machine-readable format (CSV or JSON) containing all responses and metadata

9.2 Requesting data portability

Under UK GDPR Article 20, you have the right to data portability. To request your assessment data in a structured, machine-readable format:

  • Contact info@governanceassurance.co.uk with a data portability request
  • Include your school name or account ID
  • Specify the format (CSV, JSON, or other)
  • We will provide the data within 30 days

9.3 Data format

Exported data will include:

  • Organisation profile information (name, postcode, headteacher / CEO, Chair of Governors / Trustees)
  • All assessment responses (question ID, status, evidence text)
  • Submission timestamps and user information
  • Any action log or development plan entries

Data is provided in a format suitable for import into other governance or compliance tools, or for storage in your own records.

10 Security measures

10.1 Data encryption in transit

All communication between your browser and the SGAF platform is encrypted using TLS 1.2 or higher. This applies to:

  • Sign-in and authentication
  • Assessment data submission
  • Data export and report generation

10.2 Data encryption at rest

Assessment data stored in our cloud database is protected by the provider's standard encryption and physical security measures.

10.3 Access controls

  • Passwordless authentication, users sign in via email one-time codes, or OAuth sign-in through Google or Microsoft (School Portal). No passwords are stored
  • Session tokens, user sessions are authenticated with secure, expiring tokens stored in the browser
  • Row-level database policies, the database enforces that users can only query their own school's data
  • Administrative access, limited to named staff with strong authentication and audit logging

10.4 Vulnerability management

We monitor platform security through:

  • Regular security updates to platform dependencies
  • SSL/TLS certificate management and renewal
  • Server and database hardening
  • Incident response procedures

10.5 What you can do

To protect your school's data:

  • Keep your sign-in email address secure and do not share it with unauthorised users
  • Only add staff to your account who need access to the assessment
  • Do not enter personal data about pupils, staff, or parents in assessment evidence notes
  • Review your user access list periodically and remove users who no longer need access
  • Report any suspected data breach or security incident to info@governanceassurance.co.uk immediately

11 Sub-processors we use

We use a small number of sub-processors to operate the service. We describe them here by category. Each is contractually bound to protect your data and to comply with UK GDPR Chapter V requirements, and each is engaged under data protection terms no less protective than our own.

CategoryWhat it doesLocation
Cloud database and authenticationStores school profile, user email addresses, assessment responses and evidence, timestamps and action logs; handles sign-in. Encryption in transit and at rest, access controls, row-level security.EU-hosted
Application and website hosting / CDNServes the School Portal and marketing website. Processes HTTP request metadata (IP addresses, request logs). TLS, DDoS protection, SOC 2 compliant infrastructure.EU (London) / global CDN
AI processingDocument text submitted for AI-assisted extraction, scoring or generation (e.g. School Improvement Plan data). Processed transiently, never used for model training. Enterprise API security, SOC 2 compliant.Outside UK/EU, under SCCs
Transactional email deliveryEmail address, one-time sign-in code tokens, notification content. Encrypted in transit where supported.Outside UK/EU, under SCCs
Payment link processingPayment amount and reference. You are redirected to the provider's FCA-authorised hosted page to complete payment. We do not store bank details.UK/EU
Identity providers (OAuth)Optional sign-in with a Google or Microsoft account: email address and basic profile during sign-in.Global
Marketing-site servicesContact-form email delivery (website only; not a processor of assessment data; fonts are self-hosted).Global

We never use your data to train AI models. Your governance data, uploaded documents and assessment responses are never used to train any AI model. AI processing is carried out by our AI provider through a private API on a transient basis: inputs and outputs are not used for model training, are retained only briefly for trust-and-safety purposes (typically no more than 30 days) and are then deleted. Our AI provider holds recognised independent security certification (currently SOC 2 Type II) and is bound by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum). AI outputs are decision-support aids and do not constitute legal or regulatory advice.

11.1 Named sub-processor list

A current, named list of our sub-processors, their roles and data-processing locations is provided to schools and trusts in our Data Processing Agreement and is available to anyone on request from info@governanceassurance.co.uk. We notify customers of any intended change to our sub-processors and give at least 14 days to object before the change takes effect.

12 Your rights under UK GDPR

As your school is the data controller for assessment data, your school (and individual staff members as data subjects) has the following rights under UK GDPR:

12.1 Right of access

Your school can access all assessment data stored in your account at any time by signing into the platform. You can also request a formal Subject Access Request (SAR) for a structured export of your data. We will respond within 30 days.

12.2 Right to rectification

If assessment data is inaccurate or incomplete, your school can:

  • Update responses and evidence directly in the platform
  • Request correction of profile information (name, postcode, headteacher / CEO details)

12.3 Right to erasure ("right to be forgotten")

Your school can request deletion of all assessment data at any time. We will delete the data within 30 days. Deletion is permanent and cannot be reversed.

12.4 Right to restrict processing

Your school can request that we restrict processing of your data (e.g., pause access to the platform while a dispute is resolved). Contact info@governanceassurance.co.uk to arrange this.

12.5 Right to data portability

Your school has the right to request assessment data in a structured, machine-readable format (CSV or JSON) suitable for transfer to another service. See section 9 for details.

12.6 Right to object

Your school can object to processing of assessment data based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds (e.g., legal obligation). Contact us to exercise this right.

12.7 How to exercise your rights

To exercise any of the above rights:

  • Contact info@governanceassurance.co.uk with your request
  • Include your school name and account email
  • Specify which right you are exercising and what data your request relates to
  • We will respond within 30 days and at no cost to you
  • We may ask you to verify your identity before fulfilling a request

12.8 Right to lodge a complaint

If you believe the School Governance Assurance Framework is not complying with UK GDPR or this policy, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13 Contact

13.1 Questions about this policy or your data

For questions about how the School Governance Assurance Framework handles your school's assessment data, or to exercise your rights:

  • Email: info@governanceassurance.co.uk
  • Subject line: "Client Privacy Request" or "Data Subject Access Request"
  • Response time: We aim to respond within 10 working days for general enquiries and within 30 calendar days for formal data requests

13.2 Data Protection Officer (DPO)

The School Governance Assurance Framework does not currently employ a designated DPO. For data protection matters, contact Joshua Mangas (the platform operator) at info@governanceassurance.co.uk.

13.3 Changes to this policy

We may update this Client Privacy policy from time to time to reflect changes to our service, legal requirements, or security practices. Material changes will be communicated to active schools by email or in-app notification where practicable.

The "Last updated" date at the top of this page reflects the most recent version.

13.4 Related policies

Questions about your school's data?

If you're a school leader, clerk, or data protection officer with questions about how we protect your governance assessment data, we're here to help.

Email us at info@governanceassurance.co.uk →