Privacy Policy


DPOCOMS is committed to protecting the privacy and security of personal data.

The General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018 (DPA) sets out the law relating to data protection and the way we process your data is all carried out in accordance with that law.

This privacy notice relates to the data we collect/process when you visit our website and sign up for DPOCOMS.

Where we do collect personal data through our website, we make this clear and this privacy notice explains what we intend to do with that data.

This privacy notice sets out the following information:

  1. Our details
  2. DPO Details
  3. Analytics
  4. Cookies
  5. Security and Performance
  6. Personal data collected
  7. How we collect this information
  8. Purpose and lawful basis for processing
  9. Who we share the information with
  10. How we store the information
  11. How we communicate with you
  12. Transferring data internationally
  13. Your rights
  14. Complaints
Our Details

DPOCOMS (Data Protection Officer’s Compliance and Online Management System), is a web-based software solution designed to assist schools and multi-academy trusts with data protection compliance.

DPOCOMS is owned by The DP Advice Service Ltd a limited company incorporated in England and Wales under company registration number 11203202, whose registered office address is The Elsie Whiteley Innovation Centre, Hopwood Lane, Halifax, United Kingdom, HX1 5ER.

The DP Advice Service is the controller for the personal information we process, unless otherwise stated. This means that we are responsible for deciding how we hold and use the personal information we collect about you.

You can contact us at

DPO Details

It is the role of the Data Protection Officer to monitor internal compliance with data protection legislation and inform and advise The DP Advice Service Ltd of its data protection obligations.

If you have any questions about the information in this privacy notice or how we collect and process your personal data, please contact our Data Protection Officer.

Our Data Protection Officer is Debbie Pettiford, Director and founder of The DP Advice Service Ltd. You can contact the DPO at


When you visit our website, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.

The information collected in this way includes:

  • IP address

  • Pages visited

  • Web browser

  • Search criteria entered

  • Previous web pages visited

  • Social media username (if you have interacted with us using such channels)

We do this to find out such things as the number of visitors to the various parts of the site and to make improvements to our service to ensure we are providing the best visitor experience.

This information is only processed in a way that does not directly identify anyone.

The information collected is classed as personal data as Google assigns a unique identifier to each visitor. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

We have measures to protect the information collected, which include limiting the amount of data that is collected, setting a retention schedule for the data collected, restricting access to our Google Analytics data and regularly reviewing our use of analytics.

We keep analytics data for 14 months from the visitor's last visit.


Cookies are small text files that are placed on your computer by the websites that you visit.

We do not use cookies on our website; we use browser sessions. Browser sessions don’t contain personal information, they are always considered necessary for the website functionality. Unlike traditional cookies, they are deleted on the browser-side instantly or, approximately within 20 minutes after the last requested page from the website has been closed.

We use Google Analytics, which does use its own cookies. Further information about these cookies can be found here -

If you wish to opt out of all Google Analytics tracking then you can do so, here:

Security and performance

We use a server-based firewall called ModSecurity, by Apache Foundation, to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as we would expect. The service will block traffic that is not using the site as expected.

We host our website in a London data-centre, operated by Rackspace Ltd and managed by QWeb Ltd. Traffic information is retained for 7 days.

Personal data collected when you register for a DPOCOMS licence and how this is used

When you register for a DPOCOMS licence we will ask you for the following information:

  • Email address

  • Username

  • Password (we will not collect this information or ask you to share it with us)

Other information we will collect via DPCOMS is:

  • Full name

  • School/Trust name

  • Staff email addresses

  • Staff usernames

  • School contact address and telephone number

  • Financial information – for payments

This information is collected to create and assign staff users to your account.

We may also collect the following information if you provide this to us:

  • Basic personal information of staff such as name and username - when they log a request,

  • Personal information of pupils/other data subjects that you provide when you log a ticket through the dashboard tools. This includes any text provided via the ticket and any attachments to the ticket.

  • Other personal information that you provide when logging a request or seeking advice.

If you have signed up for the software++ package, then you may provide more personal information and special category data to seek advice and assistance with the requests that you log. You will remain the data controller of this information, we will be the data processor. This personal data will be covered by The DP Advice Service Privacy Notice which can be found here.

How we collect this information from you

We collect all personal information directly from you when you provide the information to set up, manage and use your DPOCOMS account.

We will always make it clear when we are asking you to provide personal information.

Purpose and lawful basis for processing

The purpose for collecting the analytical data and using cookies is to maintain and monitor the performance of our website and to constantly look to improve the site and the services we offer to our users.

The purpose for collecting the personal data is:

  • to create and manage your DPOCOMS account, communicate with you and offer you the services you have requested.

The lawful basis we rely on to process your personal data to:

  • provide and operate the services offered by DPOCOMS

  • communicate with you regarding your account

  • For the Software++ package – we collect the information to offer the advice and assistance as part of your DPO service with The DP Advice Service Ltd.

Article 6(1)(a) UK GDPR – which states that we will process your personal data with your consent.

If we process your personal data on the lawful basis of consent, you have the right to amend that consent and change your preferences at any time.

Article 6(1)(b) - which states that we will process your personal data as you have entered into a contract with us or taken steps to enter into a contract with us and processing the data is necessary for us to fulfil that contract.

Article 6(1)(f) UK GDPR – which allows us to process personal data when it is necessary for our legitimate interests. For example, to maintain the integrity of our website, IT systems and the continuity of our business and to create and maintain your account.

Who we share this information with

We will only share the personal information that you use to create your account with third parties who help us to offer the software to you. This includes:

  • Our data storage, website developers and maintenance provider – Rackspace Ltd and QWeb Ltd.

  • Payment processing providers

  • Accounting software/third party accounting provider – payment information

We will ensure that the appropriate data protection and security measures are in place with these third parties before any data is shared.

We will not share the information you provide when logging a request for advice or assistance.

We will not share any personal information relating to children or parents with any third parties.

How we store the personal information we collect

The information we store is all obfuscated in a way that means the website code can decipher it back to plain text, but a human can’t easily do the same. Passwords are encrypted.

The dashboard ticket tools have built in redaction, once a ticket is closed any data that is redacted is retained for 30 days on backups before it will be permanently deleted. When an account is deleted, we have 30 days before the backups containing information about the account are also deleted.

When you register for a DPOCOMS licence, the information is retained for the duration of the time that you hold that licence plus 12 months.

If you allow your licence to expire and wish to reinstate this at any time within the 12 months, we will be able to restore any data that was previously held under your old licence, except any redacted data (which would have been deleted after 30 days).

If you wish to reinstate the licence after the account has been dormant for 12 months, any pre-existing data will no longer be available.

How we communicate with you

We may contact you to notify you regarding your account, to troubleshoot problems with your account, to resolve a dispute, to collect fees or monies owed, to poll your opinions through surveys or questionnaires, to send updates about our company, or as otherwise necessary to contact you to enforce our User Agreement, applicable national laws, and any agreement we may have with you. For these purposes we will contact you via the email address provided to set up the initial licence.

Please contact us if the member of staff who set up your DPOCOMS licence leaves employment with you so that we can transfer the account.

Transferring data internationally

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that the organisation outside the EEA is compliant with the GDPR.

We do not currently transfer personal data to a country outside the EEA and don’t propose to in the future but will liaise directly with any individuals if this becomes necessary.

Your rights

Your right of access:

Individuals have a right to make a ‘subject access request’ to gain access to personal information that The DP Advice Service Ltd holds about them.

If you make a subject access request, and if we do hold information about you, we will:

  • Give you a description of the data we hold,

  • Tell you why we are holding and processing it, and how long we will keep it for,

  • Explain where we got it from, if not from you,

  • Tell you who it has been, or will be, shared with,

  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this

  • Give you a copy of the information in an intelligible form.

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

Your other rights:

  • Your right to rectification – you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information that you think is incomplete. This right always applies.

  • Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing – you may have the right to ask us to restrict the processing of your information in certain circumstances.

  • Your right to object to processing – you have the right to object to processing if the process forms part of our legitimate interests.

If you would like to make a request, please contact our Data Protection Officer (see details above in the ‘Our DPO’ section).


We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with our DPO in the first instance.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

  • Report a concern online at

  • Call 0303 123 1113

  • Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF