This privacy notice advises parents, carers and guardians of the school’s data protection responsibilities on the collection and processing of pupil’s personal information.
You are being provided with this notice because you can exercise your child’s data protection rights on their behalf. Current guidelines state that when your child is older (usually when they reach the age of 13) they may be considered mature enough to exercise their own data protection rights.
This notice provides details about:
- The personal information we collect on pupils.
- How we collect that personal information.
- What we do with the personal information.
- Your rights in relation to any personal information held and processed by the school.
We have appointed a senior member of the Academy as the person with responsibility for ensuring that pupils’ personal information is held, secured and processed in the correct way.
Personal information is any information that relates to your child that can be used directly or indirectly to identify your child.
This includes information such as their name, date of birth and address as well as information relating to their exam results, medical details and behaviour records. This may also include sensitive personal information such as their religion or ethnic group, photos and video recordings.
Personal information and processing are defined as follows:
- Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).
Data protection principles
We process personal data about pupils in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent way.
- We collect personal data only for specified, explicit and legitimate purposes.
- We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
There are several reasons why we hold, process and share pupils’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
- For the performance of a contract.
- To comply with a legal obligation.
- To protect the vital interests of the pupil or another person.
- For a task carried out in the public interest.
- For a legitimate interest of the school or one of the organisations it shares data with (eg legal adviser) except where those rights are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, particularly in the case of a child.
Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.
We may ask for your consent to use your child’s information in certain ways. If we ask for your consent to use your child’s personal data, you can take back this consent at any time. Any use of your child’s information before you withdraw your consent remains valid.
On some occasions, the school will process pupils’ personal data for the performance of a contract.
This is where we need to use pupils’ personal data to comply with a legal obligation.
Statutory reporting requirements to the Department for Education (DFE) are included within this section. As is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.
This legal basis can be used where, for example, we need to disclose information about pupils to prevent them or someone else from being seriously harmed or killed. An example can include providing information to a medical professional about a pupil in circumstances where they are unable to provide the information themselves or you are unable to. It may cover an emergency situation.
We consider that we are acting in the public interest when providing education.
Specifically, we have a public interest in:
- Providing an education.
- Fulfilling our safeguarding obligations and investigating complaints that may be directly connected with you or may require access to your personal data when investigating complaints by others.
- Promoting the interests of the school.
- Managing the school efficiently.
We have many legitimate interests for which we hold, retain, process and share pupils’ personal data. This ground is therefore used for a large number of reasons. The GDPR states that the exception to using this ground is where it is detrimental to a pupil’s rights.
We use pupils’ personal data to:
- Support pupil learning.
- Monitor and report on pupil progress.
- Provide appropriate pastoral care.
- Assess the quality of our services.
- Comply with the law regarding data sharing.
We obtain personal data in a variety of ways. Some of the information comes from the admissions forms and acceptance forms which you supply to us. This can contain information about you as well as your child and the same principles contained in this notice apply regarding your personal data. We also receive information about pupils from other schools and agencies, such as healthcare professionals. Data is also obtained from your child, their teachers and other pupils.
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the DFE on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
Pupils’ data, where it is reasonable to do so, may also be shared with other professionals contracted by the school such as legal and professional advisers or insurers. In addition, a data security contract with a third-party IT services provider or as part of cloud-based storage may also process your personal data for the purpose of securely holding and protecting your data.
The NPD is owned and managed by the DFE. It contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DFE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities (LAs) and awarding bodies.
We are required by law to provide information about our pupils to the DFE as part of statutory data collections, such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The DFE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- Conducting research or analysis.
- Producing statistics.
- Providing information, advice or guidance.
The DFE has robust processes in place to ensure the confidentiality of our data is maintained. There are stringent controls in place regarding access to and use of the data. Decisions on whether the DFE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- Who is requesting the data.
- The purpose for which it is required.
- The level and sensitivity of the requested data.
- The arrangements in place to store and handle the data.
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the DFE’s data sharing process, please visit: www.gov.uk/data-protection-how-we-collect-and-share-research-data.
For information about which organisations the DFE has provided pupil information to (and for which project), please visit: www.gov.uk/government/publications/national-pupil-database-requests-received.
Once our pupils reach the age of 13, we also pass pupil information to our LA and/or provider of youth support services, because they have responsibilities in relation to the education or training of 13–19 year olds under section 507B of the Education Act 1996.
This enables them to provide services such as:
- Youth support.
- Careers advice.
- Post-16 education and training providers.
A parent, carer or guardian can request that only their child’s name, address and date of birth is passed to their LA or provider of youth support services by informing us. This right is transferred to the child/pupil once he/she reaches the age of 16.
Here are some further examples of why we collect, hold and share pupils’ personal data. If you would like more information about any of these, please contact our Data Protection Officer.
- We may need to share information about your child’s health and wellbeing with those who have responsibility for pupil welfare.
- We need to tell all appropriate members of staff if your child has specific medical needs.
- We need to tell all appropriate members of staff if your child might need extra help with some tasks.
- We may need to provide information containing your child’s personal data to other schools and colleges. We may need to pass on information which they need to look after your child. For example, how well your child has behaved at other schools and their test results.
- We may need to share data with external examination boards.
- Where we have the right to do so, we may share your child’s academic and behaviour records with you or their guardian.
- We will only share your child’s information with other people and organisations when we have a legitimate reason to do so.
- We are required to share information about our pupils with the DFE under the Education (Information About Individual Pupils) (England) Regulations 2013.
- Sometimes we need to share information with the police or our legal advisers to help with an inquiry. For example, safeguarding issues or injuries.
- We might need to share pupils’ information with consultants, experts and other advisers who assist us in the running of the school, if this is relevant to their work.
- On occasions external consultants/contractors may have temporary access to personal data held by the school. For example, IT consultants might be granted temporary access to pupils’ personal data in order to fulfil their contract(s). Access will only be granted to consultants who have demonstrated compliance with the school’s data protection standards.
- The school uses various IT systems. This may include using cloud-based storage systems to hold pupil data. Before use, the school ensures that adequate security measures are in place.
- We may need to share some information with our insurance provider to ensure we maintain cover or to process any claims.
- We may need information about any court proceedings or judgements concerning your child. This is so that we can safeguard your child’s welfare and the welfare of other pupils at the school.
- We may monitor your child’s use of the school’s email, internet and other electronic devices provided by the school eg iPads. We monitor in order to ensure appropriate use of these technologies and to confirm your child is not putting themselves at risk of harm.
- We have CCTV in operation to make sure the school sites are safe. CCTV is not used in private areas such as changing rooms.
- We may use photographs or videos of your child on our website, social media sites, newsletters and publications as part of our advertising of the school.
- We publish our exam results and other news on the website. We also send articles, photographs and videos to local and national news outlets to celebrate the school’s successes.
- Sometimes we use photographs and videos to support curriculum activities, for example, to provide feedback on a presentation your child has given.
We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling)
We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.
Some of the reasons we process such data on pupils include:
- Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
- Medical purposes. This includes medical treatment and the management of healthcare service.
- For compiling census data as required by law.
We take the security of pupils’ personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices, uses passwords, virus protection and has appropriate firewalls.
With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.
Our servers and cloud based storage systems are based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your pupils’ personal data.
We keep pupils’ personal data for the time they are at our school. We will also keep certain information after pupils have left the school. A copy of our Retention Schedule is available from the school website.
What rights do you have in relation to your child’s information?
When the GDPR came into force on the 25 May 2018, you have the following rights in relation to your child’s personal data. Some of these rights are new.
- The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
- The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
- The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
- The right to object. Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
- Direct marketing.
- Processing for scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling.
There are specific rights in relation to a child’s personal data. Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
If you have a concern about the way we are collecting or using your child’s personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Office (firstname.lastname@example.org). r. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s access request process.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.