East Wichel Privacy Notice (How We Use Pupil Information)
This Privacy Notice explains how and why we store personal information about pupils and parents/carers. It provides a guide to parents/carers about our legal obligations and their own rights. Like any organisation which handles personal data, our school is defined as a ‘Data Controller’ and, as such, we are registered with the ICO (Information Commissioner’s Office) and we comply with the Data Protection Act. and UK General Data Protection Regulation.
The Categories of Pupil Information That We Process Include:
This list is not exhaustive, to access the current list of categories of information we process please contact the school.
Why We Collect and Use Pupil Information
The personal data collected is essential, for the school to fulfil their official functions and meet legal requirements.
We collect and use pupil information, for the following purposes:
- To support pupil learning
- To keep informed to keep children safe
- To monitor and report on pupil progress
- Safeguarding pupils' welfare and providing appropriate pastoral (and where necessary medical) care
- Informing decisions such as the funding of schools
- Assessing performance and to set targets for schools
- Giving and receive information and references about past, current and prospective pupils, and to provide references to potential employers of past pupils
- Managing internal policy and procedure
- Enabling pupils to take part in assessments, to publish the results of examinations and to record pupil achievements
- To carry out statistical analysis for diversity purposes
- Legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with legal obligations and duties of care
- Enabling relevant authorities to monitor the school's performance and to intervene or assist with incidents as appropriate
- Monitoring use of the school's IT and communications systems in accordance with the school's IT security policy
- Making use of photographic images of pupils in school publications, on the school website and on social media channels
- Security purposes, including CCTV
- To comply with the law regarding data sharing
- To meet the statutory duties placed upon us for DfE data collections
- Sharing names on school communication systems.
We use the parents’ data:
- To assess the quality of our services
- To comply with the law regarding data sharing
- To ensure financial stability
- Sharing names on school communication systems.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing pupil information are:
The lawful bases for processing personal data are set out in Article 6 of the UK General Data Protection Regulation. The school processed such data because we have:
(6a) Consent: parents have given clear consent for us to process their (and their child’s) personal data for the purposes indicated above.
(6c) A Legal obligation: the processing is necessary for us to comply with the law (e.g. we are required by law to submit certain teacher assessment information and to safeguard pupils’ welfare by sharing information with other agencies).
(6d) A duty to safeguard pupils: the processing is necessary in order to protect the vital interests of the data subject (children); (e.g. if we are required to share medical history information with emergency services in the event of an accident or to other agencies when a child may be in danger).
(6e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law (e.g. processing attendance information or academic attainment and progress records).
Special Categories of data are set out in Article 9 of the UK General Data Protection Regulation. The school processes under the following articles:
(9.2a) explicit consent. In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing. Examples of our processing include use of pupil photographs for external purposes, pupil dietary requirements, and health information we receive from our pupils who require a reasonable adjustment to access our services.
(9.2b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
(9.2c) where processing is necessary to protect the vital interests of the data subject or of another natural person. An example of our processing would be using health information about a pupil in a medical emergency.
(9.2f) for the establishment, exercise or defence of legal claims. Examples of our processing include processing relating to any employment tribunal or other litigation.
(9.2g) reasons of substantial public interest. As a school, we are a publicly funded body and provide a safeguarding role to young and vulnerable people. Our processing of personal data in this context is for the purposes of substantial public interest and is necessary for the carrying out of our role. Examples of our processing include the information we seek or receive as part of investigating an allegation.
(9.2j) for archiving purposes in the public interest. The relevant purpose we rely on is Schedule 1 Part 1 paragraph 4 – archiving. An example of our processing is the transfers we make to the County Archives as set out in our Records Management Policy.
We process criminal offence data under Article 10 of the UK GDPR.
Our Data Protection Policy highlights the conditions for processing in Schedule 1 of the Data Protection Act 2018 that we process Special Category and Criminal Offence data under.
How We Collect Pupil Information
We collect pupil information via registration forms at the start of the school year or Common Transfer File (CTF) or secure file transfer from the previous setting.
Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this.
How We Store Pupil Data
We hold pupil data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please contact the school administrator.
All confidential information is kept secure either on encrypted, password protected devices or paper copies kept on the school site. Once the deadline for retaining information has passed, data kept electronically is deleted and paper copies are destroyed in conjunction with the retention schedule.
Who We Share Pupil Information With
We routinely share pupil information with:
- Schools that the pupil attends after leaving us
- Our local authority
- The Department for Education (DfE)
- Children’s Social Care (when safeguarding pupils’ welfare)
- External professionals who visit school (such as Educational Psychologists)
- Law enforcement officials such as the Police
- The NHS
- Suppliers and service providers with whom we have a contract
- Voluntary organisations linked to the school
Information will be provided to those agencies securely or anonymised where possible.
The recipient of the information will be bound by confidentiality obligations - we require them to respect the security of your data and to treat it in accordance with relevant legislation.
Why We Regularly Share Pupil Information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
Department for Education
The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our pupils with the Department for Education (DfE) either directly or via our local authority for the purpose of those data collections, under:
Section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.
For more information, please see ‘How Government uses your data’ section.
We may be required to share information about our pupils with the local authority to ensure that they can conduct their statutory duties under
- the Schools Admission Code, including conducting Fair Access Panels.
Requesting Access to Your Personal Data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact the school administration team firstname.lastname@example.org or our Data Protection Office GDPR@SchoolPro.uk.
Depending on the lawful basis above, you may also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to seek redress, either through the ICO, or through the courts
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
For further information on how to request access to personal information held centrally by DfE, please see the ‘How Government uses your data’ section of this notice.
Withdrawal of Consent and the Right to Lodge a Complaint
Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the school administration team email@example.com.
How Government Uses Your Data
The pupil data that we lawfully share with the DfE through data collections:
- underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
- informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
- supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)
Data Collection Requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
Sharing by the Department
The law allows the Department to share pupils’ personal data with certain third parties, including:
- local authorities
- organisations connected with promoting the education or wellbeing of children in England
- other government departments and agencies
- organisations fighting or identifying crime
For more information about the Department’s NPD data sharing process, please visit:
Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.
For information about which organisations the Department has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
How to Find Out What Personal Information DfE Hold About You
Under the terms of the Data Protection Act 2018, you are entitled to ask the Department:
- if they are processing your personal data
- for a description of the data they hold about you
- the reasons they’re holding it and any recipient it may be disclosed to
- for a copy of your personal data and any details of its source
If you want to see the personal data held about you by the Department, you should make a ‘subject access request’. Further information on how to do this can be found within the Department’s personal information charter that is published at the address below:
To contact DfE: https://www.gov.uk/contact-dfe