PRIVACY NOTICE 2018 (Pupils & parents)
On 25 May 2018 the European General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998.
How we use pupil and parent information
Under General Data Protection Regulations (GDPR) we are obliged to inform you of the information we hold on you and your child(ren), what we use it for, who we share it with, and for how long we keep it. This privacy notice (also known as a fair processing notice) aims to provide you with this information. If it, or any information linked to it is unclear, please contact the school office, or the school’s Data Protection Officer. Contact details for both are available at the end of this privacy notice.
We, St Peter’s Eaton Sq CofE School, at Lower Belgrave Street, SW1W 0NL, are the Data Controller for the purposes of data protection law.
As a public body we have appointed a Data Protection Officer (DPO); Robert.Bullett@london.anglican.org
1. The categories of pupil & parent information that we collect, hold and share include but are not limited to:
- Personal information (such as name, unique pupil number and address, parents national insurance number).
- Contact details and preference (contact telephone numbers, email addresses, addresses)
- Characteristics (such as ethnicity, religion, language, nationality, country of birth and free school meal eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment information (such as data scores, tracking, and internal and external testing)
- Relevant medical information (such as NHS information, health checks, physical and mental health care, immunisation program and allergies)
- Special educational needs information (such as EHCP’s, applications for support, care or support plans)
- Safeguarding information
- Exclusion information
- Behavioural information
- Photographs (for internal safeguarding & security purposes, school newsletters, media and promotional purposes).
- CCTV images
- Payment details
We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.
2. Why we collect and use this information
We use the pupil and parent data:
- to support pupil learning
- to monitor and report on pupil progress
- to provide appropriate pastoral and medical care
- for safeguarding and pupil welfare purposes
- administer admissions waiting lists
- for research purposes
- to inform you about events and other things happening in the school
- to assess the quality of our services
- to comply with the law regarding data sharing
3. The lawful basis on which we use this information
Our lawful basis for collecting and processing pupil information information is defined under Article 6, and the following sub-paragraphs in the GDPR apply:
(a) Data subject gives consent for one or more specific purposes.
(c) Processing is necessary to comply with the legal obligations of the controller.
(d) Processing is necessary to protect the vital interests of the data subject.
(e) Processing is necessary for tasks in the public interest or exercise of authority vested in the controller(the provision of education).
Our lawful basis for collecting and processing pupil information information is also further defined under Article 9, in that some of the information we process is demed to be sensitive, or special, information and the following sub-paragraphs in the GDPR apply:
(a) The data subject has given explicit consent.
(b) It is necessary to fulfill the obligations of controller or of data subject.
(c) It is necessary to protect the vital interests of the data subject.
(d) Processing is carried out by a foundation or not-for-profit organisation (includes religious, political or philosophical organisations and trade unions)
(g) Reasons of public interest in the area of public health
(i) It is in the public interest
A full breakdown of the information we collect on pupils can be requested from the school office.
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds which justify our use of this data.
An example of how we use the information you provide is:
The submission of the school census returns, including a set of named pupil records, is a statutory requirement on schools under Section 537A of the Education Act 1996.
Putting the school census on a statutory basis:
• means that schools do not need to obtain parental or pupil consent to the provision of information
• ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils
• helps to ensure that returns are completed by schools
4. Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
5. Storing pupil data
We hold pupil data whilst the child remains at St Peter’s Eaton Sq CofE School . The file will follow the pupil when he / she leaves St Peter’s Eaton Sq CofE School. However where there is a legal obligation to retain the information beyond that period, it will be retained in line with our retention policy.
We have data protection policies and procedures in place, including strong organisational and technical measures,which are regularly reviewed. Further information can be found on our website.
6. Who we share pupil information with
We routinely share pupil information with appropriate third parties, including:
- Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
- The Department for Education
- The pupil’s family and representatives
- Educators and examining bodies
- Suppliers and service providers – to enable them to provide the service we have contracted them for
- Financial organisations
- Central and local government
- Our auditors
- Survey and research organisations
- Health authorities
- Security organisations
- Health and social welfare organisations
- Professional advisers and consultants
- Charities and voluntary organisations
- Police forces, courts, tribunals
- Professional bodies
- schools that the pupil’s attend after leaving us
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
7. Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
8. Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
9. The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
10. Requesting access to your personal data and your Data Protection Rights
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold, through a Subject Access Request.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
If you make a subject access request, and if we do hold information about you or your child, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you or your child
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request please contact our data protection officer.
John Pearson-Hicks email@example.com
Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact firstname.lastname@example.org for attention of Miles Ridley, Head.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our data protection officer. [insert details here]
Alternatively, you can make a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. Contact us
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer: email@example.com or firstname.lastname@example.org
There is a printable version of this notice below.