GDPR
What is GDPR?
The European Commission (EC) has passed GDPR as a Regulation to strengthen and unify data protection laws for European Union (EU) and UK Citizens not just in the EU but working outside of the EU as well. GDPR also addresses the transfer of personal data outside the EU.
We currently hold a wealth of information for a variety of purposes. GDPR is about tightening up data security, who has access to that data and how it is used. We already have policies in place around the use and storage of data. We have an obligation to ensure that data is protected and this is an obligation we are duty bound to meet and take extremely seriously. Due to the sensitive nature of the data we hold, many elements required for GDPR are already in place. We are working to guidelines and will make any changes necessary to comply with the legislation in our system, policies and staff training.
Data Protection and the GDPR – January 2021
As the UK transitional arrangements expired on 31 December 2020, there are some practical changes for Data Protection and the GDPR. To comply with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 please note that every policy, notice and procedural guide that refers to ‘GDPR’ shall now be read as ‘UK GDPR’. The rights, responsibilities and data protection that the Data Protection Act 2018 and the GDPR are not changed. Our procedures and arrangements will not change.
If you have any queries please contact our Head Teacher via email, info@drighlingtonprimary.org.uk or telephone 0113 2853000.
Privacy Notice - Pupil Information
Privacy Notice (How we use pupil information)
Why do we collect and use pupil information?
We collect and use pupil information under the Data Protection Act 1998 (DPA) and “Article 6” and “Article 9“ of the General Data Protection Regulation (GDPR). Article 6 (GDPR) condition: Processing is necessary for compliance with a legal obligation to which the data controller is subject. Article 9 (GDPR) condition: For substantial public interest on legal basis.
We use the pupil data:
- to support pupil learning
- to monitor and report on pupil progress
- to provide appropriate pastoral care
- to assess the quality of our services
- to comply with the law regarding data sharing
We may also receive information from their previous school or college, local authority, the Department for Education (DfE) and the Learning Records Service (LRS).
Note: Schools and local authorities have a (legal) duty under the DPA and the GDPR to ensure that any personal data they process is handled and stored securely.
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Storing pupil data
We hold pupil data for no longer than is necessary. Full details of data retention lists can be found in the Records Management Society’s (RMS) Retention Guidelines for schools.
Who do we share pupil information with?
We routinely share pupil information with:
- schools that the pupil’s attend after leaving us
- our local authority
- the Department for Education (DfE)
- NHS (for inoculations, etc)
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Data collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the pupil information we share with the department, for the purpose of data collections, go tohttps://www.gov.uk/education/data-collection-and-censuses-for-schools.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data (Subject Access Request)
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact us using the form below and send to:
The Head Teacher, Drighlington Primary School, Moorland Road, Drighlington, Bradford, BD11 1JY.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Privacy Notice – Job Applicants
When applying for a position in school, as an organisation we are the Data Controller. That means we have a statutory responsibility to explain how we collect, manage, use and store information about applicants.
You have a right to be informed about how our trust uses any personal data that we collect about you. This privacy notice, and our Data Protection Policy, explains our data usage when you apply for a job with us.
What information do we collect?
Personal data that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:
Name, address and contact details, including email address and telephone number
Copies of right to work documentation
References
Evidence of qualifications
information about your current role, level of remuneration, including benefit entitlements
Employment records, including work history, job titles, training records and professional memberships
We may also request and collect, use, store and share (when appropriate) information about you that falls into "special categories" of more sensitive personal data. This includes, but is not restricted to:
Information about race, ethnicity, religious beliefs, sexual orientation and political opinions
Whether or not you have a disability for which the school needs to make reasonable adjustments during the recruitment process
Photographs and CCTV images captured in school
We may also collect, use, store and share (when appropriate) information about criminal convictions and offences.
We may also hold data about you that we have received from other organisations, including other schools and social services, and the Disclosure and Barring Service in respect of criminal offence data.
We may choose to conduct an online search as part of the application process.
Every school has statutory obligations that are set out in ‘Keeping Children Safe in Education’ and other guidance and regulations.
Why we use this data?
The school needs to process data to take steps at your request prior to entering into a contract with you. It may also need to process your data to enter into a contract with you.
The school needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.
The school has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the school to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The school may also need to process data from job applicants to respond to and defend against legal claims.
The school may process information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.
Where the school processes other special categories of data, such as information about ethnic origin, sexual orientation, disability or religion or belief, this is for equal opportunities monitoring purposes.
For some roles, the school is obliged to seek information about criminal convictions and offences. Where the school seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.
The school will not use your data for any purpose other than the recruitment exercise for which you have applied.
How do we use the data?
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, shortlisting and interview panel members involved in the recruitment process (this may include external panel members), and IT staff if access to the data is necessary for the performance of their roles.
The school will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. As well as circulating your application and related materials to the appropriate staff at the school, we will share your personal information for the above purposes as relevant and necessary with:
- your referees.
- Disclosure & Barring Service (DBS) in order to administer relevant recruitment checks and procedures.
- UK Visas & Immigration (UKVI) in order to administer relevant recruitment checks and procedures.
- Where relevant and as required for some posts, the Teacher Regulation Authority checks
Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent, and explain how you would go about withdrawing consent if you wish to do so.
Automated Decision Making and Profiling
We do not currently process any personal data through automated decision making or profiling. If this changes in the future, we will amend any relevant privacy notices in order to explain the processing to you, including your right to object to it.
Collecting this data
As a school, we have a legal obligation to safeguard and protect our pupils and also staff, volunteers and visitors to our setting. We collect the data for specific purposes.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the school during the recruitment process. However, if you do not provide the information, the school may not be able to process your application properly or at all.
Whenever we seek to collect information from you, we make it clear whether you must provide this information for us to process your application (and if so, what the possible consequences are of not complying), or whether you have a choice.
Most of the data we hold about you will come from you, but we may also hold data about you from:
Local authorities
Government departments or agencies
Police forces, courts, tribunals
How we store this data
The school takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
We will dispose of your personal data securely when we no longer need it.
We keep applicant data for a period of up to 6 months if an applicant is not successful.
Successful applicants who secure a position then come within the employee/school workforce provisions.
Transferring data internationally
We do not share personal information internationally.
Your rights
You have a right to access and obtain a copy of your data on request;
You can:
- require the school to change incorrect or incomplete data;
- require the school to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the school is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, please contact the school office. If you believe that the school has not complied with your data protection rights, you can complain to the Information Commissioner.
Privacy Notice for School Trips and Off-site visits
Why we share pupil information
In this privacy notice, we have summarised some of the key ways in which we use your personal information for School Trips and Off-site visits. This information should be read in conjunction with our School’s general Privacy Notice.
The categories of pupil information that we collect, hold and share can include:
- Personal information (such as name, date of birth and address)
- Special Category (such as health and religion)
- Additional Learning Needs and Disability information (such as Special Needs)
- Financial information relating to the payments for a trip/visit
Why we collect and use pupil information
- To ensure the safe running of all school trips and off site visits which include swimming lessons, extra curricular activities, overnight stays and overseas trips.
- To comply with all risk assessment processes and the Health and Safety Executive (HSE) regulations.
- To comply with audit regulations regarding fees and payments.
The categories of parent/carer, staff and volunteer information that we collect, hold and
share can include:
- Personal information (such as name and address)
- Contact details (including telephone numbers, place of work and email addresses)
- Financial information relating to the payments for a trip/visit
Why we collect and use parent/carer, staff and volunteer information
We use the data:
- To be able to contact you in relation to a pupil’s visit/trip and also in the case of urgency or
safeguarding.
- To comply with audit regulations regarding fees and payments.
Collecting pupil information – who we get our data from
Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a
voluntary basis with your consent. In order to comply with the General Data Protection Regulation (GDPR), we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this when the data is collected.
In the case of School Trips and Off-site visits we will get our data from:
- Parents/carers
- School staff
- Volunteers on the trip
- 3rd parties such as swimming instructors, trip venue staff etc.
Who we share information with
We may share information with:
- Travel companies
- Trip/visit venue staff e.g Leisure Centres
- EVOLVE – 3rd party processor, to record, process and store data
For Privacy Notice information relating to the organisations above, please visit the data protection pages of their websites.
The lawful basis on which we use this information
UK Data Protection legislation is set out in the Data Protection Act 2018 and the GDPR.
This legislation states that we are allowed to use and share personal information, only where we have a proper and lawful reason for doing so.
Our lawful bases for processing personal information for the Pupil Data Record are:
- Public Task - Processing is necessary for the school to undertake its statutory responsibilities as a public body and is exercising official authority which is laid down by law – Education Act 1996,
- Health and Safety at Work Act 1974
Storage and disposal of personal data
We hold and dispose of personal data in line with the guidance set out in the Retention Schedule contained within the IRMS Toolkit for Schools. Following the expiry of the retention period, information will be destroyed securely and permanently.
Requesting access to your personal data and your rights
The General Data Protection Regulation (GDPR) gives you important rights. To find out more about accessing personal data and the other rights, please visit our school’s general data protection privacy notice.
Breach Management
GDPR Breach Response
Should we identify a breach in our processes we will follow the ICO guidance, referring to he flowchart below, and work closely with our Data Protection Officer to ensure that our response is complaint.
https://ico.org.uk/for-organisations/accountability-framework/breach-response-and-monitoring/
Complaints
We take any complaints about our collection and use of personal information seriously.
Our complaints policy deals with the different stages of any complaint, and how this is managed within school. You can also contact our Data Protection Officer or contact the Information Commissioner’s Office:
Report a concern online at https://ico.org.uk/make-a-complaint/
Call 0303 123 1113
Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact us
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:
Our Data Protection Officer is:
John Walker of J.A.Walker, Solicitor – info@jawalker.co.uk
However, our data protection lead, the Head Teacher, has day-to-day responsibility for data protection issues in our school. If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact the Head Teacher via email on info@drighlingtonprimary.org.uk
Useful Links
Information Commissioners Office
Privacy Notice for School Workforce