Introduction
The General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018 (DPA) sets out the law relating to data protection, and this privacy notice and the way we handle your personal data is all carried out in accordance with that law.
Under the GDPR and DPA anyone who holds and controls the way in which data is used is known as a data controller. We, Bailiffe Bridge Junior & Infant School, are a ‘data controller’ for the purposes of the data protection law.
This privacy notice relates to the pupil and parent information that we collect and process when a child attends our school.
This privacy notice sets out the following information:
The personal data we collect
Why we use this data
Special Category Data
Our legal basis for using this data
Collecting this personal data
How we store this data
Data Sharing - Who we share any personal data with, and why
Transferring data internationally
Parents and Pupils’ rights regarding personal data
Other Rights
Complaints
Contact us
How Government uses your data
Personal data that we may collect, use, store, and share (when appropriate) about pupils includes, but is not restricted to:
We may also hold data about pupils that we have received from other organisations, including other schools, local authorities, and the Department for Education.
Why we use this data
We use this data to:
The personal information is initially used to create the pupil record then information will be taken from that record to create attendance records, class lists, reading groups and other educational records. The personal information is used to track attainment and performance and put any support in place for your child throughout their time in our school.
Some personal information may be input into communication-based apps to allow school to communicate with you about important matters relating to your child and school events, consent will be sought for this separately.
Some information, mainly your child’s name and class/age, may be used in software/applications which your children will use as resources to facilitate their learning. A Data Protection Impact Assessment (DPIA) or other compliance review measures will be conducted, where necessary, before the school uses any new software or applications and your child will be supervised in line with ICT acceptable use policy whilst using the software/application. Where necessary, we will obtain your consent before using software.
Special Category Data
The school collects and processes some personal information that is classed as special category data under the DPA and GDPR. Special category data is personal data that is classed as more sensitive than other personal information and therefore requires greater protection.
The special category data which we may process includes race, ethnic origin, religion and health information.
To lawfully process special category data, we must have a lawful basis under Article 6 GDPR and a separate condition for processing the data under Article 9 GDPR.
Under Article 6 GDPR, the lawful basis for processing health information is that there is a legal obligation on the school to hold, process, and, in some instances, share this information to safeguard your child. Article 9(2)(b) is the separate condition for processing the health and medical information of your child for safeguarding purposes.
We may ask you for information about your child’s race, ethnic origin, and religion, but in most instances, this is optional, and therefore, by providing this information, you are giving your consent for the information being processed by the school. Usually, the only use for this information is to provide this to the Department for Education on the annual census to understand the demographic of children within the academy/school/local authority area. Further information about personal data that is shared with the DfE and how they use it is set out at the end of this privacy notice.
The legal basis for processing your child’s race or religion is consent, and the separate condition for processing under Article 9(2)(a) is consent.
Extra care will be taken when collecting, processing, or sharing special category data and unless there is a legal reason preventing it, you will be informed before we share the data with any external organisations.
Back to the top
We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:
Less commonly, we may also process pupils’ personal data in situations where:
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent and explain how consent can be withdrawn.
Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds that justify our use of this data.
This legal basis for collecting and using personal data is set out in Article 6 and Article 9 of the GDPR.
Back to the top
We collect pupil information via the admissions form we ask you to complete before your child starts with us at school or on a Common Transfer File (CTF) from your child’s previous school. We may collect some of the information via other written methods and, if applicable, will communicate this with you at the time of collection.
Pupil data is essential for us to provide educational services and for operational use. Whilst most of the pupil information you provide to us is mandatory, some of it requested on a voluntary basis. To comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.
[We do not use cookies (data files that can track users) on our website].[We use cookies on our website that track user technical information and preferences – please see further details on our website].
We keep personal information about pupils while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary to comply with our legal obligations. The schedule set out in the Information and Records Management Society’s toolkit for schools sets out how long we keep information about pupils, what we retain and what we dispose of and when. We also have our Records Management and Retention Policy which sets out more information about how long we keep personal information, how we store your information whilst we are processing it and how we dispose of the information when we no longer need it.
We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.
Where it is legally required or necessary (and it complies with data protection law), we may share personal information about pupils with:
Back to the top
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that the organization outside the EEA is compliant with the GDPR. We do not currently transfer personal data to a country outside the EEA and don’t propose to in the future but will liaise directly with any individuals who may move to a country outside the EEA.
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 13), or where the child has provided consent.
Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
If you make a subject access request, and if we do hold information about you or your child, we will:
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request please contact our Data Protection Officer (see details below in the ‘Contact us’ section).
Maintained Schools - Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact the school office.
Other rights
Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:
Your right to rectification – you may have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information that you think is incomplete.
Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances. We will only be able to do this in circumstances when the law and/or our policies allow.
Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances. For example:
Your right to data portability – you have the right to ask that we transfer the personal information we hold about you to another educational provider. This will only be done once we have official confirmation of a transfer and will be done directly to the school or academy via the Common Transfer Form.
To exercise any of these rights, please contact our Data Protection Officer.
Back to the top
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our Data Protection Officer – see ‘contact us’ section.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Data Protection Officer:
Debbie Pettiford from The DP Advice Service Ltd
info@thedpadviceservice.co.uk.
The pupil data that we lawfully share with the DfE through data collections:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
Sharing by the Department for Education
The law allows the Department to share pupils’ personal data with certain third parties, including:
For more information about the DfE’s NPD data sharing process, please visit:
https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.
For information about which organisations the DfE has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
How to find out what personal information the DfE holds about you
Under the terms of the Data Protection Act 2018, you are entitled to ask the DfE:
If you want to see the personal data held about you by the DfE, you should make a ‘subject access request’. Further information on how to do this can be found within the DfE’s personal information charter that is published at the address below:
To contact DfE: https://www.gov.uk/contact-dfe
This notice is based on the Department for Education’s model privacy notice for pupils, amended for parents and to reflect the way we use data in this school.
Introduction
The General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018 (DPA) sets out the law relating to data protection, and this privacy notice and the way we handle your personal data is all carried out in accordance with that law.
Under the GDPR and DPA anyone who holds and controls the way in which data is used is known as a data controller. We, Bailiffe Bridge Junior & Infant School, are a ‘data controller’ for the purposes of the data protection law.
This privacy notice relates to the pupil and parent information that we collect and process when a child attends our school.
This privacy notice sets out the following information:
The personal data we collect
Why we use this data
Special Category Data
Our legal basis for using this data
Collecting this personal data
How we store this data
Data Sharing - Who we share any personal data with, and why
Transferring data internationally
Parents and Pupils’ rights regarding personal data
Other Rights
Complaints
Contact us
How Government uses your data
Personal data that we may collect, use, store, and share (when appropriate) about pupils includes, but is not restricted to:
We may also hold data about pupils that we have received from other organisations, including other schools, local authorities, and the Department for Education.
Why we use this data
We use this data to:
The personal information is initially used to create the pupil record then information will be taken from that record to create attendance records, class lists, reading groups and other educational records. The personal information is used to track attainment and performance and put any support in place for your child throughout their time in our school.
Some personal information may be input into communication-based apps to allow school to communicate with you about important matters relating to your child and school events, consent will be sought for this separately.
Some information, mainly your child’s name and class/age, may be used in software/applications which your children will use as resources to facilitate their learning. A Data Protection Impact Assessment (DPIA) or other compliance review measures will be conducted, where necessary, before the school uses any new software or applications and your child will be supervised in line with ICT acceptable use policy whilst using the software/application. Where necessary, we will obtain your consent before using software.
Special Category Data
The school collects and processes some personal information that is classed as special category data under the DPA and GDPR. Special category data is personal data that is classed as more sensitive than other personal information and therefore requires greater protection.
The special category data which we may process includes race, ethnic origin, religion and health information.
To lawfully process special category data, we must have a lawful basis under Article 6 GDPR and a separate condition for processing the data under Article 9 GDPR.
Under Article 6 GDPR, the lawful basis for processing health information is that there is a legal obligation on the school to hold, process, and, in some instances, share this information to safeguard your child. Article 9(2)(b) is the separate condition for processing the health and medical information of your child for safeguarding purposes.
We may ask you for information about your child’s race, ethnic origin, and religion, but in most instances, this is optional, and therefore, by providing this information, you are giving your consent for the information being processed by the school. Usually, the only use for this information is to provide this to the Department for Education on the annual census to understand the demographic of children within the academy/school/local authority area. Further information about personal data that is shared with the DfE and how they use it is set out at the end of this privacy notice.
The legal basis for processing your child’s race or religion is consent, and the separate condition for processing under Article 9(2)(a) is consent.
Extra care will be taken when collecting, processing, or sharing special category data and unless there is a legal reason preventing it, you will be informed before we share the data with any external organisations.
Back to the top
We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:
Less commonly, we may also process pupils’ personal data in situations where:
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent and explain how consent can be withdrawn.
Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds that justify our use of this data.
This legal basis for collecting and using personal data is set out in Article 6 and Article 9 of the GDPR.
Back to the top
We collect pupil information via the admissions form we ask you to complete before your child starts with us at school or on a Common Transfer File (CTF) from your child’s previous school. We may collect some of the information via other written methods and, if applicable, will communicate this with you at the time of collection.
Pupil data is essential for us to provide educational services and for operational use. Whilst most of the pupil information you provide to us is mandatory, some of it requested on a voluntary basis. To comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.
[We do not use cookies (data files that can track users) on our website].[We use cookies on our website that track user technical information and preferences – please see further details on our website].
We keep personal information about pupils while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary to comply with our legal obligations. The schedule set out in the Information and Records Management Society’s toolkit for schools sets out how long we keep information about pupils, what we retain and what we dispose of and when. We also have our Records Management and Retention Policy which sets out more information about how long we keep personal information, how we store your information whilst we are processing it and how we dispose of the information when we no longer need it.
We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.
Where it is legally required or necessary (and it complies with data protection law), we may share personal information about pupils with:
Back to the top
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that the organization outside the EEA is compliant with the GDPR. We do not currently transfer personal data to a country outside the EEA and don’t propose to in the future but will liaise directly with any individuals who may move to a country outside the EEA.
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 13), or where the child has provided consent.
Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
If you make a subject access request, and if we do hold information about you or your child, we will:
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request please contact our Data Protection Officer (see details below in the ‘Contact us’ section).
Maintained Schools - Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact the school office.
Other rights
Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:
Your right to rectification – you may have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information that you think is incomplete.
Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances. We will only be able to do this in circumstances when the law and/or our policies allow.
Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances. For example:
Your right to data portability – you have the right to ask that we transfer the personal information we hold about you to another educational provider. This will only be done once we have official confirmation of a transfer and will be done directly to the school or academy via the Common Transfer Form.
To exercise any of these rights, please contact our Data Protection Officer.
Back to the top
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our Data Protection Officer – see ‘contact us’ section.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Data Protection Officer:
Debbie Pettiford from The DP Advice Service Ltd
info@thedpadviceservice.co.uk.
The pupil data that we lawfully share with the DfE through data collections:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
Sharing by the Department for Education
The law allows the Department to share pupils’ personal data with certain third parties, including:
For more information about the DfE’s NPD data sharing process, please visit:
https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.
For information about which organisations the DfE has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
How to find out what personal information the DfE holds about you
Under the terms of the Data Protection Act 2018, you are entitled to ask the DfE:
If you want to see the personal data held about you by the DfE, you should make a ‘subject access request’. Further information on how to do this can be found within the DfE’s personal information charter that is published at the address below:
To contact DfE: https://www.gov.uk/contact-dfe
This notice is based on the Department for Education’s model privacy notice for pupils, amended for parents and to reflect the way we use data in this school.