Data Protection
A GUIDE TO HOW WE PROCESS INFORMATION ABOUT YOUR CHILD
Schools hold information on their pupils and from time to time, by law, they have to share some of the information with various government departments.
Pupil and Parent Privacy Notice October 2022
What this privacy notice is for
This notice is intended to provide information about how the academy will use, or ‘process’, personal data about individuals including: its current, past and prospective pupils and their parents, carers, guardians or wider family members (for instance siblings or other extended family members who may be named as emergency contacts) - referred to in this notice as ‘parents’.
Personal information is information that identifies you as an individual and relates to you. This makes the academy a data controller of your personal information, and this Privacy Notice sets out how we will use that information and what your rights are. Parents are encouraged to read this Privacy Notice and understand the academy’s obligations.
This Privacy Notice applies alongside any other information the academy may provide about a particular use of personal data, for example when collecting data via an online form, or images captured on closed circuit television (CCTV).
This Privacy Notice applies in addition to the academy’s other relevant policies, including REAch2’s policy on information and records retention, safeguarding, pastoral, or health and safety policies and IT policies.
Anyone who works for, or acts on behalf of, the academy, including staff, volunteers, governors and service providers, should also be aware of and comply with this Privacy Notice and the academy’s data protection policy for staff, which provides further information about how personal data on those individuals will be used.
Responsibility for Data Protection
Peter Noskiw has been appointed as Data Protection Officer for REAch2 Multi Academy Trust. He can be contacted at [email protected] Requests and enquiries concerning the academy’s uses of your personal data (see section on Your Rights below) should be directed to the academy in the first instance.
How the school collects your information
Generally, an academy receives personal data from the individual directly (including, in the case of pupils, from their parents). This may be via a form, through our website or simply in the ordinary course of interaction or communication, such as email.
In some cases, personal data will be supplied by third parties (for example another school, or other professionals or authorities working with that individual); or collected from publicly available resources.
The types of information we collect
We may collect the following types of personal data about you (and your family members and 'next of kin', where relevant):
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- gender, nationality and date of birth;
- past, present and prospective pupils' academic, disciplinary, admissions and attendance records (including information about any special needs), and examination scripts and marks;
- where appropriate, information about individuals' health and welfare, and contact details for their next of kin;
- references given or received by the academy about pupils, and relevant information provided by previous educational establishments and/or other professionals or organisations working with pupils;
- correspondence with and concerning pupils and parents past and present;
- images of pupils (and occasionally other individuals) engaging in school activities, and images captured by the academy’s CCTV system; and
- a pupil’s interests and extra-curricular activities (e.g. out of school sports activities).
Where it is necessary for pupil welfare, safeguarding or other statutory or regulatory requirements, we may also collect special categories of data, including:
- information revealing racial or ethnic origin;
- information concerning health and medical conditions (for example, where requested to administer medication, meet dietary needs, to make reasonable adjustments to working conditions or environment or as part of an Educational Health and Care Plan);
- information about certain criminal convictions, (formerly designated as special category personal data), for example, where a parent volunteer requires a check with the Disclosure and Barring Service (DBS).
However, this will only be undertaken where and to the extent it is necessary for a lawful purpose in connection with attending an academy or volunteering at an academy.
Why it is necessary for the school to collect Personal Data
In order to carry out its ordinary duties to pupils and parents, the academy needs to process a wide range of personal data about individuals, including current, past and prospective pupils or parents, as part of its daily operation.
The academy will need to carry out some of this activity in order to fulfil its legal rights, duties or obligations. Other uses of personal data will be made in accordance with the academy’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.
The academy expects that the following uses will fall within that category of its ‘legitimate interests’:
- For the purposes of pupil assessment and to confirm the identity of prospective pupils and their parents;
- To provide education services, including meeting special educational needs (SEN), providing musical education, physical training or spiritual development, career services, and extra-curricular activities to pupils, and monitoring pupils' progress and educational needs;
- Maintaining relationships with alumni and the community, including direct marketing or fundraising activity;
- To confirm the identity of prospective donors and their background and relevant interests;
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity analysis);
- To enable relevant authorities to monitor the school's performance and to intervene or assist with incidents as appropriate;
- To give and receive information and references about past, current and prospective pupils,
- To enable pupils to take part in national or other assessments, and
- To publish test results or other achievements of pupils at the academy
- To safeguard pupils' welfare and provide appropriate pastoral care;
- To monitor, as appropriate, use of the school's IT and communications systems in accordance with the academy’s IT acceptable use policy;
- To make use of photographic images of pupils in academy, and REAch2 publications, on the academy and REAch2’s website and on the academy and REAch2’s social media channels
- For security purposes, including CCTV in accordance with the REAch2 CCTV policy;
- To carry out or cooperate with any external complaints, disciplinary or investigation process; and
- Where otherwise reasonably necessary for the academy purposes, including to obtain appropriate professional advice and insurance for the academy.
In addition, the academy will, on occasion, need to process special category personal data (concerning health, ethnicity or religion) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons will include:
- To safeguard pupils' welfare and provide appropriate pastoral and medical care
- To take appropriate action in the event of an emergency, incident or accident, including the disclosure of an individual's medical condition or other relevant information where it is in the individual's interests to do so: for example, for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes or to caterers or organisers of academy trips who need to be made aware of dietary or medical needs;
- To provide educational services in the context of any special educational needs of a pupil;
- As part of any academy or external complaints, disciplinary or investigation process that involves such data, for example if there are SEN, health or safeguarding elements; or
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
Sharing information with others
Occasionally, the academy will need to share personal information relating with third parties, such as:
- professional advisers, e.g. lawyers, insurers, auditors;
- government authorities, e.g. HMRC, Department for Education, police or the local authority;
- the Health and Safety Executive if there is a health and safety issue at the academy, and
- appropriate regulatory bodies, e.g. the Charity Commission or the Information Commissioner.
For the most part, personal data collected by the academy will remain within the academy and will be processed by appropriate individuals only in accordance with access protocols on a ‘need to know’ basis. Particularly strict rules of access apply in the context of medical records and pastoral or safeguarding files.
However, a certain amount of any SEN pupil’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the pupil requires.
Staff, pupils and parents are reminded that the academy is under duties imposed by law and statutory guidance (including Keeping Children Safe in Education) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes and, in some cases, referrals to relevant authorities such as the Local Authority Designated Officer (LADO) or the police. For further information about this, please view the academy’s Safeguarding Policy.
In accordance with Data Protection Law, some of the academy’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely.
Criminal offence information
We may only use information relating to criminal convictions and offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations. Less commonly, we may use information relating to criminal convictions and offences where it is necessary in relation to legal claims, where it is necessary to protect a pupil and you are not capable of giving your consent, or when you have already made the information public.
Multiple legal grounds
In some cases, the academy will rely on more than one of the grounds above for a particular use of your information. For example:
- the academy will rely on public interest and legitimate interest grounds when providing your child with an education, and
- We will rely on public interest and legal obligation grounds if we have concerns about a child’s welfare and the academy is required to inform the local authority.
How long we keep personal data
The academy will retain personal data for as long as necessary in order to educate and look after your child. The academy will keep some information after a child has left, for example to refer back to a complaint. If you have any specific queries about how our Information and Records Retention policy is applied or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the academy.
Keeping in touch and supporting the academy
The academy may retain contact details of parents and past pupils to keep them updated about the activities of the academy, or to promote events of interest, or to promote and raise funds for the academy. You have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising.
Your rights
Rights of access, rectification, portability and deletion
Individuals have various rights under Data Protection Law to access personal data about them held by the academy, and in some cases to ask for it to be erased or amended or have it transferred to others, or for the academy to stop processing it – subject to certain exemptions and limitations.
You can ask what information we hold about you and be provided with a copy. This is known as making a subject access request. Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation in a format which can be read by computer, or who has some other objection to how their personal data is used, should put their request in writing to the academy.
Requests that cannot be fulfilled
You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals or information which is subject to legal privilege.
The academy is also not required to disclose any pupil test scripts or provide test marks ahead of any ordinary publication, nor share any confidential reference given by the academy itself for the purposes of the education, training or employment of any individual.
However, we may have a compelling reason to refuse a request to amend, delete or stop processing your, or your child's, personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.
Consent
Where the academy is relying on consent as a means to process personal data, any person may withdraw this consent at any time. We may ask for your consent to use your information as an alternative to relying on any of the bases above.
You can find out more about your rights under applicable data protection legislation from the Information Commissioner’s Office website available at www.ico.org.uk.
Data accuracy and security
The academy will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals should notify the academy of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected. The academy will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to systems. All staff and governors will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
This notice
The academy will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
Contact and complaints
Any comments or queries on this policy should be directed to the academy in the first instance, or to the Trust’s Data Protection Officer, Peter Noskiw at [email protected] .
If an individual believes that the academy has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should use the academy’s complaints procedure. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the academy before involving the regulator.