GDPR
Privacy Notice
Data Controller:
Potton Primary School
Mill Lane
Potton
Bedfordshire
SG19 2PB
This Privacy Notice is to let you know how we as an educational setting look after personal information about our pupils. This includes the information you provide us as well as information we hold about our pupils relating to their education. This notice explains the reasons why we hold personal information, how we use this information, who we share it with and how we keep it secure. This notice meets with the requirements of the General Data Protection Regulations (GDPR).
Certain senior members of staff are responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable. As a school this responsibility is shared by the school’s data manager, admin manager, the Headteacher and named GDPR Governor.
They will provide an annual report of their activities directly to the governing board and, where relevant, report to the board their advice and recommendations on school data protection issues.
These individuals are also the first point of contact for individuals whose data the school processes, and for the ICO.
The school will on an annual basis commission an external validation of the data protection processes followed by the school to ensure compliance with GDPR is maintained.
A copy of this Privacy Notice is available on our website www.pottonprimary.co.uk Please refer to the website copy of this Privacy Notice for the latest version as it will be updated from time to time to reflect any changes in our circumstances.
If you have any questions or queries or would like to discuss anything in this Privacy Notice, please contact: Miss J Watts, Headteacher – 01767 260034
How we collect pupil information
We obtain pupil information for the start of each academic year through our ‘new pupil’ registration forms. We also collect any changes to pupil information through update forms during the academic year as part of our data administration process to keep the information we hold as up-to-date as possible. We also collect information through secure file transfers which contain relevant information (e.g. name, date of birth, attendance details) about our new pupils from their previous schools.
We collect and hold pupil information that includes:
-
Personal information about the pupils that come to our school such as name, unique pupil number and address, date of birth
-
Characteristics such as home language, meal arrangements and eligibility, special educational needs
-
Information that is categorised as special data such as gender, ethnicity, religion and medical information
-
Contact information such as parental and other contact names and telephone numbers for use in cases of emergency
-
Safeguarding information such as court orders, professional involvement and contact with non-resident parents
-
Medical information such as GP surgery details, allergies, medication and dietary requirements
-
Sibling information
-
History of previous schools or nurseries attended
In addition to the information we collect from parents/carers, we also record and hold the following information:
-
Attendance information such as sessions attended, number of absences and absence reasons
-
Assessment information recorded at various assessment capture points during the academic year as well as end of year attainment information such as Phonics outcomes and Key Stage 1 results
-
Behaviour information and where relevant, lunch time, fixed and permanent exclusions and any relevant alternative provision
Why we collect and use this information
We use the pupil data to:
-
support pupil learning
-
safeguard pupils in our care
-
record attendance
-
monitor and report on pupil attainment and progress
-
keep children safe whilst in our care
-
provide appropriate pastoral care
-
assess the quality of our services
-
comply with the law regarding data returns and sharing
-
provide any additional support
We use parent/carer contact information to:
-
email parent/carers for purpose of notification of school events, share pupil school work and various reports relating to the pupil’s life at the school
-
telephone parents/carers in cases of emergency or other matters relating to the safety of the child
The lawful basis on which we hold and use this information
We collect and use pupil information under the legal basis of public interest as an educational setting/school with the delegated task of educating and safeguarding the children in our care and under a legal obligation which necessitates our school making statutory data returns to the Department for Education (DfE) and our Local Authority [as described in Article 6, GDPR).
Our school is obliged to make statutory pupil census returns and hold attendance information under the following legislation:
Education Act 1996 – Section 434 (1), (3), (4) & (6) and Section 458 (4) & (5)
Education (Pupil Registration) (England) (Amendment) Regulations 2013
Department of Education Advice on Attendance (Nov 2016)
The special categories of data have been collected through explicit consent from the data subject in support of the specific purposes for which the data is being used in the education and safeguarding of pupils in our care [Article 9, GDPR].
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to:
https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Whilst the majority of pupil information you provide to us is mandatory (for reasons described above), there may be some information which we ask you for which is not mandatory but provided on a voluntary basis.
In some cases, we will ask you for information on the legal basis of legitimate interest where the information is required to support an educational or safeguarding function (e.g. a parent/carer email address or mobile contact number so that we can contact the parent/carer in an emergency or reasons involving the safety of the child).
The data we collect relating to medical health information is necessary to protect the vital interests of the child so that we can ensure a child’s medical needs are properly addressed and catered for.
As a Parent/carer, you cannot decline a data collection but you have right to decline providing information for self-declared data items by selecting the ‘Refused’ option e.g. ethnicity.
There are certain personal data items (e.g. photographs) which we collect on the legal basis of legitimate interest. We will ask you for your explicit consent about how these data items can be used if the purpose extends beyond holding the data within our main management information system (e.g. photograph on our school’s website). As a parent/carer you can change your decision to grant or withdraw consent at any time.
If at any point in the future, we seek to use any previously collected information for another purpose or use the information in new software, we will ask for your explicit consent to do so.
Who we share pupil information with
We routinely share pupil information with:
-
the school that a pupil attends after leaving us
-
our local authority
-
the Department for Education (DfE)
We also provide certain pupil data with other parties that provide a service for our school:
-
Integris
-
Class DoJo
-
Music teacher
-
Scopay
-
Read Theory
-
Evolve
-
School Library Service
-
Junior Liberian
-
Juniper Education
-
Provision Map
-
Medical Tracker
-
My Concern
- Groupcall
- Dfe and Central Bedfordshire Council
- GL Assessments
- White on Blue school photography service
- School Nursing Team
- NHS Screening
The majority of our pupil information is processed in our main Management Information System (Integris). However, our school also purchases third party software to help us provide additional functions and services. Certain data held on our main management information system is also shared with third party software providers for the following reasons:
-
Assessment software which uses the main pupil information such as name, class, date of birth and some contextual information to help us record attainment and track progress
-
Text messaging software which uses the contact names and telephone numbers used to notify parents/carers of certain events and important notices
-
Online payments system which uses our pupil names and classes to link to parent users for the purpose of enabling payments for meals etc.
-
Library system which uses pupil names and classes
We actively ensure that all of the third-party software organisations we share data with comply with the General Data Protection Regulations through their Privacy Notices and Data Sharing Agreements that they share with us.
Why we share pupil information with external parties
We do not share information about our pupils with anyone without consent unless the legal basis for holding and sharing the data allow us to do so.
We share pupil data with the Department for Education (DfE) and the Local Authority on a statutory basis through data collections such as the school census under the following statutes:
Section 573A of the Education Act 1996
Education Act 1996 s29(3)
Education (School Performance Information) (England) Regulations 2007
Regulations 5 & 8 School Information (England) Regulations 2008
Education (Pupil Registration) (England) (Amendment) Regulations 2013
Further information about the data collection requirements placed on our school by the DfE through the school census can be found at https://www.gov.uk/education/data-collection-and-censuses-for-schools
The data shared with the DfE and the local Authority is for the purpose of:
-
determining school funding which is calculated based upon the numbers of children and their characteristics in our school
-
informing the monitoring of ‘short term’ education policy such as Pupil Progress measures
-
supporting the ‘longer term’ research and monitoring of educational policy
Most of the pupil data we share with the DfE is held within their National Pupil Database (NPD). Please refer to the last page of this Privacy Notice for more information about the NPD and their basis for sharing data with third parties.
Our Local Authority’s Privacy Notice relating to early years pupil information can be found at http://www.centralbedfordshire.gov.uk/school/professionals/two-year-old-funding/privacy.aspx and their Privacy Notice relating to pupil information can be found at http://www.centralbedfordshire.gov.uk/schools-portal/administration/school-privacy-notice.aspx
How we keep personal data secure
We fully adhere to our Data Protection policies which outline our procedures and processes for accessing, handling and storing data safely in accordance with all the GDPR principles. These policies are regularly reviewed and ratified by our governors. The following processes ensure that we comply with data protection legislation in how we manage the protection of personal data:
-
Our networks, file systems and server operating systems are secured through firewalls and spyware/ virus detection programs on our servers to prevent unauthorised access to our data
-
Data held in a physical location within the school is held securely and only accessible by staff with appropriate authorisation
-
Access to data on systems is through individual passwords which are carefully managed and monitored
-
Any data that is removed from the school is minimised and encrypted
-
Older data is safely removed from computers and other devices
-
Data shared with the DfE and the Local Authority is shared through secure file transfer systems. Any data shared with other legitimate third parties where there is a legal basis for sharing will only be shared through secure methods.
-
Data shared with third-party software suppliers is controlled by the school. We will only deal with suppliers who can demonstrate that they comply with the requirements of data protection legislation and not use personal data for any other purpose than the purpose for fulfilling the functions we have contracted with them (e.g. assessment).
-
We ensure all staff receive regular training on data protection
We also adhere to our Data Breach Procedures Policy in the event of a data breach. These procedures explain how our school responds to occurrences of known or reported data breaches. A copy of this policy is available on our school website at: www.pottonprimary.co.uk
Requesting access to your personal data
Under data protection regulations, you as the parent/carer and pupils (from age 13, you have the following rights:
-
Right to be informed
-
Right to access to your child’s or your personal information
-
Right to have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances
-
Right to object to the processing of personal data that is likely to cause, or is causing, damage or distress
-
Right to restrict processing for the purpose of direct marketing
-
Right to data portability
-
Right to object to decisions being taken by automated means
-
Right to claim compensation for damages caused by a breach of the Data Protection regulations
It should be noted that some of these rights will not apply in circumstances where allowing them would significantly reduce or prevent our ability to perform our duties as a school and safeguard the children in our care.
You do have the right to request access to personal information about you and/or your child that we hold. To request access to your personal information or to your child’s educational record, you can make a Subject Access Request (SAR). For further information about this contact our school office: office@pottonprimary.co.uk
Our school will follow procedures outlined in our Subject Access Request Policy available from our website www.pottonprimary.co.uk which follows the guidelines promoted by the data protection regulations.
Please note that whilst we aim to respond to requests within the required time period of one month, we may not be able to honour this time period if we receive requests just before or during school holidays. If the nature of the request is complex and/or the request falls within a holiday period, we will aim to reach a mutually agreed alternative time period.
How long we keep personal information
We hold pupil data for the period determined appropriate for the different types of data we hold.
We will keep information for the minimum period necessary in accordance with DfE’s data retention recommendations which take into account legal and safeguarding considerations linked to the types of data held.
All information is held securely and will be destroyed as appropriate under secure and confidential conditions.
Let us know of any changes to personal information and emergency contact information
As a matter of course, we will contact you at least once a year to ensure that all the personal information and emergency contact details we have for your child is accurate and up-to-date. We would encourage you very strongly to ensure that any changes to phone numbers in particular are notified to our school office as soon as possible.
Reporting concerns about our data protection processes
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting our school office: office@pottonprimary.co.uk Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
Keeping you informed through this Privacy Notice
We aim to keep you informed of any changes to our data collections and data protection obligations through this Privacy Notice – the latest copy will be available on our website at www.pottonprimary.co.uk . We incorporate information about the pupil data we hold and how we adhere to the GDPR principles for protecting this data in our e-Safety and ICT lessons so that our children are aware of what we do.
Department for Education (DfE)
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
Sharing data by the DfE
The DfE can legally share information about our pupils from the NPD with third parties who are:
-
organisations involved with promoting the education or well-being of children in England :
-
researchers or analysts
-
schools
-
local authorities
-
other government departments and agencies
-
organisations fighting or identifying crime
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
How the DfE keeps data secure
All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet ISO27001 standards and the government security policy framework.
The Department has robust processes in place to ensure the confidentiality of our pupils’ data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
-
who is requesting the data
-
the purpose for which it is required
-
the level and sensitivity of data requested: and
-
the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe