GDPR

In light of the changes to Data Protection with the introduction of the GDPR (General Data Protection Regulation) on the 25th May 2018, we have made some changes to the way we collect, use and share your data.

The GDPR is an updated set of rules designed to harmonise data privacy laws across Europe and gives greater protection and rights to individuals.

The GDPR implements 6 principals:

Lawfulness, Fairness and Transparency – Organisations must have legitimate reasons for collecting and processing your personal or sensitive data.
Purpose – Organisations should only collect data for a specified, explicit and legitimate purpose
Data Minimisation – Organisations should only collect data which is adequate, relevant and limited to what is necessary in relations to the purpose for which they are processed.
Accuracy – Data held by organisations should be accurate and where necessary kept up to date.
Retention – Data should be kept in a form which permits identifications of data subjects for no longer than is necessary for the purpose for which the personal data is processed.
Security – Data should be processed in a matter what ensures appropriate security of its personal data.

We have recently updated our Privacy notice which can be found on our website which details the information which we collect, the purpose for which we collect it, any 3rd parties who this may be shared with and how long we will retain it.

Under the GDPR, there is an enhancement of individuals rights:

The right to be informed – You should know about the collection and use of personal data.
The right of access – You can ask about your personal data we hold in the form of a subject access request (SAR)
The right of rectification – You can ask us to correct the information we hold which is incorrect
The right to erase – You can have your data removed
The right to restrict processing – You can limit what your data is being used for
The right to withdraw consent – Where consent has been given, you have the right to withdraw at any time.

It is important to note, where organisations have a legitimate purpose for the collection, use, sharing and storage of data these will therefore overrule individual’s rights and processing can continue.

Subject access requests (SAR)

If you wish to contact the School to obtain information that we hold, please complete the form available on the website or retrieve a paper copy in house. Proof of ID will need to be provided in order for the request to be completed and a response will be issued within one month from the date the request is received.

Reporting a Data Breach

If you believe that your personal or sensitive data has been compromised, please complete the 'Reporting a Breach' form available on collection from the office. All forms will be given to the Data Protection Officer.

What is GDPR?

GDPR stands for: General Data Protection Regulation. Although the school has been working in line with the Data Protection Act from 1998, new regulations in relation to your personal data come into effect from 25th May. We will ensure that personal data is protected and kept safely and securely. It will ensure that its policy for data protection is used as the basis for collecting, storing, accessing, sharing and deleting personal data. The school will use the General Data Protection Regulations (GDPR) as the benchmark for its standard for protecting personal data.

Objectives

To ensure that decision makers and key people in school comply with the statutory changes to the GDPR which will officially come into force in May 2018;
To ensure that there will be regular reviews and audits of the information we hold to ensure that we fully meet the GDPR statutory requirements;
To document the personal data we hold, where it came from and with whom it will be shared.;
To ensure that data collection, data handling, data storage and data disposal procedures are in line with the GDPR and cover all the rights individuals have, including how personal data is deleted and destroyed.

Strategies

Data access request procedures will handled within the timescales set out in the GDPR and we provide any additional information in line with the GDPR guidance;
The processing of personal data will be carried out on a lawful basis as required by the GDPR;
Where the school needs to seek consent, it will do so in a manner that meets GDPR standards;
Any records of consent and the management of the process for seeking consent will also meet the GDPR standard;
Where there is a personal data breach the procedures used to detect, report and investigate it will meet the requirements of the GDPR;
The systems the school puts into place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity will meet the standard set in the GDPR;
Data protection by design and data protection impact assessments will meet with the ICO’s code of practice on privacy impact assessments as well as with the latest guidance;
The school will have a Data Protection Officer who will be given responsibility for data protection compliance;
When the school requests data we will provide appropriate privacy notices to explain why data is being and the purposes for which it is used.

Outcomes

The requirements of the GDPR will be met by this school as the basis for collecting, storing, accessing, sharing and deleting personal data. Data will be processed fairly lawfully and in a transparent manner. It will be used for specified, explicit and legitimate purposes in a way that is adequate, relevant and limited. It will be accurate and kept up to date and kept no longer than is necessary. Data will be processed in a manner that ensures appropriate security of the data.

How we use pupil and parent information

Under General Data Protection Regulations (GDPR) we are obliged to inform you of the information we hold on and your child(ren), what we use it for, who we share it with, and for how long we keep it. This privacy notice (also known as a fair processing notice) aims to provide you with this information. If it, or any information linked to is unclear, please contact the school office, or the school’s Data Controller. Contact details for are available at the end of this privacy notice.

We, Brant Broughton CE Methodist Primary School are the Data Controller for the purposes of data protection law.

1. The categories of pupil & parent information that we collect, hold and share include but are not limited to:

Personal information (such as name, unique pupil number and address, parents national insurance number).
Contact details and preference (contact telephone numbers, email addresses, addresses)
Characteristics (such as ethnicity, religion, language, nationality, country of birth and free school meal eligibility)
Attendance information (such as sessions attended, number of absences and absence reasons)
Assessment information (such as data scores, tracking, and internal and external testing)
Relevant medical information (such as NHS information, health checks, physical and mental health care, immunisation program and allergies)
Special educational needs information (such as EHCP’s, applications for support, care or support plans)
Safeguarding information
Exclusion information
Behavioural information
Photographs (for internal safeguarding & security purposes, school newsletters, media and promotional purposes).
Payment details

We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.

2. Why we collect and use this information

We use the pupil and parent data:

to support pupil learning
to monitor and report on pupil progress
to provide appropriate pastoral and medical care
for safeguarding and pupil welfare purposes
administer admissions waiting lists
for research purposes
to inform you about events and other things happening in the school
to assess the quality of our services
to comply with the law regarding data sharing

3. The lawful basis on which we use this information

Our lawful basis for collecting and processing pupil information is defined under Article 6, and the following sub-paragraphs in the GDPR apply:

(a) Data subject gives consent for one or more specific purposes.

Processing is necessary to comply with the legal obligations of the controller.
Processing is necessary to protect the vital interests of the data subject.
Processing is necessary for tasks in the public interest or exercise of authority vested in the controller (the provision of education).

Our lawful basis for collecting and processing pupil information is also further defined under Article 9, in that some of the information we process is deemed to be sensitive, or special, information and the following sub-paragraphs in the GDPR apply:

The data subject has given explicit consent.
It is necessary to fulfil the obligations of controller or of data subject.
It is necessary to protect the vital interests of the data subject.
Processing is carried out by a foundation or not-for-profit organisation (includes religious, political or philosophical organisations and trade unions)

(g) Reasons of public interest in the area of public health

(i) It is in the public interest

A full breakdown of the information we collect on pupils can be requested from the school office.

Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.

Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds which justify our use of this data. An example of how we use the information you provide is:

The submission of the school census returns, including a set of named pupil records, is a statutory requirement on schools under Section 537A of the Education Act 1996.

Putting the school census on a statutory basis:

means that schools do not need to obtain parental or pupil consent to the provision of information
ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils
helps to ensure that returns are completed by schools

4. Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.

5. Storing pupil data

We hold pupil data whilst the child remains at our school. The file will follow the pupil when he / she leaves Brant Broughton Primary School. However where there is a legal obligation to retain the information beyond that period, it will be retained in line with our retention policy.

We have data protection policies and procedures in place, including strong organisational and technical measures, which are regularly reviewed.

6. Who we share pupil information with

We routinely share pupil information with appropriate third parties, including:

Harrow Council, our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
The Department for Education
The pupil’s family and representatives
Educators and examining bodies
Ofsted
Suppliers and service providers – to enable them to provide the service we have contracted them for
Financial organisations
Central and local government
Our auditors
Survey and research organisations
Health authorities
Security organisations
Health and social welfare organisations
Professional advisers and consultants
Charities and voluntary organisations
Police forces, courts, tribunals
Professional bodies
Schools that the pupil’s attend after leaving us
Details of nursery applications to other local providers to ensure that only one application has been made

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

7. Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

8. Data collection requirements:

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

9. The National Pupil Database (NPD)

https://www.gov.uk/data -protection -how -we -collect -and -share -research dataThe NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to https://www.gov.uk/government/collections/national-pupil-database

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

conducting research or analysis
producing statistics
providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

who is requesting the data
the purpose for which it is required
the level and sensitivity of data requested: and
the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit: https://www.gov.uk/guidance/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:

https://www.gov.uk/government/publications/dfe-external-data-shares

To contact DfE: https://www.gov.uk/contact-dfe

10. Requesting access to your personal data and your Data Protection Rights

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold, through a Subject Access Request.

Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.

Parents also have the right to make a subject access request with respect to any personal data the school holds about them.

If you make a subject access request, and if we do hold information about you or your child, we will:

Give you a description of it
Tell you why we are holding and processing it, and how long we will keep it for
Explain where we got it from, if not from you or your child
Tell you who it has been, or will be, shared with
Let you know whether any automated decision-making is being applied to the data, and any consequences of this
Give you a copy of the information in an intelligible form

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

If you would like to make a request please contact our data protection officer.

Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact enquiries@brant-broughton.lincs.sch.uk for the attention of Mr Wells (Executive Headteacher).

You also have the right to:

object to processing of personal data that is likely to cause, or is causing, damage or distress
prevent processing for the purpose of direct marketing
object to decisions being taken by automated means
in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
claim compensation for damages caused by a breach of the Data Protection regulations

11. Complaints

We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact our data protection officer.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

Report a concern online at https://ico.org.uk/concerns/
Call 0303 123 1113
Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact us.

Privacy Notice Child Friendly version pdf