Privacy notice (Pupils)

Privacy Notice for Pupils

Privacy Notice (How we use pupil information)

St Mark’s CE Primary School is the data controller under the UK General Data Protection Regulation (UK GDPR) for the use of personal data explained in this Privacy Notice.

The categories of pupil information that we process include:

·        personal identifiers like name, address, unique pupil number, and contact details etc.

·        characteristics like ethnicity, language, free school meal, & pupil premium eligibility etc.

·        image and voice recordings for assessment, celebration

·        safeguarding information like court orders and the involvement of other professionals.

·        special educational needs including the needs and ranking.

·        medical information like doctors’ details, child health, dental health, allergies, medicines, and dietary requirements.

·        family financial information like bank details and entitlement to meals, transport, and pupil premium funding to manage catering, school trips etc.

·        attendance like sessions attended, absences, absence reasons, previous schools attended.

·        assessment and attainment like End of Key Stage Assessments and  Year 1 Phonics Screening Check, and any relevant results.

·        behavioural information like behaviour management plans, exclusions, and alternative provision.

Why we collect and use this information

The personal data we collect is essential for the school to fulfil official functions and meet legal requirements and we use it to:

a)     support learning,

b)     monitor and report on pupil attainment progress,

c)     provide appropriate pastoral care,

d)     assess the quality of what we do,

e)     keep children safe e.g. food allergies, emergency contact details

f)      meet the statutory duties placed on us for the Department for Education (DfE) data collections,

g)     meet the statutory duty placed upon us to report infectious diseases e.g. supporting test and trace, 

h)     to record our own school history.

Under UK GDPR, the lawful bases we rely on for processing personal pupil information are:

6(1)(e) to perform a task carried out in the public interest i.e. to provide education.

6(1)(b) to enter into or carry out a contract e.g. to provide safe meals, trips, transport, uniform, professional photos, childcare.

6(1)(c) to comply with the law e.g. recording attendance, publishing results, recording the census (see Sharing with the DfE below), data sharing with child protection partners like social care, the NHS, and the Local Authority etc.

6(1)(a) having your consent e.g. to use images and names publicly, or use biometric data as an identifier.

When we process sensitive personal information like medical data we rely on the lawful bases:

9(2)(h)      to prevent medical problems, assess needs, and to support health & social care services e.g. Education Health & Care Plans (EHCP), records of medicine administration.

9(2)(i)       to improve public health e.g. we are required to report infections, like meningitis, Covid-19[1] or e-Coli, to local and national government departments;

9(2)(f)       to make or defend legal claims e.g. some special educational needs and all accident records etc.

This list is not exhaustive.  For more information about the categories of information we process and why please see our data asset register available in the school office.

Collecting pupil data

We collect pupil information via an initial registration forms at the start of the Reception year or Common Transfer File (CTF) or secure file transfer from a previous school.

Most of the pupil information we ask for is required by law or necessary so we can provide a good education and some of it is voluntary.  To comply with UK GDPR, if you have a choice about providing information, we will tell you when we ask for it.

Storing pupil data

We hold pupil data securely in line with the Information and Records Management Society (IRMS) Records Management Toolkit for Schools.  This personal data is retained for a wide range of time periods from days after a successful trip for the consent form to many years after a pupil has left us for an accident report.  For more information about how long we keep some information for and why (data retention), and how we keep the data safe, please see our Data Protection Policy and data asset register.

Who we share pupil information with and why

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.  The laws listed in this notice that require us to collect information also require us to share it.  Data is transferred securely by hand delivery or registered post, via a government data transfer system like School to School, via a contractor’s secure data sharing system like our online school trips safety system, and sometimes in other secure ways. 

We routinely share pupil information with:

·        Schools and other education providers pupils go to after leaving us to support their continuing education.

·        Child development and protection partners like our Local Authority Children’s Services, Public Health, Inclusion & Social Care etc. to check attendance, monitor, and protect children; the NHS for medical referrals & support; private companies offering counselling and other family or support services.

·        The DfE to help decide our school funding, monitor attainment & benchmark it nationally, compile league tables, develop national education policy and monitor it.

·        Our Local Authority to ensure they can conduct their statutory duties under the Schools Admission Code, including conducting Fair Access Panels.

·        Medical services like therapists, the public health 5-19 nurses , or the NHS for things like screening, vaccinations, health/ eye/ dental checks, Education Health and Care Plan (EHCP) provision etc. and Public Health England about certain contagious infections our pupils come into contact with.

·        Government departments like Public Health England, Local Authority Public Health, and District Council Environmental Health Departments to comply with the law and support public health emergency action;

·        Voluntary and charitable organisations (with your permission only), such as Action for Children , our local foodbank and similar organisations who can offer families practical help and support.

Sharing with the Department for Education (DfE)

The DfE collects personal data from educational settings and local authorities via various statutory data collections (as above).  We are required to share this information about our pupils with them directly or via our local authority for the purpose of those data collections, under section 29(3) and section 537A of the Education Act 1996; under the Education (School Performance Information)(England) Regulations 2007; under regulations 5 and 8 of the School Information (England) Regulations 2008; under the Education (Pupil Registration) (England) Regulations 2006; under section 83 of the Children Act 1989 (for monitoring and research purposes); and for census purposes under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.

For more information, please see the section on ‘How Government uses your data’ below.

Requesting access to your personal data

Under UK GDPR, parents, carers, and pupils have the right to request access to information about them that we hold.  To make a request for your personal information, or be given access to your child’s educational record, please contact the Headteacher or School Business Manager.

Depending on which lawful basis above was used to process the data, you may also have the right to:

·        object to processing of personal data that is likely to cause, or is causing, damage or distress;

·        prevent processing for the purpose of direct marketing;

·        object to decisions being taken by automated means;

·        in certain circumstances, have inaccurate personal data rectified, blocked, erased, or destroyed; and

·        seek redress, either through the ICO, or through the courts.

If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/.

For further information on how to request access to personal information held centrally by DfE, please see the ‘How Government uses your data’ section of this notice below.

Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the Headteacher or School Business Manager.

Last updated

This privacy notice was compiled using DfE advice and model documents.  We may need to review it periodically, so we recommend that you revisit this information from time to time. This version was last updated in September 2021.

Contact

If you would like to discuss anything in this privacy notice, please contact: the Headteacher or School Business Manage via  admin@st-marks.cumbria.sch.uk. 

How Government uses your data

The pupil data that we lawfully share with the DfE through data collections:

·        underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.

·        informs ‘short term’ education policy monitoring and school accountability and intervention (for example Pupil Progress measures).

·        supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)

Data collection requirements

To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) go to www.gov.uk/education/data-collection-and-censuses-for-schools.

The National Pupil Database (NPD)

Much of the data about pupils in England is held in the National Pupil Database (NPD).

The NPD is owned and managed by the DfE and contains information about pupils in schools in England.  It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.

It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

To find out more about the NPD, go to www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

Sharing by the DfE

The law allows the DfE to share pupils’ personal data with certain third parties, including:

·        schools and local authorities

·        researchers

·        organisations connected with promoting the education or wellbeing of children in England

·        other government departments and agencies

·        organisations fighting or identifying crime

For more information about the DfE’s NPD data sharing process, please visit: www.gov.uk/data-protection-how-we-collect-and-share-research-data

Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.

For information about which organisations the DfE has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares

How to find out what personal information the DfE holds about you

Under the terms of the Data Protection Act 2018, you are entitled to ask the DfE:

·        if they are processing your personal data

·        for a description of the data they hold about you

·        the reasons they’re holding it and any recipient it may be disclosed to

·        for a copy of your personal data and any details of its source

If you want to see the personal data held about you by the DfE, please make a ‘subject access request’ to them.  Find out how in the DfE’s personal information charter published at: www.gov.uk/government/organisations/department-for-education/about/personal-information-charter

To contact the DfE go to: www.gov.uk/contact-dfe.

[1] Visit: https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace#information-to-collect, if you want more information about Test and Trace, what data they collect and what they do with it.