Privacy Notice (How we use pupil and parent / carer information)
Under data protection law, Samuel Rhodes School is subject to a variety of obligations as the data controller of personal data (information) about pupils and their parents, carers and families.
Personal data is information that identifies you and your child and is about you and your child. This personal data might be provided to us by you, or provided by someone else (for example another school) or it could be created by the school.
This privacy notice explains how we collect, store and use pupil & parent / carer personal data. Samuel Rhodes School is the 'Data controller' for the purposes of data protection law. We have appoint Grow Education Partners Ltd as our data protection officer (DPO) and the responsible contact is Claire Mehegan, email@example.com
In this privacy notice all references to ‘you / your’ include both the pupil and the pupil’s parents, both individually and collectively, unless otherwise specified.
The personal data we collect and hold:
Personal data that we may collect, use, store, and share (when appropriate) about pupils & parents/carers includes, but is not limited to:
- Personal Information (such as name, date of birth, unique pupil number, parent’s/carer’s national insurance number)
- Contact details and preferences (such as telephone number, email address, postal address, for you and your emergency contacts)
- Assessment information (such as data scores, tracking, and internal/external testing)
- Protected characteristics, (such as ethnic background, religion or belief)
- Special educational needs information (such as EHCP’s, statements, applications for support, care or support plans)
- Exclusion information
- Relevant medical information (such as NHS information, health checks, physical and mental health care, immunisation status and allergies and medical conditions, including physical and mental health)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Safeguarding information
- Details of any support received, including care packages, plans and support providers
- Photographs (such as for internal safeguarding & security purposes, school newsletters, media and promotional purposes).
- Closed-circuit television (CCTV) images captured in school
- Data about your use of the school’s information and communications systems
- Payment and banking details where required.
We may also hold data about pupils and parents/carers that we have received from other organisations, including other schools, local authorities and the Department for Education (“DfE”).
A full breakdown of the information we collect on pupils & parents/carers can be requested by contacting the school office, firstname.lastname@example.org
Why we collect and use this information
The purpose of collecting and processing this data includes but is not limited to:
- Contacting you in relation to your child or to inform you about School events and updates
- Supporting pupil learning
- Monitoring and reporting on pupil progress
- Providing appropriate pastoral care
- Protecting pupil welfare and safeguarding
- Assessing the quality of our services
- Administering admissions waiting lists
- Carrying out research
- Complying with the law regarding data sharing
- Adhering to the statutory duties placed upon us by the Department for Education.
The lawful basis on which we use this information
This section contains information about the legal basis that we are relying on when handling your information. These are defined under data protection legislation and for personally identifiably information are:
- You have given consent for one or more specific purposes
- Processing is necessary to comply with the school’s legal obligations
- Processing is necessary to protect your vital interests
- Processing is necessary for tasks in the public interest or exercise of authority vested in the controller (the provision of education)
- Processing is necessary for the school’s legitimate interests or the legitimate interests of a third party.
When we process special category information, which is deemed to be more sensitive, the following lawful basis are used:
- You have given explicit consent
- It is necessary to fulfil the school’s obligations or your obligations
- It is necessary to protect your vital interests
- Processing is carried out by a foundation or not-for-profit organisation (includes religious, political or philosophical organisations and trade unions)
- Reasons of public interest in the area of public health.
An example of how we use the information you provide is:
The submission of the school census returns, including a set of named pupil records, is a statutory requirement on schools under Section 537A of the Education Act 1996.
Putting the school census on a statutory basis:
• means that schools do not need to obtain parental or pupil consent to the provision of information
• ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils
• helps to ensure that returns are completed by schools.
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent and explain how consent can be withdrawn.
Collecting pupil information
While the majority of information we collect about pupils & parents/carers is mandatory, there is some information that can be provided voluntarily.
Whenever we seek to collect information from you or your child, we make it clear whether providing it is mandatory or optional. If it is mandatory, we will explain the possible consequences of not complying.
Storing pupil data
We keep your information for as long as we need to in order to educate and look after our pupils.
The majority of this will be stored in the pupil file and this file will follow the pupil whenever they move schools and will be retained by the last school the pupil attends.
Where we are legally required or have a lawful basis to do so we will keep some information after your child has left the School. This will be retained in line with our Data Retention Schedule, a copy of which can be requested by contacting the school office, email@example.com
To protect your data, we have data protection policies and procedures in place, including strong organisational and technical measures, which are regularly reviewed. Further information can be found in our Data Protection Policy or upon request.
In order for us to legally, effectively and efficiently function we are required to share data with appropriate third parties, including but not limited to:
- Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions (where the pupil is not resident in Islington, with their respective local authority)
- The Department for Education- to meet our legal obligations to share certain information.
- The pupil’s family and representatives- such as in the event of an emergency
- Educators and examining bodies- such as ensuring we adhere to examining regulations to guarantee the validity of examinations
- Ofsted- during the course of a school inspection
- Suppliers and service providers – to enable them to provide the service we have contracted them for
- Central and local government
- Our auditors- to ensure compliance with our legal obligations
- Health authorities (NHS) - to ensure the wellbeing of pupils
- Security organisations to create a secure workplace for all staff
- Health and social welfare organisations
- Professional advisers and consultants - for us to develop our services and best provide our public service
- Charities and voluntary organisations
- Police forces, courts, tribunals, security services - to create a secure workplace for all at the school.
- Professional bodies
- Schools that the pupils attend after leaving us.
Transferring data internationally
We may send your information to other countries where:
- we or a company we work with store information on computer servers based overseas; or
- we communicate with you when you are overseas.
We conduct due diligence on the companies we share data with and note whether they process data in the UK, EEA (which means the European Union, Liechtenstein, Norway and Iceland) or outside of the EEA.
The UK and countries in the EEA are obliged to adhere to the requirements of the GDPR and have equivalent legislation which confer the same level of protection to your personal data.
For organisations who process data outside the UK and EEA we will assess the circumstances of how this occurs and ensure there is no undue risk.
Additionally, we will assess if there are adequate legal provisions in place to transfer data outside of the UK.
Why we share information
In order to successfully perform our key functions, we need to share personal data with organisations
For example, we share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Data collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Youth support services
Pupils aged 13+
Once our pupils reach the age of 13, we also pass basic pupil information (name, address and date of birth) to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
youth support services
Any additional information is provided only with opt-in consent from the parent or carer.
This right is transferred to the child/pupil once he/she reaches the age 16.
Pupils aged 16+
We will also share basic information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
post-16 education and training providers
youth support services
For more information about services for young people, please visit our local authority website: https://www.islington.gov.uk/children-and-families/young-people
If a student is over 16, the child (or the parent(s)) can ask that no information beyond names, address and your date of birth be passed to the support service. Please see the contact us section below on how to opt-out of this arrangement. For more information about young peoples’ services, please go to the Directgov Young People page at https://www.gov.uk/topic/schools-colleges-childrens-services/support-for-children-young-people
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://find-npd-data.education.gov.uk/
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance.
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data.
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Data Protection Rights
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
If you make a subject access request, and if we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- NOT provide information where it compromises the privacy of others
- Give you a copy of the information in an intelligible form.
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
In most cases, we will respond to subject access requests within 1 month, as required under data protection legislation However, we are able to extend this period by up to 2 months for complex requests or exceptional circumstances.
Your Other Rights regarding your Data:
- Withdraw your consent to processing at any time (This only relates to data for which the school relies on consent as a lawful basis for processing)
- Ask us to rectify, erase or restrict processing of your personal data, or object to the processing of it in certain circumstances and where sufficient supporting evidence is supplied
- Prevent the use of your personal data for direct marketing
- Challenge processing which has been justified on the basis of public interest, official authority or legitimate interests
- Request a copy of agreements under which your personal data is transferred outside of the United Kingdom.
- Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect you)
- Request a cease to any processing that is likely to cause damage or distress
- Be notified of a data breach in certain circumstances
- Submit a complaint to the ICO
- Ask for your personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).
Parents/carers also have a legal right to access to their child’s educational record.
If you would like to exercise any of the rights or requests listed above, please contact the school office:
- Email: firstname.lastname@example.org
- Primary Campus: Montem Community Campus, Hornsey Road, London, N7 7QT
- Telephone: 020 7281 5114
- Secondary Campus: 11 Highbury New Park, London, N5 2EG
- Telephone: 020 7704 7490
The School will comply with the Data Protection legislation in regard to dealing with all data requests submitted in any format, although individuals are asked to preferably submit their request in written format to assist with comprehension.
We reserve the to verify the requesters identity by asking for Photo ID. If this proves insufficient, then further ID may be required.
Data Protection Breaches
If you suspect that your or someone else’s data has been subject to unauthorised or unlawful processing, accidental loss, destruction or damage, we ask that you please contact the School Business Manager at Samuel Rhodes School and advise us without undue delay.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our independent data protection officer:
Data Protection Services, Grow Education Partners
London Diocesan House, 36 Causton Street,
London, SW1P 4AU
Telephone: 020 7932 1175
Alternatively, you can refer a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact either our School Data Protection Lead, Bernadette Napleton, School Business Manager at Samuel Rhodes School or our independent Data Protection Officer, Claire Mehegan at Grow Education Partners.