On 25 May 2018, The General Data Protection Regulation (GDPR) will be
enforced and this is legislation which both strengthens and unifies Data Protection for individuals. This will go a significant way to ensuring that personal data is not being accessed by or shared with people who should not be able to view it.
GDPR outlines responsibilities for Data Controllers and Data Processors.
Who are these people in our school?
As a school we are the Data Controller of the personal data you provide to us. This means that we decide the purpose for which and the manner in which any personal data relating to pupils and their families is to be processed.
Ms Phillips is the Data Protection Officer. Her role is to oversee and
monitor the school’s Data Protection procedures and to ensure they are compliant with GDPR.
Data Processors are people or organisations that process the personal data on behalf of the controller. Examples in our school include our Management
Information System provider, our school photographer and websites like TimesTable Rock Stars.
In any school, there are very few occasions where we would need to approach you for your consent to process (share) your data as most of what we do falls under the heading of ‘public interest’ as a school is a public body.
Public interest essentially means that it is in the public interest to operate our school and educate our children. So, we use data for delivering our curriculum, contacting you in the event of an emergency and our termly census returns which inform school funding allocations.
What sort of data is collected?
The categories of pupil information that the school collects, holds and shares
· Personal information e.g. name, gender, date of birth, address
· Characteristics e.g. ethnicity, language, nationality, country of birth,
entitlement to free school meals
· Attendance Information e.g. the number of absences and the reasons for
· Assessment Information e.g. national curriculum assessment results (SATs,
Phonics Screening) and ongoing teacher assessments
· Relevant medical information e.g. asthma, allergies and other confirmed
· Special Educational Needs and Disability (SEND) information (where
· Behavioural information e.g. exclusions
· Accident / Incident information e.g. where First Aid has been administered
· Equality information e.g. incidents of racism, bullying
Whilst the majority of the personal data you provide to school is mandatory, some is provided on a voluntary basis. When we are collecting data we will inform you whether you are required to provide this data or whether your consent is needed. Where consent is required, the school will provide you with specific and explicit information with regard to the reasons the data is being collected and how it will be used. A recent example here relates to the Flu Vaccinations administered by the School Aged Immunisation Service.
How long is your data stored for?
GDPR states that schools should not store personal data indefinitely and that unless there is a legitimate reason to keep it e.g. a legal requirement, it should only be stored for as long as it is necessary to complete the task for which it was originally intended. Once it is no longer needed it will be securely erased.
Will my information be shared?
All schools are required to share pupils’ data with the Department for Education.
The best examples of this are our termly census returns where we provide detailed information about our school, its staff and pupils so that a national picture can be obtained of all schools across the country. Similarly we share information with the Local Authority and the School Health Team (part of the National Health Service).
Examples here include applications for free school meals and information about children who are new to school so that they do not become ‘lost’ in the healthcare system.
The Department for Education manages the National Pupil Database (NPD) and this contains information about pupils in school in England. We are required by law to provide information about our pupils and some of this is then stored on the NPD. In
To promote the education or well being of children, they may share
this information with third parties to:
· Conduct research or analysis
· Produce statistics
· Provide information, advice or guidance
It is important to stress at this point that the Department for Education has robust processes in place to ensure confidentiality of any data shared from the NPD is maintained.
We will not share your personal information with any third parties without your
consent, unless the law requires us to do so. The school routinely shares pupils’
· Destination schools when pupils leave us.
· The Local Authority
· The Department for Education
· Our school photographer
· Our school communications provider (parent text messaging / e-mail service)
· The National Health Service
The information we share with these parties includes:
· Pupil record files containing annual reports and attendance registration
· Electronic data including personal information, SEND information, assessment and attendance information
· Mobile phone numbers and e-mail addresses of parents, carers and other
What are your rights?
Parents and pupils have the following rights under GDPR:
· The right to be informed – this means that we must tell you that we are using
your data, why and for what purpose.
· The right of access – this means that you are allowed to request to see the
data in relation to you that we are processing.
· The right of rectification – this means that if your data is incorrect, we have to correct it.
· The right to erasure – you can request that we erase all data relating to you
that we hold. This applies only when the personal data supplied is no longer
necessary for the purpose for which it was collected. So, in essence this
means that we cannot erase information relating to a pupil who is still
attending our school.
· The right to restrict processing – you can request that we stop using your data unless we have a legitimate legal basis for continuing to do so.
· The right to data portability. This means that you can obtain and re-use your
personal data for your own purposes across different services,
· The right to object – this means that you can request us to stop using your
data unless we have an overriding legitimate reason to continue.
· Rights in relation to automated decision making or profiling – this means that
you can request that automated decisions made about you are made by a
Are you concerned or would you like more information?
If you have a concern about the way our school and / or the Department for
Education is collecting or using your personal data you can raise a concern with the Information Commissioner’s Office (ICO). This can be done by telephone 0303 1231113 Monday – Friday 9am – 5pm or e-mail email@example.com
If you have any questions please contact the school office