Privacy Notice (How we use Pupil Information)
Under data protection law, individuals have a right to be informed about how the school uses any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ (sometimes called ‘information notices’) to individuals.
In line with Government guidelines we may need to keep records of staff and pupils that have tested positive for COVID-19. This information is stored securely and is not shared with any parties it does not concern.
The General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018 (DPA) sets out the law relating to data protection and this privacy notice and the way we handle your personal data is all carried out in accordance with that law.
Under the GDPR and DPA anyone who holds and controls the way in which data is used is known as a data controller. We, Beech Hill School, are a ‘data controller’ for the purposes of the data protection law.
This privacy notice sets out the following information:
- The personal data we hold
- Why we use this data
- Special Category Data
- Our legal basis for using this data
- Collecting this personal data
- How long we store this data
- Data Sharing – Who we share any personal data with and why
- Transferring her data internationally
- Parents and Pupils’ rights regarding personal data
- Other Rights
- Data Protection Officer
- How Government uses your data
- The personal data we hold
Personal data that we may collect, use, store and share (when appropriate) about pupils includes, but is not restricted to:
- Name, address, date of birth
- Contact details, contact preferences, identification documents
- Emergency contact details
- Characteristics, such as ethnic background, religious beliefs, eligibility for free school meals, or special educational needs
- Details of any medical conditions, including physical and mental health conditions
- Results of internal assessments and externally set tests
- Pupil and curricular records
- Exclusion information
- Attendance information
- Safeguarding information
- Details of any support received, including care packages, plans and support providers
We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.
Why we use this data: We use this data to:
- Support pupil learning
- Monitor and report on pupil progress
- Provide appropriate pastoral care
- Protect pupil welfare
- Assess the quality of our services
- Administer admissions waiting lists
- Carry out research
- Comply with the law regarding data sharing
The personal information is initially used to create the pupil record then information will be taken from that record to create attendance records, class lists and reading groups. The personal information is used to track attainment and performance and put any support in place for your child throughout their time in school.
Some personal information may be input into communication based apps to allow school to communicate with you about important matters relating to your child and school events, consent will be sought for this separately.
Some information, mainly your child’s name, may be used in software/applications which your children will use as resources to facilitate their learning. A Data Protection Impact Assessment (DPIA) will be conducted before the school uses any new software or applications and your child will be supervised in line with ICT acceptable use policy whilst using the software/application in school. Where necessary, we will obtain your consent before using software.
Special Category Data
The School collects and processes some personal information that is classed as Special Category data under the DPA and GDPR. Special category data is personal data that is classed as more sensitive than other personal information and therefore requires greater protection.
The special category data which school may process includes race, ethnic origin, religion and health information.
In order to lawfully process special category data, school must have a lawful basis under Article 8 GDPR and a separate condition for processing the data under Article 9 GDPR.
Under Article 6 GDPR, the lawful basis for processing health information is that there is a legal obligation on the school to hold, process and, in some instances, share this information in order to safeguard your child. Article 9(2)(b) is the separate condition for processing the health and medical information of your child for safeguarding purposes.
The school may ask you for information about your child’s race, ethnic origin and religion but in most instances this is optional and therefore by providing this information you are giving your consent for the information being processed by the school. In the majority of instances the only use for this information is that school provide this to the Department for Education on the annual census in order to understand the demographic of children within the school/local authority area. Further information about personal data that is shared with the DfE and how they use it is set out at the end of this privacy notice.
The legal basis for processing your child’s race, religion and/or religion is consent and the separate condition for processing under Article 9(2)(a) is consent.
Extra care will be taken when collecting, processing or sharing special category data and, unless there is a legal reason why we can’t, you will be informed before we share the data with any external organisations.
Our legal basis for using this data
We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:
- We need to comply with a legal obligation
- We have obtained your consent to use it in a certain way
Less commonly, we may also process pupils’ personal data in situations where:
- We need it to perform an official task in the public interest
- Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
- Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds which justify our use of this data.
- This legal basis for collecting and using personal data is set out in Article 6 and Article 9 of the GDPR.
Back to the top
Collecting this information
We collect pupil information via the admissions form we ask you to complete before your child starts with us at school or on a Common Transfer File (CTF) from your child’s previous school.
Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.
How long we store this data
We keep personal information about pupils while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary in order to comply with our legal obligations. The schedule set out in the Information and Records Management Society’s toolkit for schools sets out how long we keep information about pupils, what we retain and what we dispose of and when. We also have our Records Management and Retention Policy which sets out more information about how long we keep personal information, how we store your information whilst we are processing it and how we dispose of the information when we no longer need it.
Data sharing – who we share any personal data with and why
We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.
Where it is legally required, or necessary (and it complies with data protection law) we may share personal information about pupils with:
- Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
- The Department for Education – to meet our legal obligation to provide census information (see further information below) and information on attainment and progress.
- The pupil’s family and representatives – in order to provide the child’s parents/carers with information about performance, attainment, attendance and behaviour.
- Educators and examining bodies – externally marked test papers contain pupil names and dates of birth.
- Our regulator e.g. Ofsted – requires data to analyse performance of the school. On visiting the school the inspector will ask to see staff applications/references, pupil information, reports and referrals.
- Suppliers and service providers – to enable them to provide the service we have contracted them for such as online digital learning environments and our online tracking system.
- Financial organisations – such as moneyless payment systems, giving parents the facility to pay for dinner money and school trips digitally
- Central and local government – termly census data.
- Our auditors – financial auditors who inspect our school every 3 years.
- Survey and research organisations – publishing companies and local universities, carrying out case studies on the performance of our pupils.
- Health authorities – school nursing team, national NHS data collection of heights and weights initiative for Reception and Year 6 children.
- Children’s Social Care
- Security organisations
- Health and social welfare organisations – if there is a medical need or arrangement for a particular child or if it is in the interests of safeguarding of the child.
- Professional advisers and consultants – e.g. – Writing moderators for Standards and Testing Agency – who select pupils work to moderate
- Police forces, courts, tribunals – these services require access to data should an incident occur to one of our pupils, staff or families.
Transferring data internationally
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that the organization outside the EEA is compliant with the GDPR. We do not currently transfer personal data to a country outside the EEA and don’t propose to in the future but will liaise directly with any individuals who may move to a country outside the EEA.
Parents and pupils’ rights regarding personal data
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
If you make a subject access request, and if we do hold information about you or your child, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you or your child
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
Give you a copy of the information in an intelligible formIndividuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request please contact our data protection officer (see details below under the ‘Data Protection Officer’ section).
Parents/carers also have a legal right to access to their child’s educational record. To request access, please contact .
Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:
- Object to the use of personal data if it would cause, or is causing, damage or distress
- Prevent it being used to send direct marketing
- Object to decisions being taken by automated means (by a computer or machine, rather than by a person)
- In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
- Claim compensation for damages caused by a breach of the data protection regulations
To exercise any of these rights, please contact our data protection officer.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our data protection officer.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Data Protection Officer
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:
How Government uses your data
The pupil data that we lawfully share with the DfE through data collections:
- underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
- informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
- supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)
- Data collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
Sharing by the Department
The law allows the Department to share pupils’ personal data with certain third parties, including:
- Local authorities
- Organisations connected with promoting the education or wellbeing of children in England
- Other government departments and agencies
- Organisations fighting or identifying crime
For more information about the Department’s NPD data sharing process, please visit:
Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.
For information about which organisations the Department has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
How to find out what personal information DfE hold about you
Under the terms of the Data Protection Act 2018, you are entitled to ask the Department:
- If they are processing your personal data
- For a description of the data they hold about you
- The reasons they’re holding it and any recipient it may be disclosed to
- For a copy of your personal data and any details of its source
If you want to see the personal data held about you by the Department, you should make a ‘subject access request’. Further information on how to do this can be found within the Department’s personal information charter that is published at the address below:
To contact DfE: https://www.gov.uk/contact-dfe
This notice is based on the Department for Education’s model privacy notice for pupils, amended for parents and to reflect the way we use data in this school.