We, Sandridge School, are a data controller for the purposes of the General Data Protection Regulations (GDPR).
The purpose of this document is to conform with your legal right to be informed about how the school collects, stores, uses or shares any information we hold about you or your child. For the purpose of this document, ‘pupil information’ includes any relevant details about parents, carers or persons responsible for the child.
Why do we collect and use pupil information?
Under Article 6 of the General Data Protection Regulation (GDPR), we collect and use information because we are legally required to collect some information about pupils and staff and we need to process this information due to our legal obligation (6,c) to provide an education to our pupils. This includes sharing information with exam boards, other schools and the Department for Education (DfE) where necessary. Our operation necessitates the use of contracts (6,b) including home-school contracts and contracts with staff and suppliers. In addition, due to our safeguarding responsibilities, we also collect information for the reason of vital interest (6,d) where the processing is necessary to protect someone’s life, which includes CCTV footage. Occasionally we collect data as a requirement for a public task (6,e).
Under Article 6 and Article 9 of GDPR, where the above lawful bases do not allow us to collect essential personal information, we will use consent (6,a).
We may receive information about pupils from their previous school, the Department for Education (DfE) and Hertfordshire County Council. We hold this personal data to:
- support the learning in our school
- monitor and report on pupil progress
- provide appropriate pastoral care
- assess the quality of our services
- keep our pupils and staff safe
- comply with the law regarding data sharing
The categories of information that we collect, hold and share include:
Personal details (such as name, Unique Pupil Number and address), national curriculum assessment results, attendance information (such as sessions attended, number of absences and absence reasons), any exclusion information, where they go after they leave us, personal characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility), any special educational needs they may have as well as relevant medical information. CCTV is used for safeguarding purposes and is controlled internally within a secure location. Sensitive personal information may also be processed for safeguarding purposes (on the Legal Basis of Vital Interest) at any time. Explicit consent would be sought if biometric data was to be collected/used by the school in the future.
Collecting pupil information
We collect pupil information by using registration forms, data collection forms (which may be used annually) or file transfer from previous schools.
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulations, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
An annual sweep of the school network will be used to ensure that data is removed from general access where appropriate. We shred or destroy redundant data onsite.
We may hold data on USB memory sticks if adequately protected, although their use is discouraged.
Photographs, videos and sound media will be captured by the school using school equipment and in line with any consent granted.
Data is backed up onsite daily and external backup is provided by our IT service provider (details can be obtained from the School Office), including SIMS. We maintain a supplier compliance log to ensure that Data Processors (our suppliers) are compliant and effectively safeguard your data.
The school has robust processes in place to minimise the risk of data breaches. In the unlikely event of a Data Breach, the school has an internal Data Breach Procedure and documentation which would be followed. These documents are overseen by the school’s Data Protection Officer (DPO), as directed by the General Data Protection Regulations 2018.
Data will be retained by the school for the duration of the pupil’s time with us. We cannot agree to delete data during this time.
We will agree to remove data held on pupils, if requested, after they have left us. We will have to send their information to a new school or education establishment if applicable.
We hold pupil data until they reach 25 years of age for pupils with SEN* (Data will be securely deleted in the academic year of their 25th birthday). Ordinarily, data will be removed from general access two years after they have left the school, where educational records and/or child protection records have been passed to an alternative provision (or to Herts or another county or country). A yearly sweep of school documentation will be carried out to ensure that such data is protected and removed from general access where appropriate.
Some school data will be kept for 6 years – this includes financial accounting information (legal reasons) and Data Breach Logs.
Who do we share information with?
We will not give information about you or your child to anyone without your consent unless the law and our policies allow us to.
Where our school is involved in collaborative delivery with other schools and learning providers, pupil information may also be shared to aid the preparation of learning plans and the use of data to achieve the objectives identified above or with schools that the pupil attends after leaving us. We need to share information, on occasion, with (but not limited to) Virtual Schools, Education Psychologist, transfer schools, Social Services Assessment Team, Children’s Services, school governors/trustees, local authority support services including the NHS, police and courts as necessary, and other health related assessment teams including disability allowance. We are required, by law, to share some information with the Department for Education (DfE). This information will, in turn, then be made available for use by the Local Authority. Additionally, the curriculum may require the use of third party web-based learning platforms, if GDPR compliant. We may share information with our Parent Teacher Association if we have your consent.
Why we share information
We are required to share information about our pupils with the DfE under regulation 4 and 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Whilst we share information as an ongoing school management requirement, which would include non-standard operational activity such as promoting the school and complaints/legal proceedings as required, we do not share information about our pupils with anyone without your consent unless the law and our policies allow us to do so.
Data collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
If you need more information about how our local authority and/or DfE collect and use your information, please visit:
- our local authority at http://www.hertsdirect.org/services/edlearn/privsch/ or
- the DfE website at https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
How Government uses your data
The pupil data that we lawfully share with the DfE through data collections:
- underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
- informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
- supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.
It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, parents and carers have the right to request access to any information that we hold about them. To make a request for your personal information, or be given access to your child’s educational record, contact the appropriate school office or email the Data Protection Officer (see ‘Contact’ below).
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purposes of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
- claim compensation for damages caused by a breach of the Data Protection regulations
- withdraw any consent that you have provided**
To find out more about your rights, visit https://ico.org.uk/your-data-matters/
We understand that there are penalties for inadequately protecting your data or for non-compliance with the GDPR. If you have a concern about the way we are collecting or using your personal data, you can raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/, on 0303 123 1113 or via email by visiting https://ico.org.uk/global/contact-us/email/
If a parent/carer wishes to access personal data held about them or their child, please contact:
- Sandridge School, Woodcock Hill, Sandridge, St Albans AL4 9EB. You can contact the school’s Data Protection Officer at firstname.lastname@example.org
- LA’s Data Protection Office: Information Governance Unit, Room C1, County Hall, Pegs Lane, Hertford, SG13 8DQ, email: dataprotectionhertscc.gov.uk
- QCA’s Data Protection Officer: 83 Piccadilly, London, W1J 8QA
- DfE’s Data Protection Office: Caxton House, Tothill St, London, SW1H 9NA
- Ofsted Data Protection Office: Alexandra House, 33 Kingsway, London, WC2B 6SE
Policy Review – GDPR
This policy will be reviewed in full by the Governing Body every three years. We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
The policy was last reviewed and agreed by the Governing Body on 20th May 2019.
Name: Lisa Roberts, Headteacher
Name: Andy Boxer, Chair of Governors
* and children without SEN if there is a major incident (for example, a safeguarding or critical/medical incident requiring external agency support). We may be required to keep the entire file until the youngest child involved turns 25 years of age, or longer for specific and regulated incidents.
**Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.