Privacy Notice at Sacred Heart Primary School

Privacy Policy (How we use pupil information)

Privacy notice for pupils, parents and carers

Introduction

As a school we collect a significant amount of information about our pupils.  This notice explains why we collect the information, how we use it, the type of information we collect and our lawful reasons to do so. 

Under data protection law, individuals have a right to be informed about how the school uses any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data.  This privacy notice explains how we collect, store and use personal data about pupils, parents and carers.

We, Sacred Heart Catholic Primary School and Nursery, are the ‘data controller’ for the purposes of data protection law. The initial contact is Mrs Susan Kelly, the school business manager.

Our data protection officer is Chris Walsh (Liverpool City Council), dpo@liverpool.gov.uk.

Our Legal Obligations

We must make sure that the information we collect and use about pupils is in line with the GDPR and Data Protection Act. This means that we must have a lawful reason to collect the data, and that if we share that with another organisation or individual we must have a legal basis to do so.

The lawful basis for schools to collect information comes from a variety of sources, such as the Education Act 1996, Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013, Article 6 and Article 9 of the GDPR.

The Department for Education and Local Authorities require us to collect certain information and report back to them. This is called a ‘public task’ and is recognised in law as it is necessary to provide the information.

We also have obligations to collect data about children who are at risk of suffering harm, and to share that with other agencies who have a responsibility to safeguard children, such as the police and social care.

We also share information about pupils who may need or have an Education Health and Care Plan (or Statement of Special Educational Needs). Medical teams have access to some information about pupils, either by agreement or because the law says we must share that information, for example, school nurses may visit the school.

Counselling services, careers services, and occupational therapists are the type of people we will share information with, so long as we have consent or are required by law to do so.

We must keep up-to-date information about parents and carers for emergency contacts.

The categories of pupil information that we process include:

  • personal identifiers and contacts (such as name, unique pupil number, contact details and address)

  • characteristics (such as ethnicity, language, and free school meal eligibility)

  • safeguarding information (such as court orders and professional involvement)

  • special educational needs (including the needs and ranking)

  • medical and administration (such as doctors’ information, child health, dental health, allergies, medication and dietary requirements)

  • attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)

  • assessment and attainment (such as key stage 1 and phonics results, post 16 courses enrolled for and any relevant results)

  • behavioural information (such as exclusions and any relevant alternative provision put in place)

  • Additional activities (extra-curricular activities, educational visits)

  • Pupil Premium Children (areas for entitlement)

  • Information provided by parents or carers (letters, emails, or telephone conversations)

This list is not exhaustive. We may also hold data about pupils that we have received from other organisations, including schools, local authorities and the Department for Education (DfE).

Why we collect and use pupil information

The personal data collected is essential for the school to fulfil its official functions and meet legal requirements.

We collect and use pupil information for the following purposes:

  • Fulfil our statutory obligations to safeguard and protect children and vulnerable people

  • Enable targeted, personalised learning for pupils

  • Manage behaviour and effective discipline

  • Monitor our effectiveness

  • Comply with our legal obligations to share data

  • Support pupils to fulfil their potential

  • Keep pupils, parents and carers informed about school events, school news and the running of the school (such as emergency closures)

  • (a) to support pupil learning

  • (b) to monitor and report on pupil attainment progress

  • (c) to provide appropriate pastoral care

  • (d) to assess the quality of our services

  • (e) to keep children safe (food allergies, or emergency contact details)

  • (f) to meet the statutory duties placed upon us by the Department for Education

Use of your personal data in automated decision-making and profiling:

We do not currently process any personal data through automated decision-making or profiling. If this changes in the future, we will amend any relevant privacy notices in order to explain the processing to you, including your right to object to it.

Our lawful basis for using this data

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing pupil information are:

  • for the purposes of (a), (b), (c) & (d) in accordance with the legal basis of Public task: collecting the data is necessary to perform tasks that schools are required to perform as part of their statutory function

  • for the purposes of (e) in accordance with the legal basis of Vital interests: to keep children safe (food allergies, or medical conditions)

  • for the purposes of (f) in accordance with the legal basis of Legal obligation: data collected for DfE census information

Some of the reasons listed above for collecting and using pupils’ personal data overlap, and there may be several grounds which justify our use of this data.

Collecting this information:

Pupil data is essential for the school’s operational use. Whilst most of the pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with UK GDPR, we will inform you at the point of collection whether you are required to provide certain pupil information to us or whether you have a choice in this, and we will tell you what you need to do if you do not want to share this information with us.

We collect personal information about pupils, parents and carers via the following methods:
   – Registration forms
   – Common Transfer File (CTF) from a previous school
   – Child protection plans
   – Written records from other settings

How We Store This Data

We keep personal information about pupils, parents and carers while they are attending our school. We may also keep it beyond their attendance at our school if this is necessary in order to comply with our legal obligations. Our record retention management policy sets out how long we keep information about pupils.

Data Sharing

We do not share information about pupils with any third party without consent unless the law and our policies allow us to do so.

Where it is legally required or necessary (and it complies with data protection law), we may share personal information about pupils with:

  • Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions

  • The Department for Education

  • The pupil’s family and representatives

  • Educators and examining bodies

  • Our regulator (e.g. Ofsted, Liverpool Archdiocese)

  • Suppliers and service providers – to enable them to provide the service we have contracted them for

  • Financial organisations

  • Central and local government

  • Our auditors

  • Survey and research organisations

  • Health authorities

  • Security organisations

  • Health and social welfare organisations

  • Professional advisers and consultants

  • Charities and voluntary organisations

  • Police forces, courts, tribunals

  • Professional bodies

All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.

Department for Education

National Pupil Database

We are required to provide information about pupils to the Department for Education as part of statutory data collections such as the school census.

Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department for Education and provides evidence on school performance to inform research.

The database is held electronically so it can easily be turned into statistics. The information is securely collected from a range of sources including schools, local authorities and exam boards.

The Department for Education may share information from the NPD with other organisations which promote children’s education or wellbeing in England. Such organisations must agree to strict terms and conditions about how they will use the data.

For more information, see the Department’s webpage on how it collects and shares research data.

You can also contact the Department for Education with any further questions about the NPD.

Local Authority

We may be required to share information about our pupils with the local authority to ensure that they can conduct their statutory duties under

How Government uses your data

The pupil data that we lawfully share with the DfE through data collections:
   • underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
   • informs ‘short term’ education policy monitoring (for example, school GCSE results or Pupil Progress measures).
   • supports ‘longer term’ research and monitoring of educational policy (for example, how certain subject choices go on to affect education or earnings beyond school).

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census), go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

Requesting access to your personal data

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.

Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.

If you make a subject access request, and if we do hold information about you or your child, we will:

  • Give you a description of it

  • Tell you why we are holding and processing it, and how long we will keep it for

  • Explain where we got it from, if not from you or your child

  • Tell you who it has been, or will be, shared with

  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this

  • Give you a copy of the information in an intelligible form

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

Parents/carers also have a legal right to access their child’s educational record.

Other Rights

Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:

  • Object to the use of personal data if it would cause, or is causing, damage or distress

  • Prevent it from being used to send direct marketing

  • Object to decisions being taken by automated means (by a computer or machine, rather than by a person)

  • In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing

  • Claim compensation for damages caused by a breach of the data protection regulations

To exercise any of these rights, or to request access, please see contact details below.

Contact Us

If you have any questions, concerns, or would like more information about anything mentioned in this privacy notice, please contact Susan Kelly, School Business Manager (initial contact), or our data protection officer, Chris Walsh, at dpo@liverpool.gov.uk.

Complaints

We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact admin@sacredheart.liverpool.sch.uk (initial contact), or our data protection officer, Chris Walsh, at dpo@liverpool.gov.uk.

Alternatively, you can make a complaint to the Information Commissioner’s Office: