PYE BANK CE PRIMARY SCHOOL

Privacy Notice

Pye Bank CE Primary School

GDPR privacy notice for pupils and their families

Under data protection law, individuals have a right to be informed about how the school uses any personal data that we hold about them, we comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data. This privacy notice explains how we collect, store and use personal data about pupils and their families.

 Who processes your information?

The Diocese of Sheffield Academies Trust is a ‘data controller’ as defined by Article 4 (7) of the UK GDPR.  This means that we determine the purposes for which, and the manner in which, your personal data is processed.  We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.   

The school acts as a data processor so are obtaining, recording and holding the information. Mrs Stanley acts as a representative for the school with regard to its data processing responsibilities; she can be contacted on 0114 2760472.

In some cases, your data will be outsourced to a third party processor; however, this will only be done with your consent, unless the law requires the school to share your data. Where the school outsources data to a third-party processor, the same data protection standards that Pye Bank CE Primary upholds are imposed on the processor.

Clare Sturman is the data protection officer. Her role is to oversee and monitor the school’s data protection procedures, and to ensure they are compliant with the GDPR. The data protection officer can be contacted on 01709 718640 or csturman@dsat.education

 Why do we collect and use your information?

Pye Bank CE Primary holds the legal right to collect and use personal data relating to pupils and their families, and we may also receive information regarding them from their previous school, LA and/or the DfE. We collect and use personal data in order to meet legal requirements and legitimate interests set out in the GDPR and UK law, including those in relation to the following:

• Article 6 and Article 9 of the GDPR
• Education Act 1996
• Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013

In accordance with the above, the personal data of pupils and their families is collected and used for the following reasons:

• to support pupil learning
• to monitor and report on pupil attainment progress
• to provide appropriate pastoral care
• to assess the quality of our services
• to keep children safe (food allergies, or emergency contact details)
• to meet the statutory duties placed upon us for DfE data collections

Which data is collected?

The categories of pupil information that the school collects, holds and shares include the following:

• Personal information – e.g. names, date of birth, pupil numbers and addresses
• Characteristics – e.g. ethnicity, language, nationality, country of birth and free school meal eligibility
• Attendance information – e.g. number of absences and absence reasons
• Assessment information – e.g. national curriculum assessment results
• Medical (such as doctors’ information, child health, dental health, allergies, medication and dietary requirements)
• Information relating to SEND
• Behavioural information – e.g. number of temporary exclusions
• Safeguarding information
• Photograph and Film images
• Details of any support received, including care packages, plans and support providers.

We may also hold data about pupils that we receive from other organisations, including other schools, local authorities and the Department for Education.  

The lawful basis for processing this information is under Article 6 of the GDPR:

• Public Task – the processing is necessary for the school to perform a task in the public interest or for the official functions, and the task or function has a clear basis in law.
• Consent – the parent/carer has given clear consent for the school to process the pupil’s personal data for specific purposes.
• Legal Obligation – processing personal data that is necessary for the legitimate interests of the school or those of a third party.

Where special categories of data are collected under Article 9 of the GDPR:

• The data subject has been given specific consent to the processing of their personal data for one or more specified purposes.
• Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right of data protection and provide for suitable and specific measures to safeguard the fundamental rights in the interests of the data subject.

Whilst the majority of the personal data you provide to the school is mandatory, some is provided on a voluntary basis. When collecting data, the school will inform you whether you are required to provide this data or if your consent is needed. Where consent is required, the school will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.  

 How long is your data stored for?

Personal data relating to pupils at Pye Bank CE Primary and their families is stored in line with the school’s DSAT Trust Retention Schedule.

In accordance with the GDPR, the school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.

 Will my information be shared?

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our pupils with the Department for Education (DfE) either directly or via our local authority for the purpose of those data collections, under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Putting the school census on a statutory basis:

• means that schools do not need to obtain parental or pupil consent to the provision of information
• ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils
• helps to ensure that returns are completed by schools

All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.

For more information, please see ‘How Government uses your data’ section.

Local Authorities

We may be required to share information about our pupils with the local authority to ensure that they can conduct their statutory duties under

• the Schools Admission Code, including conducting Fair Access Panels.

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. The school routinely shares pupils’ information with:

• Pupils’ destinations upon leaving the school
• The LA (Local Authority)
• The NHS (including the School Nursing Team)
• CPOMS (Child Protection Online Monitoring System)
• The DfE (Department for Education)
• Arbor
• Class Dojo
• Insight DATA Tracker
• Time Tables Rockstars

The information that we share with these parties includes the following:

• Personal information – e.g. names, pupil telephone numbers, email addresses and postal addresses.
• Characteristics – e.g. ethnicity, languages spoken at home, nationality, country of birth and free school meal eligibility.
• Attendance information – e.g. number of absences and reasons for absence.
• Assessment information – e.g. national curriculum assessment results, PE and Maths Tracking
• Relevant medical information.
• Information relating to SEND
• Behavioural information e.g. number of temporary exclusions.
• Levels of attainment (Insight).
• Updates on Early Years Development

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact Clare Sturman (DPO) or the school directly.

You also have the right to:

• to ask us for access to information about you that we hold
• to have your personal data rectified, if it is inaccurate or incomplete
• to request the deletion or removal of personal data where there is no compelling reason for its continued processing
• to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
• to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
• not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/

For further information on how to request access to personal information held centrally by DfE, please see the ‘How Government uses your data’ section of this notice.

Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent.  If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the data controller.

Where can you find out more information?

If you would like to find out more information about how we and/or the DfE collect, use and store your personal data, please visit our website www.pyebank.sheffield.sch.uk or please see ‘How Government uses your data’ section.

Last updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated on 24/02/22.

Contact

If you would like to discuss anything in this privacy notice, please contact: Clare Sturman, Data Protection Officer on 01709 718 640 or csturman@dsat.education

 for a downloadable copy of the school's privacy notice for pupil's and families.

----------------------------------------------------------------------------------------------------------- 

GDPR privacy notice for the school workforce

 Schools are currently required to detail to staff how their personal data may be collected and used. This requirement will remain once the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018; however, schools will be required to revise their privacy notices to include further information on processing individuals’ personal data. Schools can use this template privacy notice to ensure they are compliant with the GDPR and communicate how they process personal data relating to the school workforce.

Who processes your information?

The school is the data controller of the personal information you provide to us. This means they determine the purposes for which, and the manner in which, any personal data relating to staff is to be processed. A representative of the school, Karen Stanley can be contacted on 0114 276 0472

Clare Sturman is the data protection officer. His role is to oversee and monitor the school’s data processing practices. This individual can be contacted on 01709 718 640 or csturman@dsat.education

Where necessary, third parties may be responsible for processing staff members’ personal information. Where this is required, the school places data protection requirements on third party processors to ensure data is processed in line with staff members’ privacy rights.

 Why do we need your information?

Pye Bank C of E Primary School has the legal right and a legitimate interest to collect and process personal data relating to those we employ to work at the school, or those otherwise contracted to work at the school.

We use workforce data to:

1. enable the development of a comprehensive picture of the workforce and how it is deployed
2. inform the development of recruitment and retention policies
3. enable individuals to be paid

The lawful basis for processing this information is under Article 6 of the GDPR:

• Public Task – the processing is necessary for the school to perform a task in the public interest or for the official functions, and the task or function has a clear basis in law.
• Consent – the employee has given clear consent for the school to process the pupil’s personal data for specific purposes.
• Legal Obligation – processing personal data that is necessary for the legitimate interests of the school or those of a third party.

Where special categories of data are collected under Article 9 of the GDPR:

• The data subject has been given specific consent to the processing of their personal data for one or more specified purposes.
• Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right of data protection and provide for suitable and specific measures to safeguard the fundamental rights in the interests of the data subject.

We process personal data in order to meet the safeguarding requirements set out in UK employment and childcare law, including those in relation to the following:

• Academy Funding Agreement
• Academy’s legal framework
• Safeguarding Vulnerable Groups Act 2006
• The Childcare (Disqualification) Regulations 2009

If staff members fail to provide their personal data, there may be significant consequences. This could include appropriate disciplinary actions, including verbal and written warnings.

For which purposes are your personal data processed?

In accordance with the above, staff members’ personal data is used for the following reasons:

• Contractual requirements
• Employment checks, e.g. right to work in the UK
• Salary requirements
• Health & Safety at work

Which data is collected?

The personal data the school will collect from the school workforce includes the following:

• Names
• National insurance numbers
• Characteristics such as ethnic group
• Employment contracts
• Remuneration details
• Qualifications
• Absence information
• Next of Kin and associated contact number
• Medical Requirements

We collect personal information via our recruitment process.

Workforce data is essential for the school’s / local authority’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.

How long is your data stored for?

Personal data relating to staff at Pye Bank C of E Primary School is stored in line with the school’s DSAT Trust Retention Schedule.

In accordance with the GDPR, the school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.

Will your personal data be sought from third parties?

We routinely share this information with:

• our local authority (where applicable)
• the Department for Education (DfE)
• The Diocese of Sheffield Academies Trust

We are required to share information about our workforce members with our local authority (LA) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our pupils with the Department for Education (DfE) for the purpose of those data collections, under:

We are required to share information about our school employees with the (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.

All data is transferred securely and held by DfE under a combination of software and hardware controls which meet the current government security policy framework.

For more information, please see ‘How Government uses your data’ section.

Requesting access to your personal data

Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, contact Clare Sturman, DPO.

Depending on the lawful basis above, you may also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• a right to seek redress, either through the ICO, or through the courts

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

For further information on how to request access to personal information held centrally by DfE, please see the ‘How Government uses your data’ section of this notice.

Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting data controller.

How can you find out more information?

If you would like to find out more information about how we and/or the DfE collect, use and store your personal data, please visit our website https://www.pyebank.sheffield.sch.uk/ or please see ‘How Government uses your data’ section.

Last updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated on 25/01/21.

Contact

If you would like to discuss anything in this privacy notice, please contact: Clare Sturman, Data Protection Officer on 01709 718 640 or csturman@dsat.education

  for a downloadable copy of the Privacy Notice for the school workforce.