We, Heavers Farm Primary School, are a data controller for the purposes of the General Data Protection Regulation. We collect and use personal data relating to pupils and their families and may also receive information regarding them from their previous school, Local Authority or Department for Education. SCC DPO Services are the Data Protection Officer. Their role is to oversee and monitor the school’s data protection procedures and to ensure they are compliant with the GDPR.
The Data Protection Officer can be contacted by e-mail at DPO@sccgdprservices.co.uk
See our update on Coronavirus – Track and Trace below
Why we collect and use this information:
- Support your child’s learning;
- Monitor and report on progress;
- Provide appropriate pastoral care;
- Assess the quality of our services; and
- Comply with the law regarding data sharing.
The categories of pupil information that we collect, hold and share include:
- Personal information (contact details, including name, address, telephone number)
- Unique pupil number
- National curriculum assessment results
- Attendance information, such as sessions attended, number of absences and absence reasons
- Personal characteristics, such as ethnicity, language, nationality, country of birth
- Other categories of information include: free school meal eligibility, any special educational needs that your child may have, relevant medical information and exclusions/behavioural information
The lawful basis on which we use this information:
We will not give information about you or your child to anyone without your consent unless the law and our policies allow us to. We collect and use personal data in order to meet legal requirements and legitimate interests set out in the General Data Protection Regulation (GDPR) and UK Law, including those in relation to the following:
- Article 6 and Article 9 of the GDPR
- Education Act 1996
- Section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013
Collecting Pupil Data
Whilst the majority of pupil data you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where consent is required, the school will provide you with specific and explicit information with regard to the reasons why the data is collected and how the data is used.
Storing Pupil Data
Personal data relating to pupils at Heavers Farm Primary School and their families is stored in line with the school’s GDPR Protection Policy. In accordance with the GDPR, the school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.
Who we share pupil information with
We routinely share pupil information with:
- Schools that the pupils attend after leaving us
- Our local authority
- The Department for Education (DfE)
- The NHS school nurse team
- The NHS Track and Trace team
- Public Health England
- ParentPay, who provide online payment
- Teachers2Parents who provide text and email messaging services
- Cunninghams, our provider for cashless payments for school meals
- TEAM Educational Welfare services who help us support good school attendance
- Love to Communicate, who provide speech and language support for our pupils
- Love to Communicate, who provide educational psychology services for our pupils
- Croydon Schools Sports Partnership
- Palace for Life sports provider
- Chelsea FC sports provider
- Wonde school software
- Magicbooking club booking system
- Tracker+ school assessment system
- Fidelity childcare voucher providers
- Computershare childcare voucher providers
- Edenred childcare voucher providers
- Sodexo childcare voucher providers
- Faircare childcare voucher providers
- R&G Childcare childcare voucher providers
- Care-4 childcare voucher providers
- School Photography Company, school photographers
Why we share pupil information
We do not share information about our pupils with anyone without consent, unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational policy and monitoring.
We are required to share information about our pupils with the Local Authority (LA) and the Department for Education (DfE) under section 3 of the Education (Information about Individual Pupils) (England) Regulations 2013.
Data Collection Requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example: via the School Census) go to: https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The Department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested; and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information to (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact the school’s Data Protection Officer as noted at DPO@sccgdprservices.co.uk.
What are your rights?
You have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
- withdraw your consent at any time, where the processing of data is based on your consent; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office on 03031 233333, Monday to Friday 9am-5pm or at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact our data protection officer at DPO@sccgdprservices.co.uk
UPDATE: Coronavirus – Track and Trace
Responding to the Coronavirus advice from the Government is an obligation on all schools in England. The development of the NHS ‘Track and Trace’ scheme is a key part of the government plan to manage Coronavirus. As all pupils are returning to our schools, the safety and wellbeing of pupils, staff and their families is a priority. Planning to manage a safe return is in place; however, our responsibility extends beyond the school gates.
We hold a lot of data, and it may be necessary for us to share that data on request from NHS Track and Trace workers. We will do this and will play our part in making this process as effective as possible. It is likely that we will be asked to provide contact details if a case of Coronavirus or a suspected case arises in our school. There is an obligation to support the government planning. We will provide details as requested to do this.
We will be sharing data on the basis that this is a Public Duty (see below) and that in the case of any health data it is necessary for the public interest, as set out. Please be assured that we will keep a record of information that we share. This Privacy Notice should be read alongside the other GDPR and Data Protection here on our blog.
NHS Test and Trace and the law
The law on protecting personally identifiable information, known as the General Data Protection Regulation (GDPR), allows Public Health England to use the personal information collected by NHS Test and Trace.
The section of the GDPR that applies is:
Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
As information about health is a special category of personal information, a further section of the GDPR applies:
Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
Public Health England also has special permission from the Secretary of State for Health and Social Care to use personally identifiable information without people’s consent where this is in the public interest. This is known as ‘Section 251’ approval and includes the use of the information collected by NHS Test and Trace to help protect the public from coronavirus. The part of the law that applies here is Section 251 of the National Health Service Act 2006 and the associated Health Service (Control of Patient Information) Regulations 200