Privacy Policy
1. Aims
Our school aims to ensure that all data collected about staff, students, parents and visitors is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 which came into force on 25th May 2018.
This policy applies to all personal data, regardless of whether it is in paper or electronic format.
2. Legislation and Guidance
This policy meets the requirements of the General Data Protection Regulation (GDPR), and is based on guidance published by the Information Commissioner’s Office and model privacy notices published by the Department for Education.
3. Definitions
Term | Definition |
---|---|
Personal data | Data from which a living person can be identified, including data that, when combined with other readily available information, leads to a person being identified. |
Sensitive personal data | Data such as: • Contact details • Racial or ethnic origin • Political opinions • Religious beliefs, or beliefs of a similar nature • Where a person is a member of a trade union • Physical and mental health • Sexual orientation • Whether a person has committed, or is alleged to have committed, an offence • Criminal convictions |
Processing | Obtaining, recording or holding data |
Data subject | The person whose personal data is held or processed |
Data controller | A person or organisation that determines the purposes for which, and the manner in which, personal data is processed |
Data processor | A person, other than an employee of the data controller, who processes the data on behalf of the data controller |
4. The Data Controller
Our school processes personal information relating to students, staff, parents, students’ emergency contacts and visitors and is therefore a data controller. Our school delegates the responsibility of data controller on a day-to-day basis to the School Administrator and the Head of ICT Services.
In addition, the school employs an external and independent Data Protection Officer (DPO) to audit our policies and procedures and to advise on best practice.
The school is registered as a data controller with the Information Commissioner’s Office and renews this registration annually.
5. Data Protection Principles
The GDPR is based on the following data protection principles, or rules for good data handling. Data will be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
6. Roles and responsibilities
The Governing Body has overall responsibility for ensuring that the school complies with its obligations under the GDPR.
Day-to-day responsibilities rest with the Headteacher who delegates this responsibility to the School Office Staff/ICT Representative. The Headteacher will ensure that all staff are aware of their data protection obligations and oversee any queries related to the storing or processing of personal data.
Staff are responsible for ensuring that they collect and store any personal data in accordance with this policy. Staff must also inform the school of any changes to their personal data, such as a change of address.
7. Privacy Notices
7.1 Students and parents (Appendix 1)
The school holds personal data about students to support teaching and learning, to provide pastoral care and to assess how the school is performing. We may also receive data about students from other organisations including, but not limited to, other schools, Local Authorities, the Department for Education and the National Health Service.
This data includes, but is not restricted to:
- Contact details
- Results of internal assessment and externally set tests
- Data on student characteristics, such as ethnic group or Special Educational Needs and Disabilities
- Exclusion information
- Details of any medical conditions
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about students with anyone without consent unless the law and our policies allow us to do so. Individuals who wish to receive a copy of the information that we hold about them/their child should refer to sections 8 and 9 of this Policy.
We are required, by law, to pass certain information about students to specified external bodies, such as our Local Authority and the Department for Education, so that they are able to meet their own statutory obligations.
7.2 Staff (Appendix 2)
We process data relating to those we employ to work at, or otherwise engage to work at, our school. The purpose of processing this data is to assist in the running of the school, including to:
- enable individuals to be paid
- facilitate safer recruitment practice
- support the effective performance management of staff
- improve the management of workforce data across the education sector
- inform our recruitment and retention policies
- allow better financial modelling and planning
- enable monitoring of people with, and without, Protected Characteristics under the Equality Act
- support the work of the School Teachers’ Review Body
Staff personal data includes, but is not limited to, information such as:
- contact details, next of kin
- National Insurance numbers
- salary information
- qualifications
- absence data
- personal characteristics/protected characteristics
- medical information
- outcomes of any disciplinary procedures
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about staff with third parties without consent unless the law allows us to. This may include advisers such as our Occupational Health and our Human Resources advisers.
We are required, by law, to pass certain information about staff to specified external bodies, such as our Local Authority and the Department for Education, so that they are able to meet their statutory obligations.
Any staff member wishing to see a copy of information about them that the school holds should contact the School Manager.
8. Subject Access Requests
Under the GDPR, students have a right to request access to information which the school holds about them. This is known as a Subject Access Request.
Subject Access Requests must be submitted in writing, either by letter or email. Requests should include:
- The student’s name
- A correspondence address
- A contact number and email address
- Details about the information requested
The school will not reveal the following information in response to Subject Access Requests:
- Information that might cause serious harm to the physical or mental health of the student or another individual
- Information that would reveal that the child is at risk of abuse, where disclosure of that information would not be in the child’s best interests
- Information contained in adoption and parental order records
- Certain information given to a court in proceedings concerning the child
Subject Access Requests for all or part of the student’s educational record will be provided within 15 school days. Appendix 3 shows the charges that apply.
If a Subject Access Request does not relate to the educational record, we will respond within 40 calendar days. The maximum charge that will apply is £10.00.
9. Data Accuracy
Data held will be as accurate and up to date as is reasonably possible. If a data subject informs the school of a change of circumstances, his/her computer records will be updated as soon as is practicable.
Data Checking Sheets for students will be securely provided to parents in September/October each year so they can check the accuracy and make any amendments. For staff, Data Checking Sheets will be issued every 12 months.
Where a data subject challenges the accuracy of his/her data, the school will correct the records. In the case of any dispute, we will try to resolve the issue informally, but if this proves impossible, disputes will be referred to the Governing Body under the formal Complaints Procedure.
Storage of records:
- Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal information are kept under lock and key when not in use
- Papers containing confidential personal information should not be left on office and classroom desks, on staffroom tables or pinned to noticeboards where there is general access
- Passwords that are at least 8 characters long containing letters and numbers are used to access school computers, laptops and other electronic devices. Staff and students are forced to change their passwords at regular intervals
- Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices
- Staff, students or governors who store personal information on their personal devices are expected to follow the same security procedures for school-owned equipment
10. Disposal of Records
Personal information that is no longer needed, or has become inaccurate or out of date, is disposed of securely according to the school’s Data Destruction Policy.
For example, we will shred or incinerate paper-based records, and overwrite electronic files. We use an external contractor to shred documents on site.
11. Training
Our staff and governors will be provided with data protection training as part of their induction process and this is refreshed annually each September.
Data protection will also form part of continuing professional development, where changes to legislation or the school’s processes make it necessary.
12. Monitoring Arrangements
The School Management Team is responsible for monitoring and reviewing this policy.
The school’s Data Protection Officer checks that the school complies with this policy by, among other things, reviewing school records at least annually or more frequently if required.
This document will be reviewed when the General Data Protection Regulation comes into force, and then every 2 years. At every review, the policy will be shared with the Governing Body.
13. Links with other policies
- Records Management Policy
- Use of Email Policy
- Data Destruction Policy
- Record Retention Policy