Privacy Statement for Employees

Outcomes Focused, Child Centred
Northern Education Trust

Privacy Statement for Employees

Outcomes Focused, Child Centred
Northern Education Trust

Privacy Notice for Employees

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) came into force on 25 May 2018. Data protection laws are designed to keep people’s personal information safe. Your personal privacy is of great importance to us.

Northern Education Trust of Thorp Academy, Main Road, Ryton, Tyne and Wear, NE40 3AH  (the “Trust“) will process personal data (which may be held on paper, electronically or otherwise) about our employees and we recognize the need to treat it in an appropriate and lawful manner, in accordance with the General Data Protection Regulation (“GDPR“) and the Data Protection Act 2018 (the “DPA“).

The Trust is the controller of the personal information you provide to it. This means the Trust determines how and why personal data relating to children and their families are collected and used.

Where we outsource data to a third-party processor, the same data protection standards that the Trust upholds are imposed on the processor.

This privacy notice sets out, amongst other things:

  • What information we collect;
  • Why we collect it;
  • Who we share it with;
  • How long we keep it for;
  • What your rights are;
  • Who to contact if you need more information or have concerns.

We reserve the right to amend this Privacy Notice at any time. Any amended versions of this Privacy Notice will be published on our website at https://www.northerneducationtrust.org/information/privacy-statement/ and we advise that you check this webpage periodically for any updated versions of this Privacy Notice.

What data do we collect?

We process personal data relating to those who we employ, or otherwise engage, to work in the Trust. The categories of personal information that the Trust collects, holds and shares includes, but is not limited to, the following:

  • Contact details;
  • Date of birth, marital status and gender;
  • Next of kin and emergency contact numbers;
  • Salary, annual leave, pension and benefits information;
  • Bank account details, payroll records, National Insurance number and tax status information;
  • Recruitment information, including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process;
  • Qualifications and employment records, including work history, job titles, working hours, training records and professional memberships;
  • Performance information;
  • Outcomes of any disciplinary and/or grievance procedures;
  • Absence data;
  • Copies of documents which provide proof of ID;
  • Photographs;
  • CCTV footage;
  • Data about your use of the school’s information and communications system.

We may also collect, store and use information about you that is classed as special category personal data. This includes information about a person’s:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data (such as data relating to the inherited or acquired genetic characteristics of an individual);
  • Biometric data (for the purpose of uniquely identifying an individual);
  • Data concerning an individual’s health (including physical and mental health, medical conditions and sickness absence);
  • Sex life or sexual orientation.

Criminal data is not included within the definition of special categories of data but we will process criminal data using the same safeguards we operate in respect of special categories of data.

Ensuring your personal data is accurate

We will keep the personal data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. We will contact you periodically to check your details are still up to date. We will also contact you if we become aware of any event which is likely to result in a change to your personal data.

Why do we collect it?

The law requires us to collect and process employees’ personal data. The purpose of processing your personal data is to enable us to run the Trust, which includes:

  • Enabling you to be paid;
  • Facilitating safe recruitment, as part of our safeguarding obligations towards pupils;
  • Supporting effective performance management;
  • Informing our recruitment and retention policies;
  • Allowing better financial modelling and planning;
  • Enabling ethnicity, disability and gender pay monitoring;
  • Improving the management of workforce data across the sector;
  • Facilitating corporate transactions involving the Trust.

If you fail to provide us with certain personal data, consequences may include:

  • Staff not being paid on time;
  • Incorrect deductions being taken from salary;
  • The Trust failing to comply with its statutory recording and reporting obligations.

Your personal data will only be processed to the extent that it is necessary for the specific purposes we tell you about.

While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us.

Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.

Our lawful basis for processing your personal data

We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:

  • Fulfil a contract we have entered into with you;
  • Comply with a legal obligation; or
  • Carry out a task in the public interest.

Less commonly, we may also use personal information about you where:

  • You have given us consent to use it in a certain way. We will tell you when we need consent and will provide more information. If you give us consent, you can withdraw it at any time by getting in touch with us;
  • We need to protect your vital interests (or someone else’s interests); or
  • We (or a third party) have legitimate interests in processing the personal data – for example to support the Trust to develop strategies and plans to support its sustainability.

Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify the Trust’s use of your personal data.

We will only process special category personal data where a further processing condition is met. Usually this will mean that you have given your explicit consent, the processing is necessary for the assessment of your working capacity or that the processing is legally required for employment purposes.

What are our legitimate interests (or the legitimate interests of a third party)?

We consider that in some circumstances, the processing of your personal data is necessary for our (or a third party’s) legitimate interests, which include:

  • Ensuring our workforce is managed effectively. This requires us to manage your holiday entitlement, payroll matters, conduct periodic performance reviews and, if required, take disciplinary action;
  • Ensuring that the information you provide us with in the recruitment process and while you are employed by us is accurate;
  • That we process personal data to ensure you have the right skills, training and experience for your role.

Profiling and automated processing

The processing of your personal data may include profiling, particularly to monitor staff health and wellbeing and to ensure compliance with the Trust’s IT Acceptable Use policy. Examples of profiling may include the monitoring and analysis of:

  • Emails sent and received using a Trust email account (including the patterns of use of emails and their content);
  • Websites visited whilst using Trust IT;
  • Analysis of keystroke data for safeguarding purposes.

How do we store your data?

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of your personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction or deletion. We will only transfer personal data to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

Who do we share data with?

We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data or we are required to provide the personal data by law. Where we do disclose your personal data to a third party, we will have regard to the data protection principles.

Northern Education Trust is required to share data with the Department for Education. This includes personal and special category data relating to all staff in academies, including their characteristics, pay and sickness absence information. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) go to https://www.gov.uk/government/publications/school-workforce-census-2017-guides

We share your data with HMRC in the form of statutory tax and national insurance returns. We also share your data with Gateshead Metropolitan Borough Council as they deliver our payroll service.

We sometimes need to share information with other organisations that provide systems for managing data and information within Academies. Where this is the case, those organisations will act as Data Processors on behalf of Northern Education Trust and they will need to comply with all current Data Protection legislation to keep personal information safe.

We may need to share information when we are involved in transactions regarding the acquisition or disposal of schools from the Trust or if all or part of the assets of the Trust are acquired by a third party (such as another trust, the DfE or a Local Authority), in which case the personal data held by us may be one of the transferred assets.

If your personal data is provided to any third parties, you are entitled to request details of the recipients of your personal data or the categories of recipients of your personal data.

How long will we keep information for?

We keep information on computer systems and on paper. We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that data will be destroyed or erased from our systems when it is no longer required. The Trust’s Record Management and Retention policy provides further information.

Transferring personal data internationally

We will not transfer your personal data outside the European Economic Area (“EEA“) unless such transfer is compliant with the GDPR. This means that we cannot transfer any of your personal data outside the EEA unless:

  • The EU Commission has decided that another country or international organisation ensures an adequate level of protection for your personal data; or
  • The transfer of your personal data is subject to appropriate safeguards, which may include:
  • Binding corporate rules; or
  • Standard data protection clauses adopted by the EU Commission.
  • One of the derogations in the GDPR applies (including if you explicitly consent to the proposed transfer).

We currently transfer personal data outside the EEA as:

  • We store personal data on cloud systems based in the EEA that have backup systems that may sometimes be located outside the EEA;
  • Some software providers (data processors) use cloud storage located outside the EEA

What are your rights?

The GDPR provides the following rights for individuals:

  • The right to be informed about how and why we use personal data;
  • The right of access to data we hold;
  • The right to have your data amended or corrected if it is inaccurate or incomplete;
  • The right to have data erased in certain circumstances;
  • The right to restrict processing in certain circumstances;
  • The right to data portability in certain circumstances;
  • The right to object to us processing data in certain circumstances;
  • Rights in relation to automated decision making and profiling;
  • The right to withdraw consent when we have explicitly sought consent to use data;
  • The right to lodge a complaint with a supervisory authority (Information Commissioner’s Office, please see below).

Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.

Subject access requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Trust holds about them.

If you make a subject access request, we will:

  • Provide you with the data you requested in an intelligible form;
  • Give you a description of it;
  • Tell you why we are holding and processing it, and how long we will keep it for;
  • Explain where we got it from, if not from you;
  • Tell you who it has been, or will be, shared with; and
  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this.

If you would like to make a subject access request please contact your line manager or academy Business Manager.

Your right to object

You have the right to object, at any time to the processing of your personal data which is necessary for the:

  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Purposes of the legitimate interests pursued by us or a third party, including profiling.

If you object to the processing set out above, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.

 For more information on your rights, please see the Information Commissioner’s Website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)

Breaches of data protection principles

 If you consider that the data protection principles have not been followed in respect of personal data about yourself or others, you should raise the matter with your line manager. Any breach of the GDPR will be taken seriously and may result in disciplinary action being taken.

Contact details

If you have any questions or concerns or would like more information about anything mentioned in this privacy notice, please contact your line manager or Academy Business Manager.

If you are unhappy with their response, you can contact the Trust’s Data Protection Officer:

Jim Gaff
Northern Education Trust
c/o Thorp Academy
Main Road
Ryton
Tyne and Wear
NE40 3AH

Telephone: 0191 406 6383

Email: [email protected]

You have the right to right to lodge a complaint with a supervisory authority.

Please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Website: https://ico.org.uk/concerns/

 

 

Last updated: 29 July 2020

 

 

 

All of Northern Education Trust's Primary Academies are rated as Good or Outstanding by Ofsted