Privacy Statement for Students, Families and Carers

The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) came into force on 25 May 2018. They are new data protection laws designed to keep people’s personal information safe.

Our Academy is part of Northern Education Trust (the Trust) and the Trust is the data controller of the personal information you provide. This means the Trust determines how and why it collects and uses personal data relating to children and their families

Under the new law, we must tell you:

• What information we collect
• Why we collect it
• Who we share it with
• How long we keep it for
• What your rights are
• Who to contact if you need more information or have concerns

What information do we collect?

The categories of personal information that the Academy collects include the following:

• Personal information, including name, address, date of birth
• Characteristics, including ethnicity, language, nationality, country of birth and free school meal eligibility
• Attendance information
• Assessment information based on National Curriculum and informal test results and teacher assessments
• Relevant medical information
• Information relating to special educational needs and disabilities (SEND)
• Behaviour and effort information
• Photographs for use within the Academy, including photographs of individual students used for identification and safeguarding and photographs of activities for use in educational progress monitoring on internal displays
• Video using closed circuit television (CCTV cameras) captured from cameras mounted around the Academy and used only for the purpose of site security and safeguarding children

Why do we collect it?

• The law requires us to collect personal information relating to children and their families. We do this using information:
• From the local authority and taken from the application you made for a school place,
• From previous schools,
• From the Department for Education (DfE), or
• Given to us directly by you

We also collect information to perform the public task of running our academies.

The law also requires us to collect special categories of data. Examples include:

• Racial or ethnic origin,
• Political opinions,
• Religious or philosophical beliefs,
• Biometric data (for the purpose of uniquely identifying someone),
• Data concerning an individual’s health,
• Sex life or sexual orientation.

We will only process special category personal data if:

• We have to by law,
• We need it for medical or health purposes, or
• You have given us consent.

Sometimes we need your consent to collect and use personal information. We will tell you when we need consent and will provide more information. If you give us consent, you can withdraw it at any time by getting in touch with us.

We collect information about children and their families to:

• Support student learning,
• Monitor and report on student progress,
• Provide appropriate pastoral care,
• Assess the quality of our service,
• Comply with the law regarding data sharing,
• Protect student welfare, and
• Safeguard children.

CCTV

Our academies use Closed Circuit Television cameras for monitoring our premises and supporting student behavioural policies. There are visible signs showing that CCTV is in operation and images from this system are securely stored where only a limited number of authorised persons may have access to them. We may be required to disclose CCTV images to authorised third parties such as the police to assist with crime prevention or at the behest of a court order.

Biometric data

We sometimes use biometric information to provide cashless catering, library lending and access to photocopiers. Where these systems are in place, we use information taken from fingerprints to identify service users. We need your consent to use biometric information, which we ask for when students join the Academy. If you do not give us consent, we will find other ways for students to access these services.

Who do we share data with?

The Trust must share data with the Department for Education by law. This includes personal and special category data relating to all students in academies, including their characteristics, attendance and exclusions information. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

The National Pupil Database (NPD) is owned and managed by the Department for Education and contains information about students in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is collected securely from a range of sources including schools, local authorities and awarding bodies.

The law requires us to provide information about our students to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

For more information about the Department’s data sharing process, please visit:

https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the Department has provided student information, (and for which project), please visit: https://www.gov.uk/government/publications/national-pupil-database-requests-received

In order to meet statutory requirements around appropriate education provision, and to fulfil safeguarding requirements, we share information with Local Authorities about school history and the latest known student and parent address and contact details in the event of a Child Missing Education or becoming Electively Home Educated. This information also supports the in-year school admissions process.

Once students reach the age of 13, the law requires the Academy to share some information with the Local Authority or their nominated provider of youth support services. This enables youth services to provide information about post-16 education and training providers and careers advice, which they are required to do under section 507B of the Education Act 1996.

A parent or guardian can ask us to share only their child’s name, address and date of birth with their local authority or provider of youth support services. This right is transferred to the child / student once he/she reaches the age 13. For more information about services for young people, please visit your Local Authority website.

We may share personal details of students with health professionals who deliver services within academies, such as school nurses.

We sometimes need to share information with other organisations that provide systems for managing data and information within Academies. Where this is the case, those organisations will act as Data Processors on behalf of Northern Education Trust and they will need to comply with all current Data Protection legislation to keep information safe.

How long will we keep information for?

We keep information on computer systems and paper files. We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that we will destroy or erase data from our systems when it is no longer required.

We hold education records for students securely and retain them until they reach the age of 25, after which they are safely destroyed.

What are your rights?

The GDPR provides the following rights for individuals:

• The right to be informed about how and why we use personal data
• The right of access to data we hold
• The right to have your data amended or corrected if it is inaccurate or incomplete
• The right to have data erased in certain circumstances
• The right to restrict processing in certain circumstances
• The right to data portability in certain circumstances
• The right to object to us processing data in certain circumstances
• Rights in relation to automated decision making and profiling
• The right to withdraw consent when we have explicitly sought consent to use data
• The right to lodge a complaint with a supervisory authority (Information Commissioner’s Office, please see below)

Subject access requests

You have a right to make a subject access request to gain access to personal information that the Trust holds about you. Parents, carers or children aged 13 or older can make a request. If a parent of a child over the age of 13 asks to see their child’s information, we may also need the consent of the child.

If you make a subject access request, we will:

• Tell you if we hold information,
• Tell you why we are holding and processing it, and how long we will keep it for,
• Explain where we got it from
• Tell you who it has been, or will be, shared with,
• Let you know whether any automated decision-making is being applied to the data, and any consequences of this
• Give you a copy of the information

If you would like to make a subject access request please get in touch using details in the contact details section of this notice below.

Profiling and automated processing

We may use profiling, which is an automated process to evaluate certain things about individuals. Examples of profiling include:

• Information used to set targets for students. We use software to help us understand how similar students might perform in future based on the performance of children with similar ability nationally. Teachers use the information to set challenging but realistic targets for students.
• The monitoring and analysis of emails sent and received using Academy email accounts and analysis of websites visited using Academy computers. We use software to log information and to alert Academy staff about access to inappropriate websites or emails sent with inappropriate content.

Transferring data internationally

We will not transfer personal data outside the European Economic Area (EEA) unless such transfer complies with the GDPR. This means that we cannot transfer any personal data outside the EEA unless:

• The EU Commission has decided that another country or international organisation ensures an adequate level of protection for personal data; or
• The transfer of personal data is subject to appropriate safeguards, which may include:
  • Binding corporate rules; or
  • Standard data protection clauses adopted by the EU Commission.
• One of the derogations in the GDPR applies (including if an individual explicitly consents to the proposed transfer).

We currently transfer personal data outside the EEA as some personal data is stored on cloud systems, the servers for which are based outside the EEA

What are your rights?

The GDPR provides the following rights for individuals:

• The right to be informed about how and why we use personal data
• The right of access to data we hold
• The right to have your data amended or corrected if it is inaccurate or incomplete
• The right to have data erased in certain circumstances
• The right to restrict processing in certain circumstances
• The right to data portability in certain circumstances
• The right to object to us processing data in certain circumstances
• Rights in relation to automated decision making and profiling
• The right to withdraw consent when we have explicitly sought consent to use data
• The right to lodge a complaint with a supervisory authority (Information Commissioner’s Office, please see below).

Subject access requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Trust holds about them. Parents, carers or children aged 13 or older can make a request. If the parent or carer of a child over 13 makes a request, we may need the consent of the child before we can respond.

If you make a subject access request we will:

• Tell you what information we hold,
• Tell you why we are holding and processing it, and how long we will keep it for,
• Explain where we got it from,
• Tell you who it has been, or will be, shared with,
• Let you know whether any automated decision-making is being applied to the data,
• Give you a copy of the information.

If you would like to make a subject access request please get in touch using details in the contact details section of this notice below.

Your right to object

You have the right to object at any time to the processing of your personal data which is necessary for:

• The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• The purposes of the legitimate interests pursued by us or a third party, including profiling.

If you object to the processing set out above, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds to continue.

For more information on your rights, please see the Information Commissioner’s Website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)

Contact details

If you have any questions or concerns relating to how we collect and use your information, please contact us.

If you are unhappy with our response, you can contact Northern Education Trust’s Data Protection Officer:

Jim Gaff
Northern Education Trust
Cobalt Business Exchange Central, Unit 5, Silver Fox Way, Cobalt Business Park
Newcastle upon Tyne
NE27 0QJ

[email protected]

+44 (0)191 594 5070

You have the right to lodge a complaint with a supervisory authority. Please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Website: https://ico.org.uk/concerns/