Privacy Notice for Pupils, Families and Carers

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) came into force on 25 May 2018. Data protection laws are designed to keep people’s personal information safe. Your personal privacy is of great importance to us.

Northern Education Trust c/o Thorp Academy, Main Road, Ryton, Tyne and Wear, NE40 3AH (the “Trust“) will process personal data (which may be held on paper, electronically or otherwise) about our students and their parents / guardians and we recognize the need to treat it in an appropriate and lawful manner, in accordance with the General Data Protection Regulation (“GDPR“) and the Data Protection Act 2018 (the “DPA“).

The Trust is the controller of the personal information you provide to it. This means the Trust determines how and why personal data relating to children and their families are collected and used.

Where we outsource data to a third-party processor, the same data protection standards that the Trust upholds are imposed on the processor.

This privacy notice sets out, amongst other things:

• What information we collect;
• Why we collect it;
• Who we share it with;
• How long we keep it for;
• What your rights are;
• Who to contact if you need more information or have concerns.

We reserve the right to amend this Privacy Notice at any time. Any amended versions of this Privacy Notice will be published on our website at https://www.northerneducationtrust.org/information/privacy-statement/ and we advise that you check this webpage periodically for any updated versions of this Privacy Notice.

What data do we collect?

The categories of personal information that the Trust collects, holds and shares includes, but is not limited to, the following:

• Personal information, including names, addresses, dates of birth;
• Characteristics, including ethnicity, language, nationality, country of birth and free school meal eligibility;
• Attendance information – number of absences and absence reasons;
• Assessment information – based on National Curriculum and informal test results and teacher assessments;
• Relevant medical information;
• Information relating to special educational needs and disabilities (SEND);
• Behavioural and effort information – including the full range instances from outstanding to unacceptable;
• Photographs for use within the academy, including photographs of individual students used for identification and safeguarding and photographs of activities for use in educational progress monitoring on internal displays;
• Video using closed circuit television (CCTV) captured from cameras mounted around the academy and used only for the purpose of site security and safeguarding children.

We may also hold data about students that we have received from other organisations, including other schools, local authorities and the Department for Education (“DfE”).

Whilst the majority of the personal data provided to the Trust is mandatory, some is provided on a voluntary basis. When we are collecting personal data, you will be informed if you are required to provide this data or if your consent is needed.

Where consent is required, the Trust will provide you with specific and explicit information with regards to the reasons why the data is being collected and how the data will be used.

Special category personal data

We may also collect, store and use information about you that is classed as special category personal data. This includes information about a person’s:

• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Genetic data (such as data relating to the inherited or acquired genetic characteristics of an individual);
• Biometric data (for the purpose of uniquely identifying an individual);
• Data concerning an individual’s health (including physical and mental health, medical conditions and sickness absence);
• Sex life or sexual orientation.

Criminal data is not included within the definition of special categories of data but we will process criminal data using the same safeguards we operate in respect of special categories of data.

We will only process special category personal data where a relevant processing condition is met. Usually this will mean that an individual has given explicit consent, the processing is necessary for medical and/or health purposes, for compliance with our obligations in the field of employment, social security or social protection law, necessary for scientific, research or statistical purposes or that the processing is necessary to protect the vital interests of a student or their family (where a person is physically or legally incapable of giving consent).

We will tell you when we need consent and will provide more information. If you give us consent, you can withdraw it at any time by getting in touch with us.

Ensuring your personal data is accurate

We will keep the personal data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. We will contact you periodically to check your details are still up to date.

Why do we collect it?

The Trust collects and uses personal data relating to students and their families, and we may also receive information regarding them from their previous school, local authorities and/or the DfE.

The personal data of students and their families is collected and used for reasons including:

• To support student learning;
• To monitor and report on student progress;
• To provide appropriate pastoral care;
• To safeguard children;
• To protect student and staff welfare;
• To assess the quality of our services;
• To administer admissions waiting lists;
• To comply with the law regarding collection and sharing of data;
• To undertake research in order to improve educational services.

If we are not provided with certain personal data, there may be consequences including:

• Academies’ inability to take students on roll and maintain a registers;
• Students not being eligible to take statutory tests or public examinations;
• The Trust failing to comply with its statutory recording and reporting obligations.

While the majority of information we collect about students is mandatory, there is some information that can be provided voluntarily.

Whenever we seek to collect information from you or your child, we make it clear whether providing it is mandatory or optional. If it is mandatory, we will explain the possible consequences of not complying.

Our lawful basis for processing your personal data

We only collect and use students’ and their family’s personal data when the law allows us to. Most commonly, we process it where:

• We need to comply with a legal obligation; or
• We need it to perform an official task in the public interest.

Less commonly, we may also process students’ or their family’s personal data in situations where:

• We have obtained consent to use it in a certain way.
• We or someone else has a legitimate interest to use the personal data where the use falls outside our official task
• We need to protect the individual’s vital interests (or someone else’s interests).

Where we have obtained consent to use students’ or their family’s personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and we will explain how consent can be withdrawn.

Some of the reasons listed above for collecting and using students’ or their family’s personal data overlap, and there may be several grounds which justify our use of this data.

Profiling and automated processing

The processing of personal data may include profiling, particularly to analyse a student’s performance at school. Examples of profiling may include the use of national data to help set targets for attainment and progress. Such data will be reviewed by teachers periodically.

We may also use profiling particularly to monitor student health and wellbeing and to ensure compliance with the Trust’s IT Acceptable Use policy. Examples of profiling may include the monitoring and analysis of:

• Emails sent and received using a Trust email account (including the patterns of use of emails and their content);
• Websites visited whilst using Trust IT;
• Analysis of keystroke data for safeguarding purposes.

How do we store your data?

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction or deletion. We will only transfer personal data to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

Who do we share data with?

We will not share information about our students (or their families) with anyone without consent unless the law and our policies allow us to do this.

The Trust is required to share data with the Department for Education. This includes personal and special category data relating to all students in academies, including their characteristics, attendance and exclusions information. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

The National Student Database (NPD) is owned and managed by the Department for Education and contains information about students in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is collected securely from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our students to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Students) (England) Regulations 2013.

To find out more about the NPD, go to:

https://www.gov.uk/government/publications/national-pupil-database-user-guide-andsupporting-information

For more information about the Department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided student information, (and for which project), please visit: https://www.gov.uk/government/publications/national-pupil-database-requests-received

In order to meet statutory requirements around appropriate education provision, and to fulfil safeguarding requirements, we share information with Local Authorities about school history and the latest known student and parent address and contact details in the event of a Child Missing Education or becoming Electively Home Educated. This information also supports the in-year school admissions process.

Once students reach the age of 13, the academy is required by law to share some information with the Local Authority and / or their nominated provider for provider of youth support services, as they have responsibilities in relation to the education or training of 13-19 year olds under section 72 of the Education and Skills Act 2008. This enables them to provide services youth support services, information about post-16 education and training providers and careers advice.

A parent or guardian can request that only their child’s name, address and date of birth is passed to their Local Authority or provider of youth support services by informing us. This right is transferred to the child / student once he/she reaches the age 16. We will also share certain information about students aged 16+ with the Local Authority and/ or nominated provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 72 of the Education and Skills Act 2008.

This enables them to provide services as follows:

• Post-16 education and training providers
• Youth support services
• Careers advisers

A child / student once they reach the age of 16 can request that only their name, address and date of birth is passed to their Local Authority or provider of youth support services by informing us.

For more information about services for young people, please visit your Local Authority website.

We may share personal details of students with health professionals who deliver services within academies, such as school nurses.

We may share personal details of students, parents and carers with research organisations. These may be universities, colleges, charities or companies involved in educational research in this country or abroad. The information we share will be specific to the type of research being undertaken. We will usually contact you to check whether or not you want to be involved in the research. The information provided will only be used by these organisations and researchers to conduct research. Where we share information for research purposes we will take every step to ensure your data is protected including by pseudonymising or anonymising data where possible. Where research is published, it will contain no identifiable information unless your express consent was obtained.

We sometimes need to share information with other organisations that provide systems for managing data and information within the Trust. Where this is the case, those organisations will act as data processors on behalf of the Trust and they will need to comply with all current data protection legislation to keep information safe.

We may need to share information when we are involved in transactions regarding the acquisition or disposal of schools from the Trust or if all or part of the assets of the Trust are acquired by a third party (such as another trust, the DfE or a Local Authority), in which case the personal data held by us may be one of the transferred assets.

If personal data about students, students or parents is provided to any third parties, you are entitled to request details of the recipients of that personal data or the categories of recipients of that personal data.

How long will we keep information for?

We keep information electronically and in paper format. We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that data will be destroyed or erased from our systems when it is no longer required.

For students in secondary academies, we hold education records for students securely and retain them until they reach the age of 25, after which they are safely destroyed.

For students in primary academies, we hold education records for students securely until they change school. Their records will then be transferred to their new school, where they will be retained either until the student subsequently changes school or until students reach the age of 25, after which they are safely destroyed.

Personal data of students’ family, guardians and carers will be held with student records and safely destroyed when the students’ records are safely destroyed.

The Trust’s Record Management and Retention policy provides further information.

Transferring data internationally

We will not transfer personal data outside the European Economic Area (“EEA“) unless such transfer is compliant with the GDPR. This means that we cannot transfer any personal data outside the EEA unless:

• The EU Commission has decided that another country or international organisation ensures an adequate level of protection for personal data; or
• The transfer of personal data is subject to appropriate safeguards, which may include:
  • Binding corporate rules; or
  • Standard data protection clauses adopted by the EU Commission.
• One of the derogations in the GDPR applies (including if an individual explicitly consent to the proposed transfer).

We currently transfer personal data outside the EEA as:

• We store personal data on cloud systems based in the EEA that have backup systems that may sometimes be located outside the EEA;
• Some software providers (data processors) use cloud storage located outside the EEA

What are your rights?

The GDPR provides the following rights for individuals:

• The right to be informed about how and why we use personal data;
• The right of access to data we hold;
• The right to have your data amended or corrected if it is inaccurate or incomplete;
• The right to have data erased in certain circumstances;
• The right to restrict processing in certain circumstances;
• The right to data portability in certain circumstances;
• The right to object to us processing data in certain circumstances;
• Rights in relation to automated decision making and profiling;
• The right to withdraw consent when we have explicitly sought consent to use data;
• The right to lodge a complaint with a supervisory authority (Information Commissioner’s Office, please see below).

Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.

Subject access requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Trust holds about them.

Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent to the parents making a subject access request on their behalf.

Parents also have the right to make a subject access request with respect to any personal data the Trust holds about them.

If you make a subject access request, and if we do hold information about you or your child, we will:

• Give you a copy of the information in an intelligible form;
• Give you a description of it;
• Tell you why we are holding and processing it, and how long we will keep it for;
• Explain where we got it from, if not from you or your child;
• Tell you who it has been, or will be, shared with; and
• Let you know whether any automated decision-making is being applied to the data, and any consequences of this.

If you would like to make a subject access request please contact your child’s academy Business Manager.

Your right to object

You have the right to object, at any time to the processing of your personal data which is necessary for the:

• Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Purposes of the legitimate interests pursued by us or a third party, including profiling and research

If you object to the processing set out above, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.

For more information on your rights, please see the Information Commissioner’s Website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulationgdpr/individual-rights/)

Contact details

If you have any questions or concerns relating how we collect and use your information, please contact the Business Manager at your child’s academy.

If you are unhappy with the response from your child’s academy, you can contact the Trust’s Data Protection Officer:

Jim Gaff
Northern Education Trust
c/o Thorp Academy
Main Road
Ryton
Tyne and Wear
NE40 3AH

Telephone: 0191 406 6383
Email: [email protected]

You have the right to right to lodge a complaint with a supervisory authority. Please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Website: https://ico.org.uk/concerns/

Last updated: 29th July 2020