The categories of pupil information that we collect, hold and share include:
We use the pupil data:
Longlevens Infant School holds the legal right to collect and use personal data relating to pupils and their families, and we may also receive information regarding them from their previous school, LA and/or the DfE. We collect and use personal data in order to meet legal requirements and legitimate interests set out in the GDPR and UK law, including those in relation to the following:
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Pupil data is held securely by the school. For an overview of data retention please consult our Retention Schedule
We routinely share pupil information with:
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact the school on firstname.lastname@example.org or the Data protection officer, details at the end of this notice.
You also have the right to:
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact:
Gloucestershire County Council
School’s Data Protection Team
Information Management Service
West Gate Street
Longlevens Infant School is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA).
Changes to data protection legislation (GDPR May 2018) shall be monitored and implemented in order to remain compliant with all requirements.
The legal bases for processing data are as follows:
(a) Consent: the member of staff/student/parent/carer has given clear consent for the school to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for the member of staff’s employment contract or student placement contract.
(c) Legal obligation: the processing is necessary for Longlevens Infant School to comply with the law (not including contractual obligations)
All staff are responsible for data protection within our school and must treat all student information in a confidential manner and follow the guidelines as set out in this document.
We have appointed Gloucestershire County Council as our Data Protection Officer and they can be contacted on 01452 583619 or email@example.com
Longlevens Infant School is committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided by Gloucestershire County Council.
The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services within the school.
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
All data within the school’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
The definitions of personal and sensitive data shall be as those published by the ICO for guidance: The principles of the Data Protection Act shall be applied to all data processed: Key definitions of the Data Protection Act | ICO
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents/carers and pupils prior to the processing of an individual’s data.
Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.
There may be circumstances where the school is required either by law or in the best interests of our students or staff to pass information on to external authorities, for example local authorities, Ofsted, or the Department of Health. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.
The intention to share data relating to individuals to an organisation outside of our school shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.
Any proposed change to the processing of individual’s data shall first be notified to
them. Under no circumstances will the school disclose information or data:
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them. Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance. The security arrangements of any organisation with which data is shared shall also be considered and where required these organisations shall provide evidence of the competence in the security of shared data.
All individuals whose data is held by us, has a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to:
Kerry Cunningham, Longlevens Infant School, Paygrove Lane, Longlevens, Gloucester GL2 0AX
No charge will be applied to process the request.
Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child. Data may be disclosed to the following third parties without consent:
• Other schools
If a pupil transfers from Longlevens Infant School to another school, their academic records and other data that relates to their health and welfare will be forwarded onto the new school. This will support a smooth transition from one school to the next and ensure that the child is provided for as is necessary. It will aid continuation which should ensure that there is minimal impact on the child’s academic progress as a result of the move.
• Examination authorities
This may be for registration purposes, to allow the pupils at our school to sit examinations set by external exam bodies.
• Health authorities
As obliged under health legislation, the school may pass on information regarding the health of children in the school to monitor and avoid the spread of contagious diseases in the interest of public health.
• Police and courts
If a situation arises where a criminal investigation is being carried out we may have to forward information on to the police to aid their investigation. We will pass information onto courts as and when it is ordered.
• Social workers and support agencies
In order to protect or maintain the welfare of our pupils, and in cases of child abuse, it may be necessary to pass personal data on to social workers or support agencies.
• Educational division
Schools may be required to pass data on in order to help the government to monitor the national educational system and enforce laws relating to education.
• Right to be Forgotten
Where any personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by the school including any data held by contracted processors.
Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school only. Unless prior consent from parents/carers/pupils/staff has been given, the school shall not utilise such images for publication or communication to external sources. It is the school’s policy that external parties (including parents/carers) may not capture images of staff or pupils during such activities without prior consent.
Hard copy data, records and personal information are stored out of sight and in a locked cupboard or office. The only exception to this is medical information that may require immediate access during the school day. This will be stored with the school medical officer.
Sensitive or personal information and data should not be removed from the school site, however the school acknowledges that some staff may need to transport data between the school and their home in order to access it for work in the evenings and at weekends. This may also apply in cases where staff have offsite meetings, or are on school visits with pupils.
The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:
These guidelines are clearly communicated to all school staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk. All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process. Disposal of IT assets holding data shall be in compliance with ICO guidance:
The school has identified a qualified source for disposal of IT assets and collections.
The school also uses Printwaste to dispose of sensitive data that is no longer required.