Updated privacy notice

Privacy Notice for Porthcawl Comprehensive School

The pdf version of this document will be added to the website in SCHOOL INFORMATION, Privacy Notices this week.

Porthcawl Comprehensive School is committed to protecting the privacy and security of personal information. This privacy notice describes how we collect and use personal information about pupils, in accordance with the General Data Protection Regulation (GDPR), section 537A of the Education Act 1996 and section 83 of the Children Act 1989.

Who Collects This Information?

Porthcawl Comprehensive School is a ’’data controller.’’ This means that we are responsible for deciding how we hold and use personal information about pupils and parents.
The Categories Of Pupil Information That We Collect, Process, Hold And Share
We may collect, store and use the following categories of personal information about you: –

• Personal information such as name, pupil number, date of birth, gender and contact information;
• Emergency contact and family lifestyle information such as names, relationship, phone numbers and email addresses;
• Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility);
• The pupil’s level of fluency in the Welsh language and how this has been assessed/provided;
• Attendance details (such as sessions attended, number of absences and reasons for absence);
• Financial information;
• Performance and assessment information (educational attainment and assessments);
• Behavioural information (including exclusions);
• Additional learning needs information;
• Relevant medical information (such as allergies);
• Special categories of personal data (including ethnicity, relevant medical disability status, if the pupil is in the care of the local authority, if the pupil is receiving support from other agencies);
• Images of pupils engaging in school activities, and images captured by the School’s CCTV system;
• Information about the use of our IT, communications and other systems, and other monitoring information;
• Counselling information/records;
• School history; and
  Registration status and full time or part time status

Collecting This Information

Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

How We Use Your Personal Information

We hold pupil data and use it for: –

• Providing education services and extra-curricular activities to pupils, and monitoring pupils’ progress and educational needs;
• Informing decisions such as the funding of schools;
• Assessing performance and to set targets for schools;
• Safeguarding pupils’ welfare and providing appropriate pastoral (and where necessary medical) care;
• Support teaching and learning;
• Giving and receive information and references about past, current and prospective pupils, and to provide references to potential employers of past pupils;
• Managing internal policy and procedure;
• Enabling pupils to take part in assessments, to publish the results of examinations and to record pupil achievements;
• To carry out statistical analysis for diversity purposes;
• Legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with legal obligations and duties of care;
• Enabling relevant authorities to monitor the school’s performance and to intervene or assist with incidents as appropriate;
• Monitoring use of the school’s IT and communications systems in accordance with the school’s IT policy;
• Making use of photographic images of pupils in school publications, on the school website and on social media channels;
• Security purposes, including CCTV; and
• Where otherwise reasonably necessary for the school’s purposes, including to obtain appropriate professional advice and insurance for the school; and
• To confirm the identity of prospective pupils and their parents
• The Lawful Basis On Which We Use This Information

We will only use your information when the law allows us to. Most commonly, we will use your information in the following circumstances:

• Consent: the individual has given clear consent to process their personal data for a specific purpose;
• Contract: the processing is necessary for a contract with the individual;
• Legal obligation: the processing is necessary to comply with the law (not including contractual obli672-gations);

Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law; and
The Education Act 1996
We need all the categories of information in the list above primarily to allow us to comply with legal obligations. Please note that we may process information without knowledge or consent, where this is require or permitted by law.

Sharing Data

We may need to share your data with third parties where it is necessary. There are strict controls on who can see your information. We will not share your data if you have advised us that you do not want it shared unless it’s the only way we can make sure you stay safe and healthy or we are legally required to do so.
We share pupil information with: –

• Welsh Government and agencies acting on its behalf;
• Estyn;
• Other Schools/Settings that pupils have attended/will attend;
• Health providers and other statutory agencies;
• Law enforcement officials such as police, HMRC;
• Professional advisors such as lawyers and consultants;
• Support services (including insurance, IT support, information security);
• The Local Authority (Bridgend County Borough Council);
• The Central South Consortium (this is the regional education consortium)
• Careers Wales
• Examination boards
• The Department for Education
• UCAS (Universities and Colleges Admissions Service)
• ALPS (allkemygold Ltd)
• Unifrog
• Edufocus Ltd (EVOLVE)
• FFT Education Ltd
• Capita SIMS
• Student Loans Company (EMA)
• Google for Education

Information will be provided to those agencies securely or anonymised where possible.
The recipient of the information will be bound by confidentiality obligations, we require them to respect the security of your data and to treat it in accordance with the law.

Why We Share This Information

We do not share information about our pupils with anyone without consent unless otherwise required by law.
For example, we share students’ data with the Welsh Government and the Local Authority on a statutory basis which underpins school funding and educational attainment.

Storing Pupil Data

The School keep information about pupils on computer systems and sometimes on paper.
Except as required by law, the School only retains information about pupils for as long as necessary in accordance with timeframes imposed by law and our internal policy. Full details on how long we keep personal data for is set out in our data retention policy.

Security

We have put in place measures to protect the security of your information (i.e. against it being accidentally lost, used or accessed in an unauthorised way).

Requesting Access To Your Personal Data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s education record, contact the Headteacher.

You also have the right to: –

• Object to processing of personal data that is likely to cause, or is causing, damage or distress;
• Prevent processing for the purposes of direct marketing;
• Object to decisions being taken by automated means;
• In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• Claim compensation for damages caused by a breach of the data protection regulations.

If you want to exercise any of the above rights, please contact the Headteacher in writing.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right To Withdraw Consent

In circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Headteacher. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Contact

If you would like to discuss anything within this privacy notice or have a concern about the way we are collecting or using your personal data, we request that you raise your concern with the Headteacher in the first instance.

We have appointed a data protection officer (DPO) to oversee compliance with data protection and this privacy notice. If you have any questions about how we handle your personal information which cannot be resolved by the Headteacher then you can contact the DPO on the details below: –

Data Protection Officer: Judicium Consulting Limited
Address: 72 Cannon Street, London, EC4N 6AE
Email: [email protected]
Web: www.judiciumeducation.co.uk
Lead Contact: Craig Stilwell

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues at https://ico.org.uk/concerns.

Changes To This Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Privacy Notice Addendum For Collecting Medical Data during Coronavirus

The law on protecting personally identifiable information, known as the General Data Protection Regulation (GDPR), allows us to use the personal information collected from staff/parents/carers and pupils. This includes special category data such as medical data.

Due to this pandemic, we may need to ask for data that you have not previously supplied. This data will be collected for, and on behalf of the school to allow appropriate decisions to be made regarding assessing ability to return to school and ensure that appropriate measures are put in place to allow for this safe return.

We additionally may need to collect data about individuals that you reside with in order to factor in appropriate considerations for their wellbeing.

All data collected by the school will be processed in accordance with our retention, destruction, data protection and data security policies.

The legal bases for using your data in these circumstances will be either (a) with your consent, (b) where it is necessary to process this data for the ’vital interests’ of yourself or another person, (c) for the reasons of substantial public interest, (d) where it is necessary to assess the working capacity of an employee or (e) where is it in the interests of public health.
In the current pandemic, we may need to share select data with others. This can be with the NHS and emergency services, public authorities as well as other stakeholders. This will only be done where it is necessary and proportionate for us to do so.