The DPA law was passed in 1998, marking a big step forward in the way information about people is legally used and handled. The main purpose of the legislation was to protect individuals against misuse or abuse of information about them. This prevents companies, bodies or businesses selling or passing on information about their customers and staff.
Databases are easily accessed, searched and edited and with more and more organisations (including schools) storing information on computers to store and process personal information. With this comes the likelihood of this information ending up in the wrong hands, which is exactly why the DPA was introduced.
To put it simply, the GDPR is a new data protection regulation designed to strengthen and unify the safety and security of all data held within an organisation (including schools, academies and other educational establishments).
Article 5 of the GDPR requires that personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
"the controller shall be responsible for, and be able to demonstrate, compliance with the principles."
St Mary and St Joseph's Rc Primary School Privacy Notice
(How we use pupil information)
The categories of pupil information that we collect, hold and share include:
• Personal information (such as name, unique pupil number and address)
• Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
• Attendance information (such as sessions attended, number of absences and absence reasons)
• Assessment information
• Medical Information
• Special Educational Needs Information
• Exclusion/Behavioral information
Why we collect and use this information
We use the pupil data:
• to support pupil learning
• to monitor and report on pupil progress
• to provide appropriate pastoral care
• to assess the quality of our services
• to comply with the law regarding data sharing
The lawful basis on which we use this information
We collect and use pupil information under the following conditions contained within Article 6(1) of the GDPR:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(c) Legal obligation: the processing is necessary for you to comply with the law
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Where we process special category data we identify an additional processing condition within Article 9(2) of the GDPR:
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Storing pupil data
We hold pupil data for a specified period which is detailed in the School’s retention schedule which is contained within the IRMS’s Information Management Toolkit for Schools. A copy of the retention schedule is available on request from the School’s Data Protection Officer.
Who we share pupil information with
We routinely share pupil information with:
• schools that the pupil’s attend after leaving us
• our local authority
• the Department for Education
• National Health Service
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information about Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
• conducting research or analysis
• producing statistics
• providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested: and
• the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact St Mary and St Joseph’s RC Primary School 01254 698301 or firstname.lastname@example.org
You also have the right to:
• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact:
Mr Lee Gardiner
Data Protection Officer
Blackburn Town Hall (G Floor), Blackburn, BB1 7DY or