Privacy Notice for Parents and Carers
Gilbert Inglefield Academy is required by law to collect and process data and information about parents / carers of our pupils so that we can operate effectively as a school. This privacy notice explains how and why we collect parent / carer data, what we do with it and what rights parents have.
This privacy notice provides you with information about how we collect and process personal data of our pupils and their parents/carers in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are or were married, whether a father is named on a birth certificate or has parental responsibility for the pupil, with whom the pupil lives or whether the pupil has contact with that parent), and also includes non-parents who have parental responsibility for the pupil, or with whom the pupil lives. It is therefore possible for a pupil to have several “parents” for the purposes of education law. This privacy notice also covers other members of pupils’ families who we may process data about from time to time, including, for example, siblings, aunts and uncles and grandparents.
Privacy Notice (How we use parent / carer information)
We are a middle school and an academy.
Our registered name is Gilbert Inglefield Academy Trust.
Please contact our data protection lead at dpo@gilbertinglefield.org.
Our data protection officer is:
HFL Education
Bank House,
Ground Floor - North Wing,
Primett Road,
Stevenage,
Hertfordshire SG1 3EE
Tel: 01438 544464
Why do we collect and use parent / carer information?
We collect and use parent / carer information under the following lawful bases under the UK GDPR:
- where we have the consent of the data subject (Article 6 (a));
- where it is necessary for compliance with a legal obligation (Article 6 (c));
- where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e));
- where processing is necessary for our legitimate interests or the legitimate interests of a third party (Article 6 (f)).
Where the personal data we collect about parents / carers is sensitive (i.e. special category) personal data, we will only process it where:
- we have explicit consent (Article 9 (2)(a));
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9 (2)(c)); and / or
- processing is necessary for reasons of substantial public interest, and is authorised by UK law (see section 10 of the 2018 Data Protection Act) (Article 9 (2)(g)).
Please see the Glossary at the end of this privacy notice for definitions of key terms.
We use the parent / carer data to support our functions of running a school, including but not limited to:
- to decide who to admit to the school;
- to maintain a waiting list;
- to support pupil learning;
- to monitor and report on pupil progress;
- to provide appropriate pastoral care;
- to assess the quality of our services;
- to comply with the law regarding data sharing;
- for the protection and welfare of pupils and others in the school, including our safeguarding / child protection obligations;
- for the safe and orderly running of the school;
- to promote the school;
- to send you communications that may be of interest to you, and which may include information about school events or activities, news, campaigns, appeals, other fundraising activities;
- in order to respond to investigations from our regulators or to respond to complaints raised by our stakeholders;
- in connection with any legal proceedings threatened or commenced against the school.
The categories of parent / carer information that we collect, hold and share include, but are not limited to:
- Personal information (such as name, address, telephone number and email address);
- Information relating to your identity, marital status, employment status, religion, ethnicity, language, medical conditions and free school meal / pupil premium eligibility / entitlement to certain benefits, information about court orders in place affecting parenting arrangements for pupils;
- Child protection/safeguarding information
From time to time and in certain circumstances, we might also process personal data about parents / carers, some of which might be sensitive personal data, information about criminal proceedings / convictions or information about child protection / safeguarding. This information is not routinely collected about parents / carers and is only likely to be processed by the school in specific circumstances relating to particular pupils, for example, if a child protection issue arises or if a parent / carer is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
We collect information about parents / carers before pupils join the school and update it during pupils’ time on the roll as and when new information is acquired.
Collecting parent / carer information
Whilst the majority of information about parents / carers provided to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the UK GDPR, we will inform you whether you are required to provide certain parent / carer information to us or if you have a choice in this. Where appropriate, we will ask parents / carers for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to ask your permission to use your information for marketing purposes or to request voluntary contributions. Parents / carers may withdraw consent given in these circumstances at any time.
In addition, the School also uses CCTV cameras around the school site for security purposes and for the protection of staff and pupils. CCTV footage may be referred to during the course of disciplinary procedures (for staff or pupils) or to investigate other issues. CCTV footage involving parents / carers will only be processed to the extent that it is lawful to do so. Please see our CCTV policy.
Storing parent / carer data
We hold your data securely and have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. Access to information is limited to those who have a business need to know it and who are subject to a duty of confidentiality. A significant amount of personal data is stored electronically, for example, on our MIS database. Some information may also be stored in hard copy format.
Data stored electronically may be saved on a cloud based system which may be hosted in a different country.
Personal data may be transferred to other countries if, for example, we are arranging a school trip to a different country. Appropriate steps will be taken to keep the data secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach involving your data where we are legally required to do so.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. Details of retention periods for different aspects of your personal information are available in our data retention policy. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a parent / carer we will retain and securely destroy your personal information in accordance with our data retention policy.
Who do we share parent / carer information with?
We do not share information about our pupils or parents/carers with anyone without consent unless the law and our policies allow us to do so. Notwithstanding this, we routinely share parent / carer information with:
- schools that pupils attend after leaving us;
From time to time, we may also share parent / carer information with other third parties including, but not limited to, the following:
- our local authority
- a pupil’s home local authority (if different);
- the Department for Education (DfE);
- school governors / trustees;
- the Police and law enforcement agencies;
- NHS health professionals including the school nurse, educational psychologists;
- Education Welfare Officers;
- Courts, if ordered to do so;
- the Teaching Regulation Authority;
- Prevent teams in accordance with the Prevent Duty on schools;
- other schools, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
- our legal advisors;
- our insurance providers / the Risk Protection Arrangement;
- other third parties we may engage the services of for the purpose of providing a public task or the administration of the school, for example our safeguarding monitoring software, our management information system provider;
- NHS
Some of the organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.
We may also share your data with a number of providers of software tools which may be used to: support pupil learning; monitor and report on pupil attainment and progress; deliver the educational curriculum; ensure the safety and wellbeing of pupils; communicate with parents; or to carry out other operational processes to support our core activities as a public authority, under Article 6(e) of the UK GDPR. These providers act as data processors on our behalf, and are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow them to use your personal data for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will share your personal information with third parties where required by law, in connection with legal proceedings, where it is needed in the public interest or for official purposes or where we have your consent. In the event that we share personal data about parents/carers with third parties or data processors, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. Where necessary, we will carry out a Data Protection Impact Assessment (DPIA) to assess any risks involved.
Where we store personal information
The personal information that we collect is stored within the UK and European Economic Area (EEA). However, there may be some circumstances where it is necessary to transfer and store personal information at a destination outside the UK or the EEA. In these circumstances, we will take all steps reasonably necessary to ensure that personal information is treated securely and in accordance with data protection law and, in the event that personal information is transferred outside the UK or the EEA, shall ensure that this is carried out subject to the requirements of the UK GDPR.
Requesting access to your personal data
Under data protection legislation, parents / carers have the right to request access to information about them that we hold (“Subject Access Request”). To make a request for your personal data contact dpo@gilbertinglefield.org.
The legal timescale for the School to respond to a Subject Access Request is one calendar month. As the School has limited staff resources outside of term time, we encourage parents / carers to submit Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see our Subject Access Request Policy.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed;
- restrict our processing of personal data in certain circumstances; and
- claim compensation for damages caused by a breach of our data protection responsibilities.
We will always seek to comply with any requests regarding your rights; however, please note that we may still be required to hold or use your information to comply with our legal obligations.
For further information about your rights, including the circumstances in which they apply, see the guidance from the Information Commissioner’s Office (ICO) on individuals’ rights under the UK GDPR.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact dpo@gilbertinglefield.org in writing. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Data Protection Officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact our data protection lead at dpo@gilbertinglefield.org in the first instance. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
If you have a concern about the way we are collecting or using your personal data we request that you raise your concern with us in the first instance.
Alternatively, you can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Glossary of Terms
| Term | Definition |
| --- | --- |
| Biometric Data | Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics which allow or confirm the unique identification of that person, such as fingerprints. |
| Consent | Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them. |
| Data Controller | Exercises overall control over the purposes and means of the Processing of personal data. |
| Data Processor | Acts on behalf of, and only on the instructions of, the relevant Controller. |
| Data Protection Officer (DPO) | Monitors internal compliance of an organisation, informs and advises on data protection obligations. |
| Data Subject | Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data. |
| Data User | Data Users include employees, volunteers, governors whose work involves using Personal Data. |
| Information Commissioner’s Office (ICO) | Independent public body responsible for ensuring compliance with the UK’s data protection regulations by providing guidance, investigating breaches of the regulations and dealing with complaints. |
| Parent | Parent has the meaning given in the Education Act 1996 and includes any person having parental responsibility or care of a child. |
| Personal Data | Any information relating to an identified or identifiable natural person, which could be as simple as a name or a number, or which could include other identifiers e.g. date of birth, photo, IP address etc. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. |
| Privacy by Design | Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR. |
| Processing | Any operation which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, erasure or destruction. |
| Special Category Data | Personal Data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health and sexual orientation. |
| Subject Access Request (SAR) | A formal request from a data subject for information, including Personal Data, which an organisation holds about them. |
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.




