Gilbert Inglefield Academy

Privacy Notice for Learners

Gilbert Inglefield Academy is required by law to collect and process personal data relating to all of its pupils.  This privacy notice provides you with information about how we collect and process personal data of our pupils in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Who are we?

We are a middle school and an academy.  

Our registered name is Gilbert Inglefield Academy Trust.

Please contact our data protection lead at dpo@gilbertinglefield.org.

Our data protection officer is:
HFL Education,
Bank House,
Ground Floor - North Wing,
Primett Road,
Stevenage,
Hertfordshire SG1 3EE
Tel: 01438 544464

Why do we collect and use pupil information?

We collect and use pupil information under section 537A of the Education Act 1996, section 83 of the Children Act 1989, and to carry out tasks in the public interest. If we need to collect special category (sensitive) personal information, we rely upon reasons of substantial public interest (equality of opportunity or treatment).

We collect and use pupil information under the following lawful bases under the UK General Data Protection Regulation (UK GDPR):

  1. where we have the consent of the data subject (Article 6 (a));
  2. where it is necessary for compliance with a legal obligation (Article 6 (c));
  3. where processing is necessary to protect the vital interests of the data subject or another person (Article 6 (d));
  4. where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e));
  5. where processing is necessary for our legitimate interests or the legitimate interests of a third party (Article 6 (f)).

Where the personal data we collect about pupils is sensitive (i.e. special category) personal data, we will only process it where:

  1. we have explicit consent (Article 9 (2)(a));
  2. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9 (2)(c)); and / or
  3. processing is necessary for reasons of substantial public interest, and is authorised by UK law (see section 10 of the 2018 Data Protection Act) (Article 9 (2)(g)).

Please see the Glossary at the end of this privacy notice for definitions of key terms.

We use the pupil data to support our statutory functions of running a school, including but not limited to:

  1. to decide who to admit to the school;
  2. [to maintain a waiting list];
  3. to support pupil learning;
  4. to monitor and report on pupil progress;
  5. to provide appropriate pastoral care;
  6. to assess the quality of our services;
  7. to comply with the law regarding data sharing;
  8. for the protection and welfare of pupils and others in the school;
  9. for the safe and orderly running of the school;
  10. to promote the school;
  11. to communicate with parents / carers.

The categories of pupil information that we collect, hold and share include, but are not limited to:

  1. Personal information (such as name, unique pupil number and address);
  2. Characteristics (such as ethnicity, language, medical conditions and free school meal eligibility);
  3. Attendance information (such as sessions attended, number of absences and absence reasons);
  4. Assessment information such as their current pupil progress, their predicted progress and where appropriate data relating to any assessments, tests or exams they have undertaken;
  5. Relevant medical information including any conditions or allergies your child may have, the need for epi-pens/medication, emergency contact and doctor’s details;
  6. Special educational needs information. This includes information about any particular needs that your child has, any funding that is received specifically for your child, statements of individual need and health care plans;
  7. Behavioural information, which may include information about your child’s general classroom behaviour including any awards gained, together with any detentions, fixed-term or permanent exclusions they have received;
  8. Pastoral and safeguarding information, including notes on any home visits undertaken;
  9. Photographs;
  10. CCTV images.

From time to time and in certain circumstances, we might also process personal data about pupils, some of which might be sensitive personal data, including information about criminal proceedings / convictions, information about sex life and sexual orientation, child protection / safeguarding.  This information is not routinely collected about pupils and is only likely to be processed by the school in specific circumstances relating to particular pupils, for example, if a child protection issue arises or if a pupil is involved in a criminal matter.  Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police.  Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.

We collect information about pupils when they join the school and update it during their time on the roll as and when new information is acquired.

Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the UK GDPR, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where appropriate, we will ask parents for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of pupils on our website or on social media to promote school activities. Parents / pupils may withdraw consent at any time.

In addition, the School also uses CCTV cameras around the school site for security purposes and for the protection of staff and pupils.  CCTV footage may be referred to during the course of disciplinary procedures (for staff or pupils) or to investigate other issues.  CCTV footage involving pupils will only be processed to the extent that it is lawful to do so.  Please see our CCTV policy/code of practice for more details.

Storing pupil data

We hold pupil data securely and have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. Access to information is limited to those who have a business need to know it and who are subject to a duty of confidentiality. A significant amount of personal data is stored electronically, for example, on our MIS database.  Some information may also be stored in hard copy format.

Data stored electronically may be saved on a cloud-based system which may be hosted in a different country.

Personal data may be transferred to other countries if, for example, we are arranging a school trip to a different country.  Appropriate steps will be taken to keep the data secure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach involving your data where we are legally required to do so.

When a pupil moves to another educational setting or school phase, the vast majority of information that we hold will move to that setting, although we may need to retain a certain amount of personal data, as laid out in our Data Retention Policy and Schedule.

Who do we share pupil information with?

We routinely share pupil information with:

  • schools that pupils attend after leaving us;
  • our local authority, Central Bedfordshire Council;
  • a pupil’s home local authority (if different);
  • commissioned providers of local authority services;
  • the Department for Education (DfE);
  • school governors / trustees;
  • exam boards;

From time to time, we may also share pupil information with other third parties including, but not limited to, the following:

  • the Police and law enforcement agencies;
  • NHS health professionals including the school nurse, educational psychologists;
  • Education Welfare Officers;
  • Courts, if ordered to do so;
  • the National College for Teaching and Learning;
  • the Joint Council for Qualifications;
  • Prevent teams in accordance with the Prevent Duty on schools;
  • other schools, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
  • our HR providers, for example, if we are seeking HR advice and a pupil is involved in an issue;
  • our legal advisors;
  • our insurance providers / the Risk Protection Arrangement;
  • NHS

Some of the above organisations may also be Data Controllers in their own right in which case we will be joint controllers of your personal data and may be jointly liable in the event of any data breaches. 

We may also share pupil data with a number of providers of software tools which may be used to: support pupil learning; monitor and report on pupil attainment and progress; deliver the educational curriculum; ensure the safety and wellbeing of pupils; communicate with parents; or to carry out other operational processes to support our core activities as a public authority, under Article 6(e) of the UK GDPR.  These providers act as data processors on our behalf, and are required to take appropriate security measures to protect your personal information in line with our policies.  We do not allow them to use your personal data for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

In the event that we share personal data about pupils with third parties or data processors, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.  Where necessary, we will carry out a Data Protection Impact Assessment (DPIA) to assess any risks involved.

Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law allows us to do so.

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with the DfE under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Youth support services

What is different about pupils aged 13+?

Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

  • youth support services
  • careers advisers

The information shared is limited to the child’s name, address and date of birth. However, where a parent or guardian provides their consent, other information relevant to the provision of youth support services will be shared. This right is transferred to the child / pupil once they reach the age of 16.

Data is securely transferred to the youth support service.

The National Pupil Database (NPD)

The NPD is owned and managed by the DfE and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DfE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the pupil information we share with the department, for the purpose of data collections, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data;
  • the purpose for which it is required;
  • the level and sensitivity of data requested; and
  • the arrangements in place to store and handle the data.

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided pupil information to (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received

To contact DfE: https://www.gov.uk/contact-dfe

Requesting access to your personal data

Under data protection legislation, pupils, and in some circumstances, parents, have the right to request access to information about them that we hold (“Subject Access Request”).  From the age of 13, we generally regard pupils as having the capacity to exercise their own rights in relation to their personal data.  This means that where we consider a pupil to have sufficient maturity to understand their own rights, we will require a Subject Access Request to be made by the pupil and not their parent(s) on their behalf.  This does not affect any separate statutory right parents might have to access information about their child.

Subject to the section below, the legal timescale for the School to respond to a Subject Access Request is one calendar month.  As the School has limited staff resources outside of term time, we encourage parents / pupils to submit Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible.  This will assist us in responding to your request as promptly as possible.  For further information about how we handle Subject Access Requests, please see our Data Protection Policy.

Parents of pupils who attend academies have a separate statutory right to receive an annual written report setting out their child’s attainment for the main subject areas which are taught.  This is an independent legal right of parents, rather than a pupil’s own legal right, which falls outside of the UK GDPR. Therefore a pupil’s consent is not required even if a pupil is able to make their own decisions in relation to their personal data, unless a court order is in place which states otherwise.

The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are or were married, whether a father is named on a birth certificate or has parental responsibility for the pupil, with whom the pupil lives or whether the pupil has contact with that parent), and also includes non-parents who have parental responsibility for the pupil, or with whom the pupil lives.  It is therefore possible for a pupil to have several “parents” for the purposes of education law.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress;
  • prevent processing for the purpose of direct marketing;
  • object to decisions being taken by automated means;
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of our data protection responsibilities.

We will always seek to comply with any requests regarding your rights; however, please note that we may still be required to hold or use your information to comply with legal duties.

For further information about your rights, including the circumstances in which they apply, see the guidance from the Information Commissioner’s Office (ICO) on individuals’ rights under the UK GDPR.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/

Contact:

You can contact the Information Commissioner's Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

If you would like to discuss anything in this privacy notice, please contact our data protection lead dpo@gilbertinglefield.org.

Glossary of Terms

Biometric Data

Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics which allow or confirm the unique identification of that person, such as fingerprints.

Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.

Data Controller

Exercises overall control over the purposes and means of the Processing of personal data. 

Data Processor

Acts on behalf of, and only on the instructions of, the relevant Controller.

Data Protection Officer (DPO)

Monitors internal compliance of an organisation, informs and advises on data protection obligations.

Data Subject

Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data.

Data User

Data Users include employees, volunteers and governors whose work involves using Personal Data.

Information Commissioner’s Office (ICO)

Independent public body responsible for ensuring compliance with the UK’s data protection regulations by providing guidance, investigating breaches of the regulations and dealing with complaints.

Parent

Parent has the meaning given in the Education Act 1996 and includes any person having parental responsibility or care of a child.

Personal Data

Any information relating to an identified or identifiable natural person, which could be as simple as a name or a number, or which could include other identifiers e.g. date of birth, photo, IP address etc.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Privacy by Design

Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

Processing

Any operation which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, erasure or destruction.

Special Category Data

Personal Data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health and sexual orientation.

Subject Access Request (SAR)

A formal request from a data subject for information, including Personal Data, which an organisation holds about them.

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.  We may also notify you in other ways from time to time about the processing of your personal information.