The new GDPR (General Data Protection Regulation) is replacing the current Data Protection Act (DPA) and is set to strengthen and unify all data held within an organisation. For schools, GDPR brings a new responsibility to inform parents and stakeholders about how they are using pupils’ data and who it is being used by.
What does GDPR mean for schools?
A great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, ‘in the public interest’. As it is in the public interest to operate schools successfully, it will mean that specific consent will not be needed in the majority of cases in schools.
GDPR will ensure data is protected and will give individuals more control over their data, however this means schools will have greater accountability for the data:
- Under GDPR, consent must be explicitly given to anything that isn’t within the normal business of the school, especially if it involves a third party managing the data. Parents (or the pupil themselves depending on their age) must express consent for their child’s data to be used outside of the normal business of the school.
- Schools must appoint a Data Protection Officer and be able to prove that they are GDPR compliant.
- Schools must ensure that their third party suppliers who may process any of their data is GDPR compliant and must have legally binding contracts with any company that processes any personal data. These contracts must cover what data is being processed, who it is being processed by, who has access to it and how it is protected.
- It will be compulsory that all data breaches which are likely to have a detrimental effect on the data subject are reported to the ICO within 72 hours
If you require further information on this, please contact Karen Prout (senior business manager) – email@example.com
The documents and a short video below contain all of the relevant GDPR information for parents/carers.
(How we use pupil information)
Why do we collect and use pupil information?
We collect and use pupil information under the Education Act 1996 and the EU General Protection Regulation (GDPR) which took effect from May 25 2018, including Article 9 ‘lawfulness of processing’ and GDPR Article 9 ‘processing of special categories of personal data’ .
We use the pupil data:
- to support pupil learning
- to monitor and report on pupil progress
- to provide appropriate pastoral care
- to assess the quality of our services
- to comply with the law regarding data sharing
The lawful bases for processing are set out in GDPR Article 6 of the GDPR.
At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contractLegal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Central Hub Brighton has a number of policies to ensure all staff and management committee members are aware of their responsibilities and outlines how the school complies with the following core principles of the GDPR.
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number, date of birth, siblings and address).
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility).
- Attendance information (such as sessions attended, number of absences and absence reasons).
- Safeguarding information (such as court orders and professional involvement).
- Special educational needs (including the needs and ranking).
- Medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements).
- Exclusions and behavioural information.
- Assessment and attainment (such as key stage 1 and phonics results, post 16 courses enrolled for and any relevant results).
- Contact details for parents and carers.
- Post 16 destinations and learning information.
- Safeguarding and Child Protection reports and disclosures.
- Photographs and video clips.
- CCTV images.
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Where we share pupil data such as school photographs on the school website, on social media or in the local press, you have a choice in this and we request your consent for this to be shared. Consent can be withdrawn at any time by contacting the headteacher and asking for pupil photographs not to be shared where public have access.
Storing pupil data
Where information forms part of a student’s statutory education record (The Education Regulations 2005 SI 2005 No. 1437), the school will retain the information for 25 years from the child’s date of birth. Other information will be retained only where it is required to perform our legal obligations or where it is retained to safeguard and promote the welfare of children.
Who do we share pupil information with?
We routinely share pupil information with:
- Schools and colleges that the pupils attend after leaving us;
- Brighton and Hove council;
- the Department for Education (DfE);
- School nurse and NHS;
- SIMS, Groupcall Messenger, CPOMS, Evolve and Exam Boards.
Aged 14+ qualifications
For pupils enrolling for post 14 qualifications, the Learning Records Service will give us a pupil’s unique learner number (ULN) and may also give us details about the pupil’s learning or qualifications.
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Youth support services
What is different about pupils aged 13+?
Once a pupil reaches the age of 13, we also pass pupil information to Brighton and Hove Council and/or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- youth support services
- careers advisers
A parent/guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child/pupil once s/he reaches the age 16.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the pupil information we share with the department, for the purpose of data collections, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis;
- producing statistics;
- providing information, advice or guidance.
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact firstname.lastname@example.org
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please email email@example.com