Privacy Notice - General Data Protection Regulation - Data Protection Act
How we use Student Information
The EU General Data Protection Regulation (GDPR)
With effect from the 25th May 2018 the General Data Protection Regulation (GDPR) became applicable and the existing Data Protection Act (DPA) was updated by a new Act.
Holy Trinity Church of England Secondary School complies with the GDPR and is registered as a ‘Data Controller’ with the Information Commissioner’s Office (Reg. No. Z7244027).
The Data Protection Officer (DPO) for the school is the Business Manager, Mr. I Mitchell.
We ensure that your personal data is processed fairly and lawfully, is accurate, is kept secure and is retained for no longer than is necessary.
The Legal Basis for Processing Personal Data
We process personal data because it is necessary in order to comply with the schools legal obligations and to enable it to perform tasks carried out in the public interest. We are required by The Education (Pupil Information) (England) Regulations 2005 to maintain a Pupil’s Educational Record.
How we use information
We collect and hold personal information relating to our pupils and those involved in their care, we may also receive information from previous schools, the local authority(s) and/or the Department for Education (DfE). We use this personal data to:
- support our pupils’ learning
- support our pupils’ welfare
- monitor and report on their progress
- provide appropriate pastoral care;
- assess the quality of our services;
- process any complaints;
- protecting vulnerable individuals;
- the prevention and detection of crime
- comply with the law regarding data sharing
This information will include a child’s Unique Pupil Number (UPN), name, address, contact details, careers details, national curriculum assessment results, examination results, internal assessment results, school reports, behavioral information, attendance information, any exclusion information, where they go after they leave us and personal characteristics such as their ethnic group, any special educational needs or disabilities they may have as well as relevant medical information.
Individual examination results for students, who have achieved high grades or made excellent progress, are published in the local press and media and also on Holy Trinity’s website and social media accounts.
For pupils enrolling for post 14 qualifications, the Learning Records Service will give us the unique learner number (ULN) and may also give us details about your learning or qualifications.
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Who we share data with
We may pass data to:
- third-party organizations, as allowed by law
- agencies that provide services on our behalf
- agencies with whom we have a duty to co-operate
- ongoing schools
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
For further information about who we share with and why please see APPENDIX A below.
In addition we use some systems to process student data where the data is held either in a website or an external supplier’s system. For further detail about such systems please see APPENDIX B at the foot of this page.
Personal data will be retained by the school in accordance with the Data Retention guidelines in the Information Management Toolkit for Schools (IRMS). Electronic and paper student records (excluding contact information) will be held until a student reaches the age of 25 in accordance with the Limitation Act 1980 (Section 2) (or age of 30 if the student was statemented or had an EHCP in order to protect against a “failure to provide a sufficient education” case.)
After this time the school will maintain a school roll detailing the names of students who have been to the school with their dates of birth and recording between which dates they attended Holy Trinity. This will enable ex-students to allow potential employers to check this information.
As part of our recording of events, celebrations and achievements, The Holy Trinity Church of England Secondary School may wish to take photographs of activities that involve your child. The photographs may be used for displays, publications and website(s) by the school, Local Authority (LA), local newspapers and other approved partners such as charities we support and local businesses working in partnership with the school on such things as enterprise challenges.
Photography and/or filming will only take place with the permission of the Head teacher and under appropriate supervision. When filming or photography is carried out by the news media, children may be named but home addresses will not be disclosed. Images that might cause embarrassment or distress will not be used, including images associated with material on sensitive issues.
When a student joins the school parents are asked to indicate whether they are happy for photographs of their son/daughter to be used on school, local authority or press websites; inside school only; or do not want any photographs of their son/daughter to be published at all.
All students have a photograph taken and stored internally in order to identify them for safeguarding purposes. This photograph will also be used on their student id card.
The school operates CCTV on the school site, as it is considered necessary to protect pupils’ safety and/or the school’s property
The school operates biometric recognition systems for purchasing food in the refectory.
All data collected will be processed in accordance with the GDPR Data Protection Principles and the Protection of Freedoms Act 2012.The written consent of at least one parent will be obtained before biometric data is taken and used. If one parent objects in writing, then the school will not take or use a child’s biometric data.
For more information about biometric data please refer to the ICO Guidance at the link below:
You have the right to:
- be informed of data processing (which is covered by this Privacy Notice)
- access information (also known as a Subject Access Request)
- have inaccuracies corrected
- have information erased
- restrict processing
- data portability (this is unlikely to be relevant to schools)
- intervention in respect of automated decision making (automated decision making is rarely operated within schools)
- Withdraw consent (see below)
- Complain to the Information Commissioner’s Office (See below)
To exercise any of these rights please email firstname.lastname@example.org and mark the email for the attention of the Performance and Improvement Manager.
Withdrawal of Consent
The lawful basis upon which the school processes personal data is that it is necessary in order to comply with the schools legal obligations and to enable it to perform tasks carried out in the public interest.
Where the school processes personal data solely on the basis that you have consented to the processing, you will have the right to withdraw that consent.
Complaints to ICO
If you are unhappy with the way your request has been handled, you may wish to ask for a review of our decision by contacting the DPO.
If you are not content with the outcome of the internal review, you may apply directly to the Information Commissioner for a decision. Generally, the ICO cannot make a decision unless you have exhausted our internal review procedure. The Information Commissioner can be contacted at:
The Information Commissioner's Office,
Who we share data with and why
Once pupils reach the age of 13, the law requires us to pass on certain information to the provider of Youth Support Services in our area. This is the local authority support service who have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
We may also share certain personal data relating to children aged 16 and over with post-16 education and training providers in order to secure appropriate services for them. A parent/guardian can request that only their child’s name, address and date of birth be passed to the provider of Youth Support Services in your area by informing Mrs Farr. This right is transferred to the child once he/she reaches the age 16.
For more information about services for young people, please go to the local authority website https://www.westsussex.gov.uk/ .
Caterlink staff are contractually engaged to operate catering within school and are responsible for operating our refectory. Therefore student names and biometric information are passed to Caterlink for the purpose of maintaining lunch accounts.
As part of our statutory obligation to provide impartial careers advice and guidance we will work with the WSCC Careers Adviser and pass names of students needing additional information, advice or guidance at transitional points on to them. We will also work with The Careers Enterprise Company through their Enterprise Advisory Network [provided by Coast to Capital, LEP] and the National Collaboration Outreach Project [NCOP]and provide statistical data about students to aid the allocation of funding and resources. The school will also provide its independent careers adviser with student names and age for the purpose of 1-1 guidance interviews delivered on site.
Students’ exams-related data may be shared with the following organisations:
- Awarding bodies
- Joint Council for Qualifications
- Department for Education; Local Authority;
This data may relate to exam entries, access arrangements, the conduct of exams and non-examination assessments, special consideration requests and exam results/post-results/certificate information.
Department for Education (DfE).
We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013. To find out more about the data collection requirements placed on us by the Department for Education go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Some of this information is then stored in the National Pupil Database (NPD). The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
The DfE may also share pupil level personal data that we supply to them, with third parties. This will only take place where legislation allows it to do so and it is in compliance with GDPR
Decisions on whether DfE releases this personal data to third parties are subject to a robust approval process and are based on a detailed assessment of who is requesting the data, the purpose for which it is required, the level and sensitivity of data requested and the arrangements in place to store and handle the data. To be granted access to pupil level data, requestors must comply with strict terms and conditions covering the confidentiality and handling of data, security arrangements and retention and use of the data.
For more information on how this sharing process works, please visit: https://www.gov.uk/guidance/national-pupil-database-apply-for-a-data-extract
For information on which third party organizations (and for which project) pupil level data has been provided to, please visit:
If you need more information about how the local authority and/or DfE collect and use your information, please visit:
- our local authority at https://www.westsussex.gov.uk/ or
the DfE website at https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
Clinical Commissioning Groups (CCGs)
We are required, by law, to pass certain information about our pupils to CCGs.
CCGs use information about pupils for research and statistical purposes, to develop, monitor and evaluate the performance of local health services. These statistics will not identify individual pupils. It is necessary for certain health information about children (for example, such as their height and weight) to be retained for a certain period of time (designated by the Department of Health) and requires these CCGs to maintain children’s names and addresses for this purpose. CCGs may also provide individual schools and Local Authorities (LAs) with aggregated health information which will not identify individual children.
Local Authority - education and training
We are required, by law, to pass certain information about our pupils to local authorities.
The LA holds information about young people living in its area, including about their education and training history. This is to support the provision of their education up to the age of 20 (and beyond this age for those with a special education need or disability). Education institutions and other public bodies (including the Department for Education (DfE), police, probation and health services) may pass information to the LA to help them to do this.
The LA shares some of the information it collects with the Department for Education (DfE) to enable them to; produce statistics, assess performance, determine the destinations of young people after they have left school or college and to evaluate Government funded programmes.
The LA may also share information with post-16 education and training providers to secure appropriate support for them. They may also share data with education establishments which shows what their pupils go on to do after the age of 16.
For children under 16, a parent or guardian can ask that no information other than their child’s name, address and date of birth (or their own name and address) be passed to a local authority. This right transfers to the child on their 16th birthday. Pupils and/or a parent/guardian will need to inform the school/LA if this is what they wish. If you want to see a copy of information about you that the LA holds, please contact the WSCC Data Protection Officer: FOI@westsussex.gov.uk
Local Authority – social services
In order to comply with our statutory safeguarding duties we are required, by law, to pass certain information about our pupils to local authorities. Information will only be shared where it is fair and lawful to do so.
If you want to see a copy of information about you that the LA holds, please contact the WSCC Data Protection Officer: FOI@westsussex.gov.uk
Police, Fire and Rescue Service, Ambulance Service and other emergency or enforcement agencies
In order to comply with our duty of care to pupils, our statutory safeguarding duties and our obligations in respect of the prevention and detection of crime, we may also share personal data with other statutory and partnership agencies.
APPENDIX B – SYSTEMS USED BY THE SCHOOL WHERE DATA IS NOT HELD IN SCHOOL
It is anticipated that in these circumstances student data will still be processed by Holy Trinity staff, but there may be occasions where a member of the supplier’s staff will need to look at our data in order to resolve technical problems.
Click Here to view Appendix B.