THE CORSHAM SCHOOL ACADEMY GROUP
This policy is to let you know how The Corsham School Academy Group (‘the Trust’, ‘we’, ‘us’ or ‘our’) will collect, use and process Personal Data. It is also designed to let you know your rights and what you can do if you have questions about Personal Data.
The Trust is the controller for the purposes of data protection laws.
This document sets out the types of Personal Data (meaning information about an individual from which that individual can be personally identified) we handle, the purposes of handling those Personal Data and any recipients of it.
We are: The Corsham School Academy Group, a company limited by guarantee registered in England and Wales (company number 07550425)
Address: The Corsham School, The Tynings, Corsham, Wiltshire SN13 9DF
Our Website address is: www.corsham.wilts.sch.uk
Information Commissioner’s Office Registration Number: Z2993634.
Our Data Protection Officer is: Christine Chaloner-Sandell
and their contact details are:
Email – [email protected]
THE CORSHAM SCHOOL ACADEMY GROUP
2. Why we collect data
We collect and hold personal information relating to our pupils, parents, employees, governors, trustees, directors and others. We may also receive information about pupils from their previous schools, the Local Authority, Department for Education (DfE) and other bodies linked to their education, development and welfare.
We may share Personal Data with other agencies as necessary under our legal duties or otherwise in accordance with our duties/obligations as a Trust.
Whilst the majority of Personal Data we are provided with or collect is mandatory, some of it is provided to us on a voluntary basis. We will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Below are set out the reasons why we collect and process Personal Data, as well as the legal basis on which we carry out this processing:
3. Legal Basis for Processing
The lawful bases for processing are set out in Article 6 of the GDPR, these are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The lawful basis for us to collect/process this Personal Data is in order to provide education in accordance with statute law (such as the Education Act 1996 and other legislation), our funding agreements with the Secretary of State, our memorandum and articles of association and other guidance provided for in law (c).
We also process Personal Data where processing is necessary for the performance of tasks carried out in the public interest. It is in the public interest to provide educational services to our pupils and to offer extra-curricular activities such as reading sessions and afterschool clubs to benefit the personal and academic growth of our pupils (e).
An additional lawful basis for us to collect/process employees’ Personal Data is by reason of necessity for the performance of a contract of employment to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract (b).
In addition, Personal Data will be collected and/or processed for the purposes of relevant contracts for the provision of services which are paid for. This may include but is not limited to:
We do not process any special categories of Personal Data except where necessary for reasons of substantial public interest in complying with legal obligations including under the Equality Act 2010 or where necessary to protect the vital interests of the Data Subject or of another natural person and where safeguards are in place to ensure that this Personal Data is kept secure. For the avoidance of doubt where special categories of Personal Data are collected it shall not be used for the purposes of automated decision making and/or profiling.
Special categories of data means Personal Data revealing:
Further Personal Data including special categories of Personal Data may be collected and/or processed where consent has been given (for example, school photographs for non-educational purposes). If consent has been given then this may be revoked in which case the Personal Data will no longer collected/processed.
4. Categories of information we collect
We may collect the following types of Personal Data (please note this list does not include every type of Personal Data and may be updated from time to time):
5. Who will have access to your data
Personal Data will be accessible by members of staff. Where necessary, volunteers, trustees and governors will also have access to Personal Data.
We will not share information about our pupils with third parties without consent unless we are required to do so by law or our policies. We will disclose Personal Data to third parties:
This may include our Local Authority, the DfE (please see Section 6), the Police and other organisations where necessary; for example, for the purposes of organising a school trip or otherwise enabling students to access services or for the purposes of examination entry. Information may also be sent to other schools where necessary; for example, schools that pupils attend after leaving us.
Certain data collection obligations are placed on us by the DfE. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) visit: https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The above listed third party suppliers will process data on our behalf. Therefore, we investigate these third party suppliers to ensure their compliance with Relevant Data Protection Laws and specify their obligations in written contracts.
6. PUPIL DATA – The National Pupil Database (NPD)
The NPD is owned and managed by the DfE and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DfE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The DfE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the DfE has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact the DfE please visit: https://www.gov.uk/contact-dfe
7. EMPLOYEE DATA – DfE Data Collection Requirements
The DfE collects and processes Personal Data relating to those employed by schools (including Multi Academy Trusts) and local authorities that work in state funded schools (including all maintained schools, all academies and free schools and all special schools including Pupil Referral Units and Alternative Provision). All state funded schools are required to make a census submission because it is a statutory return under sections 113 and 114 of the Education Act 2005.
To find out more about the data collection requirements placed on us by the DfE including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The DfE may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by:
The DfE has robust processes in place to ensure that the confidentiality of Personal Data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether the DfE releases Personal Data to third parties are subject to a strict approval process and based on a detailed assessment of:
To be granted access to school employee data, organisations must comply with the DfE’s strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the DfE’s data sharing process, please visit:
To contact the DfE: https://www.gov.uk/contact-dfe
8. How data will be processed
Personal Data may be processed in a variety of ways, this will include but is not limited to:
9. Where we store data and how we keep data secure
Paper copies of Personal Data are kept securely at the school; for example, in secure filing cabinets.
Electronic copies of Personal Data are kept securely and information will only be processed where we are satisfied that it is reasonably secure.
All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. You must not share your password with anyone.
10. Retention periods
We will only retain Personal Data for as long as is necessary to achieve the purposes for which they were originally collected. As a general rule, Personal Data will be kept for the entire period that a child is a pupil at the Trust, or an employee is employed at the Trust. Other records (for example, safeguarding or in relation to special educational needs) will be kept for longer in accordance with guidance from the Information and Records Management Society. Further information on retention periods can be obtained by contacting us via the details in Section 1 of this Notice.
Once the retention period concludes the data is securely and safely destroyed/ deleted.
11. Your data rights
The General Data Protection Regulation and associated law gives you rights in relation to Personal Data held about you and your child. These are:
Where any exercise by you of your right to restriction determines that our processing of particular Personal Data are to be restricted, we will then only process the relevant Personal Data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
You can find out more about the way these rights work from the website of the Information Commissioner’s Office (ICO).
Where the Trust holds Personal Data concerning you, you are entitled to access that Personal Data and the following information (unless an exception applies):
If you want to receive a copy of the information about your son/daughter that we hold, please contact us via the details in Section 1 of this Notice.
13. Making a Complaint
If you are unhappy with the way we have dealt with any of your concerns, you can make a complaint to the ICO, the supervisory authority for data protection issues in England and Wales. We would recommend that you complain to us in the first instance, but if you wish to contact the ICO on the details you can do so on the details below. The ICO is a wholly independent regulator established in order to enforce data protection law.
ICO Concerns website: www.ico.org.uk/concerns
ICO Helpline: 0303 123 1113
ICO Email: [email protected]
ICO Postal Address:
Information Commissioner’s Office
Cheshire SK9 5AF
14. Changes to this notice
Any changes we make to this notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.