Privacy Policies

Bucks UTC / Privacy Policies

Page last reviewed: 22 March 2022

This page contains our privacy policies, related to how we protect your data, how we use your data, and your legal rights. For PDF copies of these policies, please click here. Please contact the Trust Business Manager, Lynne Harrison with questions about the policies or requests for further information. Email GDPR@wallingfordschool.com.

+ - Privacy Notice - Pupils

Privacy Notice – Pupils

This privacy notice advises pupils of the school’s data protection responsibilities on the collection and processing of pupil’s personal information.

You are being provided with this notice because current guidelines state that pupils from the age of 13 are considered mature enough to make decisions about their own personal information.

This notice provides details about:

  • The personal information we collect on pupils.
  • How we collect that personal information.
  • What we do with the personal information.
  • Your rights in relation to any personal information held and processed by the school.

We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that pupils’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com Questions about this policy, or requests for further information, should be directed to her.

What is personal information and what does processing mean?

Personal information is any information that relates to you that can be used directly or indirectly to identify you. This includes information such as your name, date of birth and address as well as information relating to your exam results, medical details and behaviour records. This may also include sensitive personal information, such as your religion or ethnic group, photos and video recordings.

Personal information and processing are defined as follows:

  • Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
  • Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).

Data protection principles

We process personal data about pupils in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent way.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.

Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Our legal basis (grounds) for using pupils’ personal data

There are several reasons why we hold, process and share pupils’ personal data. Under data protection laws, the lawful reasons for processing personal data include:

  • Consent.
  • For the performance of a contract.
  • To comply with a legal obligation.
  • To protect the vital interests of the pupil or another person.
  • For a task carried out in the public interest.
  • For a legitimate interest of the school or one of the organisations it shares data with (eg legal adviser) except where those rights are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, particularly in the case of a child.

Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.

Consent

We may ask for your consent to use your information in certain ways. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid. The use of photographs for the school website or other publicity would be an example of when we would do this.

Legal obligation

This is where we need to use pupils’ personal data to comply with a legal obligation. Statutory reporting requirements to the Department for Education (DFE) are included within this section. As is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.

Vital interests

This legal basis can be used where, for example, we need to disclose information about pupils to prevent them or someone else from being seriously harmed. An example can include providing information to a medical professional about a pupil in circumstances where they are unable to provide the information themselves. It is likely to cover an emergency medical situation.

Public interest

We consider that we are acting in the public interest when providing education. Specifically, we have a public interest in:

  • Providing an education.
  • Fulfilling our safeguarding obligations and investigating complaints that may be directly connected with you or may require access to your personal data when investigating complaints by others.
  • Promoting the interests of the school.
  • Managing the school efficiently.

Legitimate interests

We have many legitimate interests for which we hold, retain, process and share pupils’ personal data. The GDPR states that the exception to using this ground is where it is detrimental to a pupil’s rights.

Why do we collect and process pupils’ personal data?

We use pupils’ personal data to:

  • Support pupil learning.
  • Monitor and report on pupil progress.
  • Provide appropriate pastoral care.
  • Assess the quality of our services.
  • Comply with the law regarding data sharing.

How do we obtain personal data?

We obtain personal data in a variety of ways. Some of the information comes from the admissions forms and acceptance forms which have been supplied to us. We also receive information about pupils from other schools and agencies, such as healthcare professionals. Data is also obtained from your parents, carers or guardians, your teachers and other pupils.

With whom do we share pupils’ personal data?

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. We share pupils’ data with the DFE on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. Pupils’ data, where it is reasonable to do so, may also be shared with other professionals contracted by the school, such as legal and professional advisers or insurers. In addition, a data security contract with a third-party IT services provider or as part of cloud-based storage may also process your personal data for the purpose of securely holding and protecting your data.

The National Pupil Database (NPD)

The NPD is owned and managed by the DFE. It contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DFE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities (LAs) and awarding bodies.

We are required by law to provide information about our pupils to the DFE as part of statutory data collections, such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to this link.

Third parties

The DFE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

  • Conducting research or analysis.
  • Producing statistics.
  • Providing information, advice or guidance.

The DFE has robust processes in place to ensure the confidentiality of our data is maintained. There are stringent controls in place regarding access to and use of the data. Decisions on whether the DFE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • Who is requesting the data.
  • The purpose for which it is required.
  • The level and sensitivity of the requested data.
  • The arrangements in place to store and handle the data.

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the DFE’s data sharing process, please visit this link.

For information about which organisations the DFE has provided pupil information to (and for which project), please visit this link.

Pupils aged 13+

Once our pupils reach the age of 13, we also pass pupil information to our LA and/or provider of youth support services, because they have responsibilities in relation to the education or training of 13–19 year olds under section 507B of the Education Act 1996.

This enables them to provide services such as:

  • Youth support.
  • Careers advice.
  • Post-16 education and training providers.

A parent, carer or guardian can request that only your name, address and date of birth is passed to their LA or provider of youth support services by informing us. This right is transferred to you once you reach the age of 16.

Further examples of why we collect, hold and share pupils’ personal data

Here are some further examples of why we collect, hold and share pupils’ personal data. If you would like more information about any of these, please contact our Data Protection Officer.

  • We may need to share information about your health and wellbeing with those who have responsibility for pupil welfare.
  • We need to tell all appropriate members of staff if you have specific medical needs.
  • We need to tell all appropriate members of staff if you might need extra help with some tasks.
  • We may need to provide information containing your personal data to other schools and colleges. We may need to pass on information which they need to look after you. For example, how well you have behaved at other schools and your test results.
  • We may need to share data with external examination boards.
  • Where we have the right to do so, we may share your academic and behaviour records with your parent, carer or guardian.
  • We may share information about you between the schools in the multi-academy trust. For example, how well you have behaved at other schools and your test results.
  • We will only share your information with other people and organisations when we have a legitimate reason to do so.
  • If you are involved in a serious incident, and the police have become involved, we may need to share information with the police and record any action taken.
  • (For maintained schools) We are required to share information about our pupils with our LA and the DFE under the Education (Information About Individual Pupils) (England) Regulations 2013.
  • (For academies, free schools and pupil referral units) We are required to share information about our pupils with the DFE under the Education (Information About Individual Pupils) (England) Regulations 2013.
  • Sometimes we need to share information with the police or our legal advisers to help with an inquiry. For example, safeguarding issues or injuries.
  • We might need to share pupils’ information with consultants, experts and other advisers who assist us in the running of the school, if this is relevant to their work.
  • On occasions external consultants/contractors may have temporary access to personal data held by the school. For example, IT consultants might be granted temporary access to pupils’ personal data in order to fulfil their contract(s). Access will only be granted to consultants who have demonstrated compliance with the school’s data protection standards.
  • The school uses various IT systems. This may include using cloud-based storage systems to hold pupil data. Before use, the school ensures that adequate security measures are in place.
  • We may need to share some information with our insurance provider to ensure we maintain cover or to process any claims.
  • We may need information about any court proceedings or judgements concerning you. This is We may monitor your use of the school’s email, internet and other electronic devices provided by the school eg iPads. We monitor in order to ensure appropriate use of these technologies and to confirm that you are not putting yourself at risk of harm.
  • We have CCTV in operation to make sure the school sites are safe. CCTV is not used in private areas such as changing rooms.
  • We may use photographs or videos of you on our website, social media sites, newsletters and publications as part of our advertising of the school.
  • We publish our exam results and other news on the website. We also send articles, photographs and videos to local and national news outlets to celebrate the school’s successes.
  • Sometimes we use photographs and videos to support curriculum activities, for example, to provide feedback on a presentation you may have given.

Automated decision-making and profiling

We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).

Special categories of personal data

We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.

Some of the reasons we process such data on pupils include:

  • Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
  • Medical purposes. This includes medical treatment and the management of healthcare services. • For compiling census data as required by law.
  • So that we can safeguard your welfare and the welfare of other pupils at the school.

How do we protect pupils’ personal data?

We take the security of pupils’ personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where practical, uses passwords, virus protection and has appropriate firewalls.

Sending information to other countries

With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions. Our servers and storage systems are based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect pupils’ personal data.

How long do we keep pupils’ personal data?

We keep pupils’ personal data for the time they are at our school. We will also keep certain information after pupils have left the school. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.

What rights do you have in relation to your information?

When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.

  • The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
  • The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
  • The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
  • The right to object. Individuals have the right to object to:
    • Processing based on legitimate interests or the performance of a task in the public interest/ exercise of official authority.
    • Direct marketing.
    • Processing for scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling.

There are specific rights in relation to a child’s personal data. Further guidance and advice on the above rights can be obtained from the ICO’s website.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.

Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.

+ - Privacy Notice - Employees, Consultants and Volunteers

Privacy Notice – Employees, Consultants and Volunteers

This privacy notice advises employees, workers, self-employed staff and/or consultants, governors and volunteers of the school’s data protection responsibilities on the collection and processing of their personal information.

We collect and process your personal data to assist in the running of the school and to manage the employment relationship of, or otherwise manage, those who are engaged to work or perform services for us.

We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.

We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that individuals’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com. Questions about this policy, or requests for further information, should be directed to her.

What is personal information and what does processing mean?

Personal information is any information that relates to you that can be used directly or indirectly to identify you.

Personal information and processing are defined as follows:

  • Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
  • Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).

Data protection principles

We process personal data about pupils in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent way.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.

Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Our legal basis (grounds) for using your personal data

There are several reasons why we hold, process and share individuals’ personal data. Under data protection laws, the lawful reasons for processing personal data include:

  • Consent.
  • For the performance of a contract.
  • To comply with a legal obligation.
  • To protect the vital interests of the pupil or another person.
  • For a task carried out in the public interest.
  • For a legitimate interest of the school or one of the organisations it shares data with (eg legal adviser) except where those rights are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, particularly in the case of a child.

Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.

Consent

We may ask for your consent to use your information in certain ways, for example use of photographs on trust or school websites, occupational health referrals, reference requests or rental/mortgage application reference requests. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.

Performance of a contract

We need to process data to enter into an employment contract or other contract of engagement with you and to meet our obligations under such contract. For example, we need to process your data to provide you with a contract, to pay you in accordance with your contract and to administer benefit, pension and insurance entitlements.

Your personal data, where it is reasonable to do so, may also be shared with other professionals contracted by the school, such as legal and professional advisers or HR providers.

Other examples include:

  • We operate and keep a record of absence and absence management procedures, to allow effective workforce management and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • We obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • We operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with contractual or legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights.
  • Ensure effective general HR and business administration.

Legal obligation

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we must check an employee’s or worker’s entitlement to work in the UK, deduct tax, comply with health and safety laws and enable staff to take periods of leave to which they are entitled. Safer recruitment procedures in schools also require appropriate checks to be made on people who work with children.

Statutory reporting requirements are included within this section. As is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.

Other examples include:

  • We obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • We operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.

Vital interests

This legal basis can be used where, for example, we need to disclose information about you to prevent you or someone else from being seriously harmed or killed. An example can include providing information to a medical professional about you in circumstances where you are unable to provide the information yourself. It may cover an emergency situation.

Legitimate Interests

We have a legitimate interest in processing personal data before, during and after the end of the employment or contractual relationship/engagement. Processing employee data allows us to:

  • Run recruitment and promotion processes.
  • Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace.
  • Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes.
  • Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with contractual or legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
  • Respond to and defend against legal claims or other investigatory processes.

Why do we collect and process individuals’ personal data?

We process data relating to those we employ to work at, or otherwise engage to work or support the school. The purpose of processing this data is to assist in the running of the school, including to:

  • Enable individuals to be paid.
  • Facilitate safe recruitment.
  • Support the effective performance management of staff.
  • Improve the management of workforce data across the sector.
  • Inform our recruitment and retention policies.
  • Allow better financial modelling and planning.
  • Enable ethnicity and disability monitoring.
  • Support the work of the School Teachers’ Review Body.

What data do we hold on you?

The personal data we hold regarding you can include, but is not limited to, information such as:

  • Your name and address.
  • Email address and telephone number.
  • Date of birth.
  • Gender.
  • Marital status.
  • Emergency contacts.
  • Your nationality and entitlement to work in the UK.
  • Bank details.
  • National insurance number.
  • Your employment contract(s).
  • Salary and benefits.
  • Pension details and insurance cover.
  • Your hours and days of work.
  • Details of periods of leave taken by you, such as holiday, sickness, maternity/paternity leave or other leave and the reasons.
  • Qualifications and skills.
  • Car registration details.
  • Work experience and employment history.
  • Information about your criminal record.
  • Your disciplinary or grievance records.
  • Appraisals and related correspondence.
  • Details of medical or health conditions.
  • Disability status.
  • Records of any reasonable adjustments.
  • Equal opportunities monitoring information.

Any staff member engaged by us wishing to see a copy of the information about them that we hold should contact Lynne Harrison, Trust Business Manager.

How do we obtain personal data?

We may collect this information in a variety of ways. For example, data might be collected through:

  • Application forms, CVs or resumés.
  • Your passport or other identity documents, such as your driving licence.
  • From third parties such as the Disclosure and Barring Service (DBS) in carrying out safeguarding checks.
  • Forms completed by you at the start of or during your employment or engagement with us (such as benefit nomination forms).
  • Correspondence with you.
  • Interviews, meetings or other assessments.

We will not share information about those engaged at the school with third parties unless the law or our policies allows us to. In circumstances where consent is the basis for processing, such as with references, we will not share your data with third parties unless we have your consent.

We are required, by law, to pass certain information about staff or those engaged by us to specified external bodies, such as our local authority (LA) and the Department for Education (DFE), so that they are able to meet their statutory obligations.

In some cases, the school may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

On some occasions, the school will process your personal data for the performance of a contract that it may hold with a third party. For example, a data security contract with a third-party IT services provider or as for facilitating access to the library or homework systems.

Who has access to your personal data?

Your personal data may be shared internally with other members of staff in order for them to perform their roles. This can include sharing personal data with the senior leadership team, governors, trustees, HR (including payroll), your line manager, managers and IT staff. We may also share your personal data with third parties. This can include when obtaining background checks as part of safer recruitment guidelines, pre-employment references and criminal records checks from the DBS. The school may also share your data with third parties in the context of a TUPE transfer.

We share your data with third parties that process data on our behalf, for example, in connection with payroll, the provision of benefits such as your pension and the provision of occupational health services. Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.

Sending information to other countries

With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.

Our servers and storage systems are based in house and within the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.

Automated decision-making and profiling

We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).

Special categories of personal data

We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.

Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).

The school also processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief. This is done for the purposes of equal opportunities monitoring and in accordance with its Public Sector Equality Duty in accordance with the Equality Act.

Some of the reasons we process such data on employees include:

  • Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
  • Medical purposes. This includes medical treatment and the management of healthcare services.

How do we protect individuals’ personal data?

We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where possible, uses secure software data exchange applications, uses secure shared folders, uses passwords, virus protection and has appropriate firewalls.

How long do we keep your personal data?

We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.

We will keep certain information after you have left the school. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.

What rights do you have in relation to your information?

When the GDPR comes into force in May 2018 out of date, needs rewording, you will have the following rights in relation to your personal data. Some of these rights are new.

  • The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
  • The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
  • The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
  • The right to object. Individuals have the right to object to:
  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  • Direct marketing.
  • Processing for scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling.

Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights .

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.

Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.

+ - Privacy Notice - Job Applicants

Privacy Notice – Job Applicants

This privacy notice advises pupils of the school’s data protection responsibilities on the collection and processing of their personal information.

We collect and process your personal data as part of the recruitment process in relation to the role you are applying for. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.

We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that pupils’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com Questions about this policy, or requests for further information, should be directed to her.

What is personal information and what does processing mean?

Personal information is any information that relates to you that can be used directly or indirectly to identify you. Personal information and processing are defined as follows:

  • Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
  • Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).

Data protection principles

We process personal data about pupils in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent way.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.

Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

Our legal basis (grounds) for using pupils’ personal data

The academy will obtain your consent to hold, process and share your personal data in relation to the recruitment process.

You are under no obligation to provide your consent to provide data to the school during the recruitment process. If you do not consent to the school holding, processing and sharing your personal data during the recruitment process, the school may not be able to process your application.

In some cases, the school will need to process data to ensure that it is complying with its legal obligations. For example, the school must check an applicant’s entitlement to work in the UK. Safer recruitment procedures in schools also require appropriate checks to be made on people who work with children.

Why do we collect and process applicant’s personal data?

The school processes data relating to applicants to assist in the recruitment process, including to:

  • Enable the school to manage its recruitment process.
  • Facilitate safer recruitment by ensuring the school is complying with its legal obligations in relation to safer recruitment checks.
  • Ensure the school is complying with its legal obligations in relation to the right to work in the UK.
  • Ensure a candidate is suitable for the role.
  • Enter into an employment contract with you, should you be successful.
  • Enable ethnicity and disability monitoring.
  • Ensure reasonable adjustments can be made for those applicants who have a disability.
  • Ensure a fair recruitment process has taken place.

What data do we hold on you?

The personal data we hold regarding you can include, but is not limited to, information such as:

  • Your name and address.
  • Email address and telephone number.
  • Date of birth.
  • Equal opportunities monitoring information.
  • Your nationality and entitlement to work in the UK.
  • National insurance number.
  • Information about your current salary and benefits.
  • Qualifications and skills.
  • Work experience and employment history.
  • Information about your criminal record.
  • Disability status to enable the school to make any reasonable adjustments throughout the recruitment process.

Any applicant wishing to see a copy of the information about them that we hold should contact the Trust Business Manager.

How do we obtain personal data?

We may collect this information in a variety of ways. For example, data might be collected through:

  • Application forms, CVs or resumés.
  • Your passport or other identity documents, such as your driving licence.
  • Forms completed by you as part of the recruitment process.
  • Correspondence with you.
  • Interviews, meetings or other assessments as part of the recruitment process.

In accordance with the school’s safer recruitment obligations, the school will also collect personal information about you from third parties. This will include obtaining references from your previous employer and from third parties such as the Disclosure and Barring Service (DBS) to ensure the relevant safeguarding checks are completed.

We will not share information about you with third parties without your consent, unless the law or our policies allows us to.

In the event you are successful, we are required, by law, to pass certain information about those engaged by us to specified external bodies, such as our local authority (LA) and the Department for Education (DFE), so that they are able to meet their statutory obligations.

Who has access to your personal data?

Your personal data may be shared internally with other members of staff involved in the recruitment process in order for them to perform their roles. This can include sharing personal data with the senior leadership team, governors, trustees and HR (including payroll). We may also share your personal data with third parties. This can include when obtaining background checks as part of safer recruitment guidelines, pre-employment references and criminal records checks from the DBS.

Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.

Sending information to other countries

With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.

Our servers and storage systems [are/are not] based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.

Automated decision-making and profiling

We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).

Special categories of personal data

We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.

Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).

The school also processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief. This is done for the purposes of equal opportunities monitoring and in accordance with its Public Sector Equality Duty in accordance with the Equality Act.

Some of the reasons we process such data on applicants include:

  • Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
  • For equal opportunities monitoring.
  • For medical reasons to ensure that we comply with our health and safety obligations to you.

How do we protect applicants’ personal data?

We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where practical, uses passwords, virus protection and has appropriate firewalls.

How long do we keep your personal data?

We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.

If you are successful in being appointed to the role, all personal data collected by the school will be processed and transferred to your personnel file. We are not required to keep certain documents, such as a copy of your passport, for longer than is required to confirm your identity and to establish your right to work in the UK. Details of how long we retain certain documents is contained in our Retention Schedule. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.

Ongoing collection and processing of your personal data in relation to your employment with the school is explained in our privacy notice for employees, a copy of which will be provided to you during induction.

If you are unsuccessful in your application, the school will retain your personal information for a period of 6 MONTHS after the end of the recruitment process. With your consent, the school will keep your personal data on file for a further 6 months for consideration of future employment opportunities. Should you withdraw your consent within that time, or once that time period has expired, your data will be deleted or destroyed.

What rights do you have in relation to your information?

When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.

  • The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
  • The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
  • The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
  • The right to object. Individuals have the right to object to:
  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  • Direct marketing.
  • Processing for scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling.

Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.

Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.

+ - Management and Retention of Records Policy

MANAGEMENT AND RETENTION OF RECORDS POLICY

Introduction

This guidance applies to the retention of all records within schools. Some of the guidance below relates to records within schools that will contain ‘personal data’. Personal data is defined under the General Data Protection Regulation (GDPR) as:

  • Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).

Under the new data protection laws, it is each organisation’s responsibility to ensure compliance with the GDPR which comes into force on 25 May 2018. Therefore, where records contain personal data, schools need to be aware of the additional obligations they need to meet.

In brief, the GDPR introduces several legal obligations in relation to records containing personal data. This includes obligations such as advising data subjects of the information you hold on them, the purpose for which you hold or process such information, how long you hold it for (the retention period), the legal basis for which you process the personal data and what the data subject’s rights are in relation to the data.

Overall, personal data should be kept for no longer than necessary. This means that schools need to be aware of how long each type of record needs to be retained in law, where it might be judicious to retain records for a longer period, and how to destroy records that are no longer needed. To assist schools in identifying records that may contain personal data, they are advised to complete a data protection audit. One is available on the CEFM website under the GDPR section.

Under the Freedom of Information Act 2000, schools are required to maintain a retention schedule listing the record series which the school creates in the course of its business. The retention schedule lays down the length of time for which the record needs to be maintained and the action which is taken when it is of no further administrative use (what is destroyed, when it was destroyed and by whom).

This policy is based upon the policy recommended by the Records Management Society for maintained schools in England and that produced by Buzzacott LLP for compliance with the Charity Commission’s requirements. Wallingford School recognises that the efficient management of its records is necessary to comply with its legal and regulatory obligations and to contribute to the effective overall management of the organisation. This document provides the policy framework through which this effective management can be achieved and audited.

Objectives and targets

This policy applies to all records created, received or maintained by staff of the school in the course of carrying out its functions. This policy also applies to all accounting records required for retention by the Charity Commission under the Charities Act 2011 and under the Companies Act 2006, as well as those records required by HMRC and others to be retained.  Records are defined as all those documents which facilitate the business carried out by the school and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. These records may be created, received or maintained in hard copy or electronically.

A small percentage of the school’s records will be selected for permanent preservation as part of the school’s archives and for historical research.

Action plan

The school keeps records under a wide variety of headings:

  • Child protection.
  • Personnel records of staff.
  • Health and safety.
  • School meals.
  • DFE, local authority (LA), work experience and careers, family liaison.

The school has a corporate responsibility to maintain these records and record keeping systems in accordance with the regulatory environment.

The person with overall responsibility for this policy is Trust Business Manager who will give guidance for good records management practice and will promote compliance with this policy so that information will be retrieved easily, appropriately and in a timely fashion.

The storage and retention of digital information will be handled on a day-to-day basis by the IT Network Manager under guidance of the Head, ensuring that records are held securely, backed-up on suitable systems, archived when necessary and checked regularly for ease of retrieval when required. Guidance may also be required from the school’s nominated data protection officer to ensure compliance.

Individual staff and employees must ensure that records for which they are responsible, particularly any that are kept on personally owned devices, are accurate, kept securely, and are maintained and disposed of in accordance with the school’s records management guidelines. Loss and destruction of records that contain personal data can carry significant penalties from the Information Commissioner’s Office (ICO). It is important for schools to be aware of this and ensure personal data is not placed at risk and that there are appropriate safeguards in place. There may be further consequences for individuals who fail to comply with safe record keeping guidelines and policies.

The chief financial officer is responsible for the secure retention of all financial documents for the period required by the Companies Act and charity legislation. These documents may be requested by authorised external agencies at any time, for example the academy’s auditors or the EFA. The chief financial officer makes arrangements with the IT Network Manager for the secure retention of electronic accounting records.

The guidelines follow those set out in the Records Management Toolkit for schools version 5 (updated in February 2016), and can be found on the Information and Records Management Society’s website http://irms.org.uk/page/SchoolsToolkit.

There are a number of benefits from the use of a complete retention schedule:

  • Managing records against the retention schedule is deemed to be ‘normal processing’ and employees can be confident that they are managing data in an appropriate manner.
  • Members of staff can be confident about shredding/erasing information at the appropriate time and with appropriate safeguards in place.
  • Information which is subject to freedom of information and data protection legislation will be available when required.
  • The school is not maintaining and storing information unnecessarily.
  • Additional guidelines specifically for academies, which have financial reporting responsibilities under the Companies Act 2006 and to the Charity Commission, are also followed and are set out in the Charity Commission’s guidance document ‘Retention of accounting records and other corporate records’ produced by Buzzacott LLP: buzzacott.co.uk/insights/retention-of-accounting-records-(1).

Archives

Old accounting and personnel records, and some other records, will be archived until being disposed of. Archived records will:

  • Be treated as being as confidential as current records.
  • Not necessarily be as accessible as current records, but will still be retrievable.
  • Have adequate storage made available or may be kept electronically or on microfilm.

Before deciding on whether records will be stored electronically the school will consider:

  • Whether the records may need to be kept in the original format (for legal reasons).
  • Whether the medium chosen to archive the records has an acceptable lifespan for records that will have to be retained for a very long time.
  • Where records are archived electronically or on microfilm, whether there will have an adequate means for accessing and printing the record.

A record of all documents that have been archived electronically or on microfilm will be kept.

Disposal of records

When the period of retention has expired, and there is no other reason to keep them, the records may be disposed of safely and securely. Particular regard must be paid when disposing of records containing personal data. The records will be completely destroyed by shredding paper, cutting up CDs and similar items and dismantling and destroying hard drives. Non-sensitive papers will be bundled and disposed of to a waste paper recycling merchant. A list is kept of records which have been destroyed. This list includes:

  • The file reference.
  • The file title or a brief description.
  • The number of files and date range.
  • The name of the authorising officer.
  • The date the file was destroyed.

Monitoring and evaluation

This policy has been drawn up within the context of the Freedom of information policy, the Data protection policy and with other legislation or regulations (including audit, equal opportunities and ethics) affecting the school and will be monitored to ensure that the retention guidelines updated by the Records Management Society periodically are adhered to.  In addition Wallingford School, being an academy, recognises the specific requirements for the retention of accounting records and other corporate records by the Charity Commission, HMRC and under the Companies Act 2006 and will therefore monitor the guidelines as recommended by the Charity Commission in the document ‘Retention of accounting records and other corporate records’

Retention

The governing board is responsible for the maintenance of this policy and will review it annually in the light of recommendations and any changes made by the Information and Records Management Society and the Charity Commission.

Next school review date: May 2019