Privacy Notice – General Data Protection Regulation (GDPR)
This Privacy Notice has been written to inform parents and pupils of St George’s RC Primary School about what we do with your personal information. This Notice may be subject to change as the Data Protection Bill progresses.
Who are we?
St George’s RC Primary School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.
The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:
01609 53 2526
What information do we collect?
The categories of information that we collect, hold and share include the following:
- Personal information of pupils and their family members e.g. name, pupil number, DOB and address
- Educational attainment
- Free school meal eligibility
- Attendance information
- Assessment information
- Behavioural information
- Safeguarding information
We will also process certain ‘special category’ data about our pupils including:
- Relevant medical information- please note that where the pupil has a severe allergy or is thought to be at risk of needing emergency care for a medical issue then this will be shared with all the staff. We may do this in the form of photo identification in the staff room to ensure that all staff are aware of the issues should an emergency situation arise
- Special Educational Needs and Disabilities information
- Race, ethnicity and religion
Why do we collect your personal data?
We use the information we collect:
- to support pupil learning
- to monitor and report on pupil progress
- to provide appropriate pastoral care
- to assess the quality of our services
Any personal data that we process about our pupils and parents is done so in accordance with Article 6 and Article 9 of GDPR.
Our legal basis for processing your personal data, in line with Article 6(1)(c) include:
- Education Act 1944,1996, 2002
- Education and Adoption Act 2016
- Education (Information About Individual Pupils)(England) Regulations 2013
- Education (Pupil Information) (England) Regulations 2005
- Education and Skills Act 2008
- Children Act 1989, 2004
- Children and Families Act 2014
- Equality Act 2010
- Education (Special Educational Needs) Regulations 2001
We also process information in accordance with Article 6(e) and Article 9(2)(g) as part of the official authority vested in us as Data Controller and for reasons of substantial public interest. Such processing, which is not mandatory but is considered to be in our pupils’ interests, include:
- School trips
- Extra curricular activities
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. When we do process this additional information we will ensure that we ask for your consent to process this.
Who do we obtain your information from?
Much of the information we process will be obtained directly from you (pupils and parents). We will also process information received from:
- Department for Education (DfE)
- Local Education Authority – City of York
- Previous schools attended
- Who do we share your personal data with?
We routinely share pupil information with:
- schools that the pupils attend after leaving us
- our Local Education Authority – City of York
- the Department for Education (DfE)
- National Health Service bodies
For more information on information sharing with the DfE (including the National Pupil Database and Census) please go to:
We will not share any information about you outside the school without your consent unless we have a lawful basis for doing so.
How long do we keep your personal data for?
St George’s RC Primary School will keep your data in line with our Information Policy. Most of the information we process about you will be retained as determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.
What rights do you have over your data?
Under GDPR parents and pupils have the following rights in relation to the processing of their personal data:
to be informed about how we process your personal data. This notice fulfils this obligation
to request access to your personal data that we hold, and be provided with a copy of it
to request that your personal data is amended if inaccurate or incomplete
to request that your personal data is erased where there is no compelling reason for its continued processing
to request that the processing of your personal data is restricted
to object to your personal data being processed
If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.
If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:
First Contact Team
Information Commissioner’s Office
email@example.com // 03031 231113