Privacy Notice – Pupils & Families

GDPR Privacy notice for pupils and families

The Trust processes pupil and some parent personal data and is the Data Controller of this
personal data.

The Trust’s Data Protection Lead can be contacted at:
dporequests@npcat.org.uk
This notice sets out how the school manages the personal data it uses.
The categories of pupil information that we collect, hold and share include:

  • Personal information (such as name, unique pupil number and address)
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school
    meal eligibility)
  • Attendance information (such as sessions attended, number of absences and absence
    reasons)
  • assessment information
  • relevant medical information
  • special educational needs information
  • exclusions / behavioural information
    Why we collect and use this information We
    use the pupil data:
  • to support pupil learning e.g.
    personal information to enable accurate pupil records
  • attendance data
    behavioural information.
    Where relevant, details of special educational needs or medical conditions
    to monitor and report on pupil progress e.g. assessment data, including
    from previous schools to provide appropriate pastoral care e.g.
    attendance or behavioural data may provide an indication of the
    requirement for pastoral support.
    Information about any family circumstances which might affect your child’s
    welfare or happiness.
    e.g. assessment data
  • to comply with the law regarding data sharing
  • to comply with a legal obligation e.g safeguarding of pupils.
    We also use personal data of parents/carers to support pupil learning and provide appropriate
    pastoral care by maintaining up to date contact information to enable efficient communication
    including in case of emergency.

    The lawful bases on which we use this information
    The School holds the legal right to collect and use personal data relating to pupils and their
    families, and may also receive information regarding them from their previous school, LA and/or
    the Department for Education (DfE).
    We collect and use personal data in order to meet legal requirements and legitimate interests
    set out in the General Data Protection Regulation (GDPR) and UK law, including those in relation
    to the following:
  • Article 6 and Article 9 of the GDPR (from 25 May 2018) consent of the Data
    Subject e.g use of images and videos of your child
  • the legitimate interest of providing educational services to your child o compliance with a legal obligation e.g. safeguarding pupils
  • to protect the vital interests of a Data Subject or another person e.g. promoting the
    welfare of pupils
  • Education Act 1996 e.g. submission of school census returns
  • Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations
    2013
    Collecting pupil information
    Whilst the majority of pupil information you provide to us is mandatory, some of it is provided
    to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we
    will inform you whether you are required to provide certain pupil information to us or whether
    this will need pupil or parental consent, which we will contact you about accordingly.
    Storing pupil data
    Personal data relating to pupils and their families is stored in line with the Trust’s GDPR Data
    Protection Policy. A copy of which can be found at:
    www.npcat.org.uk
    In accordance with the GDPR, the school does not store personal data indefinitely; data is only
    stored for as long as is necessary to complete the task for which it was originally collected. A full
    list of data retention periods is available in the Trust’s GDPR Data Protection Policy.
    Who we share pupil information with
  • We routinely share pupil information with:
  • schools that the pupil attends after leaving us
  • our Local Authority (LA)
  • the Department for Education (DfE)
  • The NHS
  • The LA, under strict information sharing protocols and policies, may be required to share this
    information with other public sector partners such as other Local Authorities or local Children’s
    Centres.
    Why we share pupil information
    We do not share information about our pupils with anyone without consent unless the law and
    our policies allow us to do so. Data is always shared using secure methods.
    Privacy Notice for pupils and their families 3
    The legal basis for sharing data with other schools and the LA is “the performance of a task
    carried out in the public interest or in the exercise of official authority vested in the Data
    Controller.”
    We share pupils’ data with the DfE on a statutory basis. This data sharing underpins school
    funding and educational attainment policy and monitoring.
    We are required to share information about our pupils with the DfE under regulation 5 of The
    Education (Information About Individual Pupils) (England) Regulations 2013.
    Data collection requirements:
    To find out more about the data collection requirements placed on us by the DfE (for example;
    via the school census) go to https://www.gov.uk/education/data-collection-and-censusesforschools.
    If you are enrolling for post 14 qualifications we will be provided with your unique learner
    number (ULN) by the Learning Records Service and may also obtain from them details of any
    learning or qualifications you have undertaken. Further information regarding the Learning
    Records Service can be provided by the office at Christ the King or found at
    www.gov.uk/government/publications/lrs-organisation-portal/lrs-organisation-portal.
    Youth support services Pupils aged 13+
    Once our pupils reach the age of 13 (or any other such age as is confirmed by the Government
    under the Data Protection Bill), we also pass pupil information to our LA and/or provider of
    youth support services as they have responsibilities in relation to the education or training of
    13-19 year olds under section 507B of the Education Act 1996.
    This enables them to provide services as follows:
  • youth support services
  • careers advisers
  • post-16 education and training providers
    A parent or guardian can request that only their child’s name, address and date of birth is
    passed to their local authority or provider of youth support services by informing us. This right is
    transferred to the child/pupil once he/she reaches the age defined in GDPR.
    The National Pupil Database (NPD)
    The NPD is owned and managed by the DfE and contains information about pupils in schools in
    England. It provides invaluable evidence on educational performance to inform independent
    research, as well as studies commissioned by the Department. It is held in electronic format for
    statistical purposes. This information is securely collected from a range of sources including
    schools, local authorities and awarding bodies.
    We are required by law, to provide information about our pupils to the DfE as part of statutory
    data collections such as the school census and early years’ census. Some of this information is
    then stored in the NPD. The law that allows this is the Education (Information About Individual
    Pupils) (England) Regulations 2013.
    To find out more about the NPD, go to
    https://www.gov.uk/government/publications/nationalpupil-database-user-guide-andsupporting-information.
    Privacy Notice for pupils and their families 4

    The department may share information about our pupils from the NPD with third parties who
    promote the education or well-being of children in England by:
  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance
    The DfE has robust processes in place to ensure the confidentiality of its data is maintained and
    there are stringent controls in place regarding access and use of the data. Decisions on whether
    DfE releases data to third parties are subject to a strict approval process and based on a detailed
    assessment of:
  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested: and
  • the arrangements in place to store and handle the data
    To be granted access to pupil information, organisations must comply with strict terms and
    conditions covering the confidentiality and handling of the data, security arrangements and
    retention and use of the data.
    For more information about the DfE’s data sharing process, please visit:
    https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
    For information about which organisations the department has provided pupil information, (and
    for which project), please visit the following website:
    https://www.gov.uk/government/publications/national-pupil-database-requests-received
    To contact DfE: https://www.gov.uk/contact-dfe
    Requesting access to your personal data
    Under data protection legislation, parents and pupils have the right to request access to
    information about them that we hold. Contact the Data Protection Officer to make a request for
    your personal information, or be given access to your child’s educational record.
    You also have the right to:
  • object to processing of personal data that is likely to cause, or is causing, damage or
    distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • data portability
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or
    destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations
    Where the processing of your data is based on your consent, you have the right to withdraw this
    consent at any time.
    If you have a concern about the way we are collecting or using your personal data, we request
    that you raise your concern with us in the first instance. Alternatively, you can contact the
    Information Commissioner’s Office at https://ico.org.uk/concerns/
    Privacy Notice for pupils and their families 5

    Contact
    If you would like to discuss anything in this privacy notice, please contact the school’s Data
    Protection Lead at:
    Nicholas Postgate Catholic Academy Trust
    Postgate House, Trinity Catholic College,
    Saltersgill Avenue, Middlesbrough, TS4 3JW
    Where can you find out more information?
    If you would like to find out more information about how we and/or the DfE collect, use and
    store your personal data, please visit our website www.npcat.org.uk or download our GDPR
    Data Protection Policy.

https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information