Cardinal Heenan High School is the Data Controller of the personal information you provide to us. This means we determine the purposes for which, and the manner in which, any personal data relating to pupils and their families is to be processed. The Headteacher acts as a representative for the school with regard to its data responsibilities.
In some cases, your data will be outsourced to a third party processor who provides a service to us. Where the school outsources data to a third party processor, the same data protection standards that the school upholds are imposed on the processor.
Mr R Lewis-Ogden is the Data Protection Officer for this school. His role is to oversee and monitor the school’s data protection procedures, and to ensure they are compliant with the GDPR. The Data Protection Officer can be contacted at: firstname.lastname@example.org
What is this Privacy Notice for?
The notice sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users and the school. The aim of the notice is to give pupils, parents and carers an insight into how information about pupils is used at our school and how our websites work.
The categories of pupil information that we collect, hold and share includes:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment, attainment and curricular information
- Medical information,
- special educational needs and disabilities information,
- Behaviour information (such as exclusions and alternative provision information)
- safeguarding information (such as child in need referral information)
- biometric data (such as fingerprint for lunch payments)
- next of kin information
- emergency contact information
- Admissions information
- CCTV images captured in school
- transport to school information
Within school we use pupil data to:
- safeguard pupils
- support pupil learning
- monitor and report on pupil progress and equality of opportunity
- provide appropriate pastoral and safeguarding care
- allocate the correct teaching resource
- provide appropriate additional support
- assess the quality of our services
- provide a service such as cash free catering
- administer admissions waiting lists
- provide information to families about events and activities at the school
- comply with the law regarding education
- administer and protect public funds
- have accurate medical information on each child (such as food allergies)
- hold emergency contacts for each child
Most commonly, we process data where:
- We need to comply with a legal obligation (K from the list above)
- We need it to perform an official task in the public interest (a-j above)
- We need it to perform a contract (l above)
Less commonly, we may also process pupils’ personal data in situations where:
- We have obtained consent to use it in a certain way
- We need to protect the individual’s vital interests (m and n above) - or someone else’s interests
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Legal Obligation to collect and use pupil information
We are legally obliged to collect data to comply with the following legislation:
- Section 537a and Section 29 of The Education Act 1996
- Section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013
- Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013
- the Education (School Performance Information)(England) Regulations 2007
- Article 6 and Article 9 of the new GDPR laws, provide some of the underpinning purposes for school’s data collection.
- To follow DFE guidance on school attendance 2016 and Early Education and Childcare guidance 2018
- regulations 5 and 8 School Information (England) Regulations 2008
- the Education (Pupil Registration) (England) (Amendment) Regulations 2013
Collecting pupil information
We obtain pupil information via registration forms at the start of each academic year. In addition, when a child joins us from another school we are sent a secure file containing relevant information.
Pupil data is essential for a schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with GDPR we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this. Where consent is required, the school will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.
Storing pupil data
We follow legislation on how long we should hold pupil data in school in line with our Record Management and Data Handling Policies.
In accordance with the GDPR, the school does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.
We comply with the GDPR strict terms and conditions covering the confidentiality and handling of the data, security arrangements and use of the data.
Who do we share pupil information with?
We routinely share pupil information with:
- schools that the pupil attends after leaving us
- Your local authority and Leeds Local Authority
- Cardinal Heenan High School Governors
- the Department for Education (DfE)
- the Diocese of Leeds
- School Nursing Service
- NHS services and medical providers abroad when on overseas trips
- Police forces, courts and tribunals
- Pupils’ family and representative
- Educators and examining bodies
- Selected partners to benefit educational attainment/provide a service which we have contracted them for
- Youth Support Services (pupils aged 13+)
Why we share pupil information
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We share certain data with 3rd party suppliers who provide a service to us. All our suppliers follow GDPR data processing regulations.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information about Individual Pupils) (England) Regulations 2013.
We are required to share information about our pupils with our local authority (LA), the students LA and the Department for Education (DfE) under section 3 of The Education (Information about Individual Pupils) (England) Regulations 2013
Youth support services
What is different about pupils aged 13+?
Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
• youth support services
• careers advisers
A parent / guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child / pupil once he/she reaches the age 16.
Our pupils aged 16+
We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide the following services:
- post-16 education and training providers
- youth support services
- careers advisers
For more information about services for young people, please visit our local authority website.
DfE Data Collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to: https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD). The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies. To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information .
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
For more information, follow the link below:
To contact DfE: https://www.gov.uk/contact-dfe
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
Data sharing security
To be granted access to pupil information, organisations must comply with GDPR strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
We will not without your express consent provide your personal information to any third parties for the purpose of direct marketing.
What are your Rights?
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact the Headteacher.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with the headteacher or our Data Protection Officer at email@example.com in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Resources & Further Information
- General Data Protection Regulation
- Privacy and Electronic Communications Regulations 2003
- Privacy and Electronic Communications Regulations 2003 – The Guide
Data Protection Officer
If you would like to discuss anything in this privacy notice, please contact our Data Protection Officer at firstname.lastname@example.org
Cardinal Heenan High School, Tongue Lane, Leeds, LS6 4QE Tel: 0113 8873240
Cardinal Heenan High School
Tel: 0113 8873240
Fax: 0113 2940320