Under the data protection law, individuals have a right to be informed about how Castlewood School uses any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ to individuals where we are processing their personal data. This privacy notice explains how we collect, store and use personal data about our pupils.
Manor Hall Academy Trust is the ‘data controller’ for the purposes of data protection law.
Our data protection officer is Mrs T Lawlor.
How we use pupil information
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meals eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment information
- Relevant medical information
- Special education needs information
- Exclusions/behaviour information
Why we collect this information
We use the pupil data:
- To support pupil learning
- To monitor and report pupil progress
- To provide appropriate pastoral care
- To assess the quality of our services
- To comply with the law regarding data sharing
The lawful basis on which we use this information
We collect and use pupil information in accordance with the rules relating to the lawful processing of data under Article 6 GDPR 2018 for use in school censuses, in compliance with the Education Act 1996. In the interest of safeguarding, we also collect and process special categories of data in accordance with Article 9 GDPR where necessary.
For more information please visit the Department of Education website using the following link: https://www.gov.uk/education/data-collection-and-censuses-for-schools
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Who we share pupil information with
We do not share information about your child with any third party without consent unless the law and our policies allow us to do so.
Where it is legally required or necessary (and it complies with UK data protection law), we may share personal information about your child with:
- Our local authority (Solihull MBC) – to meet our legal obligations to share certain information with it, such as safeguarding concerns and information about exclusions
- Government departments or agencies
- Our youth support services provider
- Our regulator, Ofsted
- Suppliers and service providers:
- Catering Provider
- Teachers2Parents (texting service)
- Arbor (School MIS system)
- Careers Service provider
- Financial organisations
- Our auditors
- Health authorities
- Security organisations
- Health and social welfare organisations
- Professional advisers and consultants
- Police forces, courts, tribunals
The National Pupil Database (NPD)
We are required to provide information about pupils to the Department for Education as part of statutory data collections such as the school census.
Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department and provides evidence on school performance to inform research.
The database is held electronically so it can easily be turned into statistics. The information is securely collected from a range of sources including schools, local authorities and exam boards.
The Department for Education may share information from the NPD with third parties, such as other organisations which promote children’s education or wellbeing in England. These third parties must agree to strict terms and conditions about how they will use the data.
For more information, see the Department’s webpage on how it collects and shares research data.
You can also contact the Department for Education with any further questions about the NPD.
How to access personal information that we hold about your child
You have a right to make a ‘subject access request’ to gain access to personal information that we hold about your child.
If you make a subject access request, and if we do hold information about your child, we will (subject to any exemptions that apply):
Give you a description of it
Tell you why we are holding and processing it, and how long we will keep it for
Explain where we got it from, if not from you
Tell you who it has been, or will be, shared with
Let you know whether any automated decision-making is being applied to the data, and any consequences of this
Give you a copy of the information in an intelligible form
You may also have the right for your child’s personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request, please contact us (see ‘Contact us’ below).
Once your child is able to understand their rights over their own data (generally considered to be age 12, but this has to be considered on a case-by-case basis), we will need to obtain consent from your child for you to make a subject access request on their behalf.
Your other rights regarding your child’s data
Under UK data protection law, you have certain rights regarding how your child’s personal data is used and kept safe. For example, you have the right to:
Object to our use of your child’s personal data
Prevent your child’s data being used to send direct marketing
Object to and challenge the use of your child’s personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
In certain circumstances, have inaccurate personal data corrected
In certain circumstances, have the personal data we hold about your child deleted or destroyed, or restrict its processing
Withdraw your consent, where you previously provided it for the collection, processing and transfer of your child’s personal data for a specific purpose
In certain circumstances, be notified of a data breach
Make a complaint to the Information Commissioner’s Office
Claim compensation for damages caused by a breach of the data protection regulations
To exercise any of these rights, please contact us (see ‘Contact us’ below).
Once your child is able to understand their rights over their own data (generally considered to be age 12, but this has to be considered on a case-by-case basis), we will need to obtain consent from your child for you to make these requests on their behalf.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
Report a concern online at https://ico.org.uk/make-a-complaint/
Call 0303 123 1113
Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:
David Williscroft on the school number or via email at firstname.lastname@example.org
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
0121 748 9760
Jensen Avenue, Off Lanchester Way, Birmingham,
B36 9LF, United Kingdom