Privacy Notice
PRIVACY NOTICE FOR PARENTS/CARERS OF STUDENTS ATTENDING
Croxley Danes School
Croxley Danes School collects data and information about parents/carers of our students so that we can operate effectively as a school. This privacy notice explains how and why we collect parent/carer data, what we do with it and what rights parents have.
The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are or were married, whether a father is named on a birth certificate or has parental responsibility for the student, with whom the student lives or whether the student has contact with that parent), and also includes non-parents who have parental responsibility for the student, or with whom the student lives. It is therefore possible for a student to have several “parents” for the purposes of education law. This privacy notice also covers other members of students’ families who we may process data about from time to time, including, for example, siblings, aunts and uncles and grandparents.
Privacy Notice (How we use parent/carer information)
Croxley Danes School is a secondary school that is part of the Danes Educational Trust. This is a Multi Academy Trust. The Danes Educational Trust is the Data Controller and can be contacted via email at dpo@danesedtrust.org.uk.
The Data Protection Officer at Croxley Danes School is Mr David Dwight, Assistant Headteacher.
Why do we collect and use parent/carer information?
We collect and use parent/carer information under the following lawful bases under the UK General Data Protection Regulation (UK GDPR):
- where we have the consent of the data subject (Article 6 (a));
- where it is necessary for compliance with a legal obligation (Article 6 (c));
- where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e)).
Where the personal data we collect about parents/carers is sensitive personal data, we will only process it where:
- we have explicit consent [Article 9 (2)(a)];
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent [Article 9 (2)(c); and/or
- processing is necessary for reasons of substantial public interest, and is authorised by UK law (see section 10 of the 2018 Data Protection Act) [Article 9 (2)(g)].
Please see our Data Protection Policy for a definition of sensitive personal data.
We use the parent/carer data to support our functions of running a school, in particular:
- to decide who to admit to the school;
- to maintain a waiting list;
- to support student learning;
- to monitor and report on student progress;
- to provide appropriate pastoral care;
- to assess the quality of our services;
- to comply with the law regarding data sharing;
- for the protection and welfare of students and others in the school, including our safeguarding/child protection obligations;
- for the safe and orderly running of the school;
- to promote the school;
- to send you communications that may be of interest to you which may include information about school events or activities, news, campaigns, appeals, other fundraising activities;
- in order to respond to investigations from our regulators or to respond to complaints raised by our stakeholders;
- in connection with any legal proceedings threatened or commenced against the school.
The categories of parent/carer information that we collect, hold and share include:
- Personal information (such as name, address, telephone number and email address);
- Information relating to your identity, marital status, employment status, religion, ethnicity, language, medical conditions, nationality, country of birth and free school meal/student premium eligibility/entitlement to certain benefits, information about court orders in place affecting parenting arrangements for students.
From time to time and in certain circumstances, we might also process personal data about parents/carers, some of which might be sensitive personal data, information about criminal proceedings/convictions or information about child protection/safeguarding. This information is not routinely collected about parents/carers and is only likely to be processed by the school in specific circumstances relating to particular students, for example, if a child protection issue arises or if a parent/carer is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and/or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
We collect information about parents/carers before students join the school and update it during students’ time on the roll as and when new information is acquired.
Collecting parent/carer information
Whilst the majority of information about parents/carers provided to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the UK GDPR, we will inform you whether you are required to provide certain parent/carer information to us or if you have a choice in this. Where appropriate, we will ask parents/carers for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to ask your permission to use your information for marketing purposes or to request voluntary contributions. Parents/carers may withdraw consent given in these circumstances at any time.
In addition, the School also uses CCTV cameras around the school site for security purposes and for the protection of staff and students. CCTV footage may be referred to during the course of disciplinary procedures (for staff or students) or when investigating other issues. CCTV footage involving parents/carers will only be processed to the extent that it is lawful to do so. Please see our Data Security policy for more details.
Storing parent/carer data
We hold your data securely and have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. Access to information is limited to those who have a business need to know it and who are subject to a duty of confidentiality. A significant amount of the personal data is stored electronically, for example, on our MIS database. Some information may also be stored in hard copy format.
Data stored electronically may be saved on a cloud-based system which may be hosted in a different country.
Personal data may be transferred to other countries if, for example, we are arranging a school trip to a different country. Appropriate steps will be taken to keep the data secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach involving your data where we are legally required to do so.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a parent/carer we will retain and securely destroy your personal information in accordance with applicable laws and regulations.
Who do we share parent/carer information
We routinely share parent/carer information with:
- schools that students attend after leaving us;
From time to time, we may also share information with other third parties including the following:
- our local authority Hertfordshire County Council;
- a student’s home local authority (if different);
- the Department for Education (DfE);
- school governors/trustees; the central team at The Danes Educational Trust;
- the Police and law enforcement agencies;
- NHS health professionals including the school nurse, educational psychologists,
- Education Welfare Officers;
- Courts, if ordered to do so;
- the Teaching Regulation Authority;
- Prevent teams in accordance with the Prevent Duty on schools;
- other schools, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
- Capita sims.net: school information system
- Parentpay: school payments
- Show My Homework: online homework planner
- CPOMS: Child Protection
- Capita sims.net: school information management system
- School Comms: school parent communication
- Sims SchoolView: parent app
- Arbor Education: management information system (MIS)
- Edval: timetabling software
- cyberalarm.police.uk/cyber-alarm-tool-privacy-policy/
Some of the above organisations may also be Data Controllers in their own right in which case we will be joint controllers of your personal data and may be jointly liable in the event of any data breaches.
We may also share your data with a number of providers of software tools which may be used to support pupil learning, monitor and report on pupil attainment and progress; deliver the educational curriculum; ensure the safety and wellbeing of pupils; communicate with parents; or to carry out other operational processes to support our core activities as a public authority, under Article 6(e) of the UK GDPR. [A full list of these providers is available on request.] These providers act as data processors on our behalf, and are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow them to use your personal data for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.
In the event that we share personal data about students with third parties or data processors, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. Where necessary, we will carry out a Data Protection Impact Assessment (DPIA) to assess any risks involved.
Requesting access to your personal data
Under data protection legislation, parents/carers have the right to request access to information about them that we hold (“Subject Access Request”). To make a request for your child’s personal data, or be given access to your child’s educational record, contact Mr David Dwight, Data Protection Officer and Assistant Headteacher, although any written request for personal data will be treated as a Subject Access Request.
The legal timescales for the School to respond to a Subject Access Request is one calendar month. As the School has limited staff resources outside of term time, we encourage parents/carers to submit Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see our Data Protection Policy.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of our data protection responsibilities.
We will always seek to comply with any requests regarding your rights, however please note that we may still be required to hold or use your information to comply with legal duties.
For further information about your rights, including the circumstances in which they apply, see the guidance from the Information Commissioners Office (ICO) on individuals’ rights under the UK GDPR.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact The Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
DATA PROTECTION OFFICER
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO via enquiries@croxleydanes.herts.sch.uk . You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact the Information Commissioner's Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.