Henry Allen Privacy Notice 2023-4

We, Henry Allen Nursery School, are a data controller for the purposes of the General Data Protection Regulations (GDPR). 

The purpose of this document is to conform with your legal right to be informed about how the school collects, stores, uses or shares any information we hold about you or your child.  For the purpose of this document, ‘pupil information’ includes any relevant details about parents, carers or persons responsible for the child.

Why do we collect and use pupil information?

Under Article 6 of the General Data Protection Regulation (GDPR), we collect and use information because we are legally required to collect some information about pupils and staff and we need to process this information due to our legal obligation (6,c) to provide an education to our pupils.  This includes sharing information with exam boards, other schools and the Department of Education (DfE) where necessary.  Our operation necessitates the use of contracts (6,b) including home-school contracts and contracts with staff and suppliers.  In addition, due to our safeguarding responsibilities, we also collect information for the reason of vital interest (6,d) where the processing is necessary to protect someone’s life. CCTV footage is recorded and a separate CCTV policy exists. Occasionally we collect and process data as a requirement for a public task (6,e), which could include collecting evidence of our duty to educate children, in the form of a learning or communication platform, or the capture of images/video/sound at school events, such as sports day and concerts/productions.

Under Article 6 and Article 9 of GDPR, where the above lawful bases do not allow us to collect essential personal information, we will use consent (6,a) where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

We may receive information about them from their previous school, the Department for Education (DfE) and Buckinghamshire County Council. We hold this personal data to: 

• support the learning in our school
• monitor and report on pupil progress
• provide appropriate pastoral care
• assess the quality of our services
• keep our pupils and staff safe
• comply with the law regarding data sharing

The categories of information that we collect, hold and share include:

Personal details (such as name, Unique Pupil Number and address), national curriculum assessment results, attendance information (such as sessions attended, number of absences and absence reasons), any exclusion information, where they go after they leave us, personal characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility), any special educational needs they may have as well as relevant medical information.  Sensitive personal information may also be processed for safeguarding purposes (on the Legal Basis of Vital Interest) at any time.  Explicit consent would be sought if biometric data was ever to be collected/used by the school in the future.

Collecting pupil information

We collect pupil information by using registration forms, data collection forms (which may be used annually) or file transfer from previous schools.

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulations, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.  

Storing data

An annual sweep of the school network will be used to ensure that data is removed from general access where appropriate.  We shred or destroy redundant data onsite.

We may hold data on USB memory devices if adequately protected, although their use is discouraged.

Photographs, videos and sound media will be captured by the school using school equipment and in line with any consent granted. 

Data is backed up regularly (details can be obtained from the School Office), SIMS and CPOMS are online services, backed up by the service providers (details are held within our Supplier Compliance Log). We maintain a supplier compliance log to ensure that Data Processors (our suppliers) are compliant and effectively safeguard your data.

The school has robust processes in place to minimise the risk of data breaches. In the unlikely event of a Data Breach, the school has an internal Data Breach Procedure and documentation which would be followed.  These documents are overseen by the school’s Data Protection Officer (DPO).  In the event of a data breach, we would act in accordance with the General Data Protection Regulations 2018. 

Data Retention

Data will be retained by the school for the duration of the pupil’s time with us.  We cannot agree to delete data during this time. 

We will agree to remove data held on pupils, if requested, after they have left us (provided we are not required to keep it due to ratified policy or law).  We will have to send their information to a new school or education establishment if applicable.

We hold pupil data until they reach 25 years of age for pupils with SEN* (Data will be securely deleted in the academic year of their 25th birthday).  Ordinarily, data will be removed from general access two years after they have left the school, where educational records and/or child protection records have been passed to an alternative provision (or to Buckinghamshire or another county or country). A yearly sweep of school documentation will be carried out to ensure that such data is protected and removed from general access where appropriate.

Some school data will be kept for 7 years – this includes financial accounting information (legal reasons) and Data Breach Logs. Emails will usually be retained within school for a period of two years, unless the information contained needs to be kept longer than this (professional judgement/SLT discretion).

* and children without SEN if there is a major incident (for example, a safeguarding or critical/medical incident requiring external agency support).  We may be required to keep the entire file until the youngest child involved turns 25 years of age, or longer for specific and regulated incidents.

Who do we share information with?

We will not give information about you or your child to anyone without your consent unless the law and our policies allow us to. 

Where our school is involved in collaborative delivery with other schools and learning providers, pupil information may also be shared to aid the preparation of learning plans and the use of data to achieve the objectives identified above or with schools that the pupil attends after leaving us. We need to share information, on occasion with (but not limited to) Virtual Schools, Education Psychologist, transfer schools, Social Services Assessment Team, Children’s Services, school governors/trustees, county council support services including the NHS, police and courts as necessary, and other health related assessment teams including disability allowance. We are required, by law, to share some information with the Department for Education (DfE). This information will, in turn, then be made available for the use by the county council.  Additionally, the curriculum may require the use of third party web-based learning platforms, if GDPR compliant.  We may share information with our Parents’ Association if we have your consent.

Why we share information

We are required to share information about our pupils with the (DfE) under regulation 4 and 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Whilst we share information as an ongoing school management requirement, which would include non-standard operational activity such as promoting the school and complaints/legal proceedings as required, we do not share information about our pupils with anyone without your consent unless the law and our policies allow us to do so. 

Safeguarding

GDPR does not prevent, or limit, the sharing of information for the purposes of keeping children safe. Legal and secure information sharing between schools, Children’s Social Care, and other local agencies, is essential for keeping children safe and ensuring they get the support they need. Information can be shared without consent if to gain consent would place a child at risk. Fears about sharing information must not be allowed to stand in the way of promoting the welfare and protecting the safety of children. As with all data sharing, appropriate organisational and technical safeguards should still be in place.

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

If you need more information about how Buckinghamshire County Council and/or DfE collect and use your information, please visit:

• Buckinghamshire County Council at https://schoolsweb.buckscc.gov.uk/school-management-support/privacy-notice-for-pupils-and-staff/

or

• the DfE website at https://www.gov.uk/guidance/data-protection-how-we-collect-and-share-research-data

How Government uses your data

The pupil data that we lawfully share with the DfE through data collections:

• underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
• informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
• supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)

The National Pupil Database (NPD)

Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD).

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.

It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information

To contact DfE: https://www.gov.uk/contact-dfe

Requesting access to your personal data

Under data protection legislation, parents, carers have the right to request access to information that we hold about them or their child. To make a request for your personal information, or be given access to your child’s educational record, contact the appropriate school office or email the Data Protection Officer (see ‘Contact’ below).  Please be aware that in certain situations such as, but not restricted to safeguarding, this data may not be disclosed.

You also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purposes of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
• claim compensation for damages caused by a breach of the Data Protection regulations
• withdraw any consent that you have provided**

To find out more about your rights, visit https://ico.org.uk/your-data-matters/

**Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

No fee usually required

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Cookies

Our website uses Cookies to track visits to our website but we do not use it to identify you or for marketing purposes.  You do not have to use our website as the information can be provided to you by the school office at your request.

Concerns

We understand that there are penalties for inadequately protecting your data or for non-compliance with the GDPR. If you have a concern about the way we are collecting or using your personal data, you can raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/, on 0303 123 1113 or via email by visiting https://ico.org.uk/global/contact-us/email/

Contact
If you wish to access personal data held about you or your child, please contact:

Mrs Julie Manning, Co-Headteacher

Henry Allen Nursery School

Mitchell walk

Amersham

Bucks HP6 6NW

headteacher@henryallen.bucks.sch.uk

or

Data Protection Officer

Richard Maskrey

dpo@henryallen.bucks.sch.uk

Additional Contact Details

• LA’s Data Protection Office: Information Governance Unit, Room C1, County Hall, Pegs Lane, Hertford, SG13 8DQ, email: dataprotectionhertscc.gov.uk
• QCA’s Data Protection Officer: 83 Piccadilly, London, W1J 8QA
• DfE’s Data Protection Office Caxton House, Tothill St, London, SW1H 9NA
• Ofsted Data Protection Office: Alexandra House, 33 Kingsway, London, WC2B 6SE