St. Anne's school is a co educational school for students aged 4 to 16. We take our responsibilities as a data controller seriously and are committed to using the personal data we hold in accordance with the law.
This privacy notice provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the School secretary by email on email@example.com; by telephone on01481 822173or, by post.
TYPES OF PERSONAL DATA WE PROCESS
We process personal data about prospective, current and past: pupils and their parents; staff, suppliers and contractors; donors, friends and supporters; and other individuals connected to or visiting our school.
The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- family details;
- admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks;
- education and employment data;
- images, audio and video recordings;
- financial information (eg for bursary assessment or for fundraising);
- courses, meetings or events attended.
As a school, we need to process special category personal data (eg concerning health, ethnicity, religion or biometric data) and criminal records information about some individuals (particularly pupils and staff). We do so in accordance with applicable law (including with respect to safeguarding or employment) and, where necessary, relying on individuals’ explicit consent.
COLLECTING, HANDLING AND SHARING PERSONAL DATA
We collect most of the personal data we process directly from the individual concerned (or in the case of pupils, from their parents). In some cases, we collect data from third parties (for example, referees, previous schools, the Disclosure and Barring Service, or professionals or authorities working with the individual) or from publicly available resources (for example, for fundraising purposes, as further set out below).
Personal data held by us is processed by appropriate members of staff for the purposes for which the data was provided, in accordance with section 4 below. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to school systems. We do not transfer personal data outside of the European Economic Area unless we are satisfied that the personal data will be afforded an equivalent level of protection.
In the course of school business, we share personal data (including special category personal data where appropriate) with third parties such as examination boards, the school doctors, the school’s professional advisors and relevant authorities (eg the Local Children Safeguarding Board, Disclosure and Barring Service, National College for Teaching and Leadership, UK Visas and Immigration, HM Revenue and Customs, Department for Education and Department for Work and Pensions). Some of our systems are provided by third parties, eg hosted databases, school website, school calendar, class dojo or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions.
PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
We process personal data to support the school’s operation as a co-educational school for 4 to 16 years old, and in particular for:
The admission of pupils;
The provision of education to pupils including the administration of the school curriculum and timetable; monitoring pupil progress and educational needs; reporting on the same internally and to parents; administration of pupils’ entries to public examinations, reporting upon and publishing the results; providing references for pupils (including after a pupil has left);
The provision of educational support and related services to pupils (and parents) including the maintenance of discipline; provision of careers and library services; administration of sports fixtures and teams, school trips; provision of the school’s IT and communications system and virtual learning environment (and monitoring the same) all in accordance with our IT policies;
The safeguarding of pupils’ welfare and provision of pastoral care, welfare, health care services by school staff or school nursing services.
Compliance with legislation and regulation including the preparation of information for school inspections
Operational management including the compilation of pupil records;
the administration of invoices, fees and accounts; the management of the school’s property;
the management of security and safety arrangements including monitoring of the school’s IT and communications systems in accordance with our Acceptable Use Policy;
management planning and forecasting; research and statistical analysis;
the administration and implementation of the school’s rules and policies for pupils and staff;
the maintenance of historic archives and other operational purposes;
Staff administration including the recruitment of staff/ engagement of contractors (including compliance with DBS procedures);
administration of payroll, pensions and sick leave; review and appraisal of staff performance;
conduct of any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff;
and providing references;
The promotion of the school through its own websites, the prospectus and other publications and communications (including through our social media channels);
LAWFUL BASES FOR PROCESSING
We may process your personal data for the above purposes because:
it is necessary for the performance of a contract (eg a Parent Contract, or an employment contract with a member of staff) or in order to take steps at a contracting party’s request prior to entering into such a contract;
it is necessary for our compliance with our legal obligations. In this respect, we may use personal data to exercise or perform any right or obligation conferred or imposed by law in connection with employment; and/or for the prevention and detection of crime, and in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities;
it is necessary for our or a third party’s legitimate interests. Our “legitimate interests” include our interests in providing the best education possible to our pupils, fostering relationships with those in the school community including OEs, pupils and parents, including for fundraising purposes and for keeping in touch, and our interests in managing and operating the College to the highest standards of a school;
it is necessary to protect an individual’s vital interests (in certain limited circumstances, for example where a pupil has a life-threatening accident or illness while at school and we have to process his personal data in order to ensure he receives prompt and appropriate medical attention);
it is necessary for the establishment, exercise or defence of legal claims;
it is necessary for reasons of substantial public interest, including safeguarding purposes;
it is necessary for medical purposes, including medical diagnosis and the provision of health care or treatment for pupils, managing related health care systems, and/or for assessing the working capacity of staff;
it is necessary for archiving, research or statistical purposes; we have an individual’s specific or, where necessary, explicit consent to do so.
HOW LONG WE KEEP PERSONAL DATA
We retain personal data only for legitimate purposes, relying on one or more of the lawful bases as set out above, and only for so long as necessary for those purposes, or as required by law. We have adopted Records Retention Guidelines (available on request) which set out the time period for which different categories of data are kept. If you have any specific queries about our record retention periods, please contact the school .
You have various rights under data protection law to:
- obtain access to, and copies of, the personal data that we hold about you;
- require us to correct the personal data we hold about you if it is incorrect;
- require us to erase your personal data in certain circumstances;
- require us to restrict our data processing activities in certain circumstances;
- receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of your transmitting that personal data to another data controller;
- object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights (including a right to object to receiving fundraising or communications, and to object to our profiling you for the purposes of fundraising or keeping in touch);
where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal.
Please note that these rights are not absolute, and we may be entitled or required to refuse requests where exceptions or exemptions apply.
If you would like to exercise any of your rights under data protection law for which we are the data controller, please make your request in writing to the :
St Anne's School
We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time limits, which is typically one month but may be extended where your request is complex. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly unfounded or excessive (particularly because of their repetitive character, where they are similar to previous requests), we may ask you to reconsider or charge a proportionate fee, but only where data protection law allows this.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any pupil examination scripts (though examiners’ comments may fall to be disclosed), nor any confidential reference given or received by the school for the purposes of the education, training or employment of any individual.
PUPIL DATA AND PARENTAL CONSENT
The rights under data protection law belong to the individual to whom the data relates. However, where consent is required as the lawful basis for processing personal data relating to pupils (because no other lawful basis applies) we will often rely on parental consent unless, given the nature of the processing in question, and the pupil’s age and understanding, it is more appropriate to rely on the pupil’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and taking in to account all the relevant circumstances.
In general, we will assume that pupils’ consent is not required (and that other lawful bases are more appropriate, as described above) for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare, unless, in the school’s opinion, there is a good reason to do otherwise.
However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example where the school believes disclosure will be in the best interests of the pupil or other pupils, or is required by law.
Pupils can make subject access requests (or other requests to exercise individual rights under data protection law) for their own personal data, provided that they have sufficient maturity to understand the request they are making. Our pupils are generally assumed to have this level of maturity. A person with parental responsibility will generally be entitled to make a subject access request (or other requests to exercise individual rights under data protection law) on behalf of pupils, but the information in question is always considered to be the child’s at law. A pupil of any age may ask a parent or other representative to make a subject access request (or other requests to exercise individual rights under data protection law) on their behalf. Moreover, if a pupil is of sufficient maturity, their consent or authority may need to be sought by the parent making such a request.
CHANGE OF DETAILS
We try to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Please notify of any significant changes to important information, such as contact details, held about you.
Our privacy notice should be read in conjunction with our other policies and terms and conditions which make reference to personal data, including our Parent Contract, our Safeguarding Policy, Health & Safety Policies, Acceptable Use Policies and IT Policies.
We will update this Privacy Notice from time to time. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable.
If you believe that we have not complied with this policy or have acted otherwise than in accordance with data protection law, you should notify the. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with us before involving them. You can also find out more about your rights under data protection law from the ICO website available at: www.ico.org.uk.