THE CORSHAM SCHOOL ACADEMY GROUP
This policy is to let you know how The Corsham School Academy Group ('the Trust', 'we', 'us' or 'our') will collect, use and process Personal Data. It is also designed to let you know your rights and what you can do if you have questions about Personal Data.
The Trust is the controller for the purposes of data protection laws.
This document sets out the types of Personal Data (meaning information about an individual from which that individual can be personally identified) we handle, the purposes of handling those Personal Data and any recipients of it.
We are: The Corsham School Academy Group, a company limited by guarantee registered in England and Wales (company number 07550425)
Address: The Corsham School, The Tynings, Corsham, Wiltshire SN13 9DF
Our Website address is: www.corsham.wilts.sch.uk
Information Commissioner's Office Registration Number: Z2993634.
Our Data Protection Officer is: Christine Chaloner-Sandell
and their contact details are:
Email – Christine@marccomputers.co.uk
THE CORSHAM SCHOOL ACADEMY GROUP
2. Why we collect data
We collect and hold personal information relating to our pupils, parents, employees, governors, trustees, directors and others. We may also receive information about pupils from their previous schools, the Local Authority, Department for Education (DfE) and other bodies linked to their education, development and welfare.
We may share Personal Data with other agencies as necessary under our legal duties or otherwise in accordance with our duties/obligations as a Trust.
Whilst the majority of Personal Data we are provided with or collect is mandatory, some of it is provided to us on a voluntary basis. We will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Below are set out the reasons why we collect and process Personal Data, as well as the legal basis on which we carry out this processing:
to support our pupils’ learning: we will process Personal Data to help every child achieve his or her potential in all areas of learning and to promote excellence in our teaching and learning environment.
monitor and report on their progress: we will process Personal Data to record pupils' progress to help set and monitor targets and boost achievements and aspirations of all pupils.
provide appropriate pastoral care: we will process Personal Data to ensure that all pupils are properly supported in their time with us. We will process data to help staff understand and respond to the unique circumstances of all pupils.
assess the quality of our services: we will process Personal Data so that we may reflect on our own practices to help us improve and provide the highest quality education that we can to all pupils.
to ensure proper management of school trips and afterschool clubs and activities: when pupils and parents participate in school trips and afterschool clubs and activities Personal Data will need to be processed.
to promote and protect health and safety: in order to protect pupils, parents and staff in their involvement at the Trust, we must process Personal Data relating to matters such as incidents and responses to incidents.
for employment purposes: to assist in the running of the Trust and to enable individuals to be paid, we will process Personal Data of those employed to teach or otherwise engaged to work at the Trust.
to assist with the continuing development of our recruitment and retention policies and practices: to enable us to better our recruitment and retention policies and practices, we will process Personal Data of those currently employed by the Trust.
to develop our understanding of our workforce and how employees are deployed: to help us create a fully informed, comprehensive picture of the make-up of our workforce and how each employee is utilised as a member of our workforce, we will process Personal Data of those employed to teach or otherwise engaged to work at the Trust.
3. Legal Basis for Processing
The lawful bases for processing are set out in Article 6 of the GDPR, these are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The lawful basis for us to collect/process this Personal Data is in order to provide education in accordance with statute law (such as the Education Act 1996 and other legislation), our funding agreements with the Secretary of State, our memorandum and articles of association and other guidance provided for in law (c).
We also process Personal Data where processing is necessary for the performance of tasks carried out in the public interest. It is in the public interest to provide educational services to our pupils and to offer extra-curricular activities such as reading sessions and afterschool clubs to benefit the personal and academic growth of our pupils (e).
An additional lawful basis for us to collect/process employees' Personal Data is by reason of necessity for the performance of a contract of employment to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract (b).
In addition, Personal Data will be collected and/or processed for the purposes of relevant contracts for the provision of services which are paid for. This may include but is not limited to:
The provision of music tuition;
Entering students for examinations.
We do not process any special categories of Personal Data except where necessary for reasons of substantial public interest in complying with legal obligations including under the Equality Act 2010 or where necessary to protect the vital interests of the Data Subject or of another natural person and where safeguards are in place to ensure that this Personal Data is kept secure. For the avoidance of doubt where special categories of Personal Data are collected it shall not be used for the purposes of automated decision making and/or profiling.
Special categories of data means Personal Data revealing:
racial or ethnic origin;
political opinions; religious or philosophical beliefs or trade union membership;
genetic or biometric data that uniquely identifies you;
data concerning your health, sex life or sexual orientation; or
data relating to criminal convictions or offences or related security measures.
Further Personal Data including special categories of Personal Data may be collected and/or processed where consent has been given (for example, school photographs for non-educational purposes). If consent has been given then this may be revoked in which case the Personal Data will no longer collected/processed.
4. Categories of information we collect
We may collect the following types of Personal Data (please note this list does not include every type of Personal Data and may be updated from time to time):
name and contact details;
date of birth;
national insurance number;
health and/or other medical information;
information in connection with education (included but not limited to unique pupil numbers, test results, post 16 learning information and other records);
behavioural and disciplinary information;
free school meal eligibility;
information received in connection with any complaint;
information required for employment purposes, such as:
right to work information;
employee position and/ or role;
employment start date;
remuneration details (including national insurance and other financial details).
personal characteristics of pupils, such as:
their nationality and ethnic group;
any special educational needs they may have;
any relevant protected characteristics.
5. Who will have access to your data
Personal Data will be accessible by members of staff. Where necessary, volunteers, trustees and governors will also have access to Personal Data.
We will not share information about our pupils with third parties without consent unless we are required to do so by law or our policies. We will disclose Personal Data to third parties:
if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, for example:
We are required to share information about our employees with the DfE in order to comply with our legal obligations as set out by acts of Parliament and associated legislation and guidance.
We share pupils' Personal Data with the DfE in relation to school funding / expenditure and the assessment of educational attainment in order to comply with our legal obligations as set out by acts of Parliament and associated legislation and guidance.
in order to enforce any agreements with you;
in order to perform contracts with third party suppliers for purposes listed in Section 2. Our third party suppliers include:
HCSS (The Access Group)
School Pupil Tracker Online
Up and Under Sports Ltd
Wiltshire Local Authority
Wiltshire Outdoor Learning Trust
The Corsham School
This may include our Local Authority, the DfE (please see Section 6), the Police and other organisations where necessary; for example, for the purposes of organising a school trip or otherwise enabling students to access services or for the purposes of examination entry. Information may also be sent to other schools where necessary; for example, schools that pupils attend after leaving us.
Certain data collection obligations are placed on us by the DfE. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) visit: https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The above listed third party suppliers will process data on our behalf. Therefore, we investigate these third party suppliers to ensure their compliance with Relevant Data Protection Laws and specify their obligations in written contracts.
6. PUPIL DATA – The National Pupil Database (NPD)
The NPD is owned and managed by the DfE and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DfE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The DfE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
conducting research or analysis;
providing information, advice or guidance.
The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
who is requesting the data;
the purpose for which it is required;
the level and sensitivity of data requested: and
the arrangements in place to store and handle the data.
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the DfE has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
The DfE collects and processes Personal Data relating to those employed by schools (including Multi Academy Trusts) and local authorities that work in state funded schools (including all maintained schools, all academies and free schools and all special schools including Pupil Referral Units and Alternative Provision). All state funded schools are required to make a census submission because it is a statutory return under sections 113 and 114 of the Education Act 2005.
To find out more about the data collection requirements placed on us by the DfE including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
conducting research or analysis;
providing information, advice or guidance.
The DfE has robust processes in place to ensure that the confidentiality of Personal Data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether the DfE releases Personal Data to third parties are subject to a strict approval process and based on a detailed assessment of:
who is requesting the data;
the purpose for which it is required;
the level and sensitivity of data requested; and
the arrangements in place to securely store and handle the data.
To be granted access to school employee data, organisations must comply with the DfE's strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the DfE's data sharing process, please visit:
8. How data will be processed
Personal Data may be processed in a variety of ways, this will include but is not limited to:
maintaining written records for educational or employment purposes;
medical or allergy information displays;
sending by e-mail;
adding to spreadsheets, word documents or similar for the purposes of assessing personal data;
for educational software use (this could be for the purposes of helping children learn, discipline, reports and other educational purposes).
9. Where we store data and how we keep data secure
Paper copies of Personal Data are kept securely at the school; for example, in secure filing cabinets.
Electronic copies of Personal Data are kept securely and information will only be processed where we are satisfied that it is reasonably secure.
All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. You must not share your password with anyone.
10. Retention periods
We will only retain Personal Data for as long as is necessary to achieve the purposes for which they were originally collected. As a general rule, Personal Data will be kept for the entire period that a child is a pupil at the Trust, or an employee is employed at the Trust. Other records (for example, safeguarding or in relation to special educational needs) will be kept for longer in accordance with guidance from the Information and Records Management Society. Further information on retention periods can be obtained by contacting us via the details in Section 1 of this Notice.
Once the retention period concludes the data is securely and safely destroyed/ deleted.
11. Your data rights
The General Data Protection Regulation and associated law gives you rights in relation to Personal Data held about you and your child. These are:
Right to be informed: you have the right to be informed about the collection and use of your data. This policy contains information in relation to the collection of your Personal Data; however, if we collect additional data for other purposes, we will inform you about this.
Right of Access: if your Personal Data is held by the Trust, you are entitled to access your Personal Data (unless an exception applies) by submitting a written request. We will aim respond to that request within one month. If responding to your request will take longer than a month, or we consider that an exception applies, then we will let you know. You are entitled to access the Personal Data described in Section 12.
Right of Rectification: you have the right to require us to rectify any inaccurate Personal Data we hold about you. You also have the right to have incomplete Personal Data we hold about you completed. If you have any concerns about the accuracy of Personal Data that we hold then please contact us.
Right to Restriction: you have the right to restrict the manner in which we can process Personal Data where:
the accuracy of the Personal Data is being contested by you;
the processing of your Personal Data is unlawful, but you do not want the relevant Personal Data to be erased; or
we no longer need to process your Personal Data for the agreed purposes, but you want to preserve your Personal Data for the establishment, exercise or defence of legal claims.
Where any exercise by you of your right to restriction determines that our processing of particular Personal Data are to be restricted, we will then only process the relevant Personal Data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
Right to Erasure: You have the right to require we erase your Personal Data which we are processing where one of the following grounds applies:
the processing is no longer necessary in relation to the purposes for which your Personal Data were collected or otherwise processed;
our processing of your Personal Data is based on your consent, you have subsequently withdrawn that consent and there is no other legal ground we can use to process your Personal Data;
the Personal Data have been unlawfully processed; and
the erasure is required for compliance with a law to which we are subject.
Right to Data Portability: you have the right to receive your Personal Data in a format that can be transferred. We will normally supply Personal Data in the form of e-mails or other mainstream software files. If you want to receive your Personal Data which you have provided to us in a structured, commonly used and machine-readable format, please contact us via the details in Section 1 of this Notice.
Right to object: you have the right to object to the processing of your Personal Data where one of the following grounds apply:
the processing is based on legitimate interests or the performance of a task in the public interest;
the processing is for direct marketing; or
the processing is for the purposes of scientific/ historical research and statistics.
You can find out more about the way these rights work from the website of the Information Commissioner's Office (ICO).
Where the Trust holds Personal Data concerning you, you are entitled to access that Personal Data and the following information (unless an exception applies):
a copy of the Personal Data we hold concerning you, provided by the Trust;
details of why we hold that Personal Data;
details of the categories of that Personal Data;
details of the envisaged period for which that Personal Data will be stored, if possible;
information as to the source of Personal Data where that Personal Data was not collected from you personally.
If you want to receive a copy of the information about your son/daughter that we hold, please contact us via the details in Section 1 of this Notice.
13. Making a Complaint
If you are unhappy with the way we have dealt with any of your concerns, you can make a complaint to the ICO, the supervisory authority for data protection issues in England and Wales. We would recommend that you complain to us in the first instance, but if you wish to contact the ICO on the details you can do so on the details below. The ICO is a wholly independent regulator established in order to enforce data protection law.
ICO Concerns website: www.ico.org.uk/concerns
ICO Helpline: 0303 123 1113
ICO Email: firstname.lastname@example.org
ICO Postal Address:
Information Commissioner's Office
Cheshire SK9 5AF
14. Changes to this notice
Any changes we make to this notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.