WHO WE ARE
In terms of current legislation, the Data Controller is St Mary’s School, Calne, a company limited by guarantee. Registered Company 00235572. Registered Charity 309482.
St Margaret’ Preparatory School is an operational subsidiary of St Mary’s School, Calne and generally operates within the policy frameworks of that entity.
WHAT THIS PRIVACY NOTICE IS FOR
This policy is intended to provide information about how the School will use personal data about individuals within the School community, including pupils (past, current, prospective), parents (past, current, prospective), carers and guardians, Governors and staff and members and supporters of the Calne Girls Association (CGA) and Calne Foundation Trust (CFT).
This information is provided because Data Protection Law gives every individual the right to understand how their data is used. Accordingly, all within the School community are encouraged to read this Privacy Notice and understand the School’s obligations to them.
This Privacy Notice applies, alongside other relevant terms and conditions and policies, including:
• contract with parents and staff
• the school’s policies relating to the treatment of images of children, retention of records and use of CCTV
• the school’s Safeguarding, Pastoral and Health and Safety policies
• the school’s IT policies, including Acceptable Use policy, eSafety policy and Remote Working policy
RESPONSIBILITY FOR DATA PROTECTION
The Bursar is the Data Compliance Manager (DCM) and will deal with all requests and enquiries concerning the use of personal data and endeavour to ensure that all personal data is processed in compliance with this Policy and Data Protection Law.
WHY THE SCHOOL NEEDS TO PROCESS PERSONAL DATA
In order to carry out its ordinary duties to the wider School community, the School needs to process a wide range of personal data about individuals as part of its legitimate daily operations.
The School will need to carry out some of this activity in order to fulfil its legal rights, duties or obligations – including those under the personal contracts (Parents/ staff). Other uses of personal data will be made in accordance with the school’s legitimate interests, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.
The School expects that the following uses will fall within that category of ‘legitimate interests’:
• For the purposes of pupil and staff selection (and to confirm the identity of individuals).
• To provide education services, including musical education, physical training and spiritual development, careers services, and extra-curricular activities to, and monitoring pupil progress and educational needs.
• Maintaining relationships within the School community, including fundraising and social activities.
• For the purposes of management, planning, forecasting, research and statistical analysis, including that imposed or provided for by law.
• To enable relevant authorities to monitor the School’s performance and to intervene or assist with incidents as appropriate.
• To give and receive information and references about past, current and prospective pupils and staff, including relating to outstanding fees or payment history, to/from any educational institution which the student attended in the pastor where it is proposed they attend; and to provide references to potential employers and institutions for higher education and employment.
• To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils at the School.
• To safeguard pupil and staff welfare and provide appropriate pastoral care.
• To monitor (as appropriate) use of the School’s IT and communications systems in accordance with the School’s IT policies.
• To make use of photographic images of individuals in school publications, promotional materials, on the School website and on social media channels in accordance with the School’s policy on taking, storing and using images of children.
• For security purposes.
• To carry out or co-operate with any complaints (either within the School or external), disciplinary or investigation process.
• Where otherwise reasonably necessary for the School’s purposes, including to obtain appropriate professional advice.
In addition, the School will on occasion need to process special category personal data (concerning, for example, health, ethnicity and religion) in accordance with the rights and duties imposed by law, such as safeguarding; as appropriate explicit consent where required will be requested. These reasons might include:
• To safeguard pupil and staff welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition or other relevant information where it is in the individual’s interest to do so: for example, for medical advice, for social protection, safeguarding, and co-operation with the police or social services, for insurance purposes or to caterers or organisers of school trips who need to be made aware of dietary or medical needs.
• To provide educational services in the context of any special educational needs of a pupil.
• As part of any complaints, disciplinary or investigation process which involves such data, for example if there are issues relating to SEN, health or safeguarding elements.
• For legal and regulatory purposes (for example, child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duty of care.
TYPES OF PERSONAL DATA PROCESSED BY THE SCHOOL
The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include;
• Names, addresses, telephone numbers, email addresses and other contact details.
• Bank details and other financial information, for example, about individuals who pay fees to the School.
• Past, present and prospective pupil academic, disciplinary, admissions and attendance records (including information about special needs) and examination scripts and results.
• Personnel files concerning academic, pastoral or safeguarding issues.
• Where appropriate, information about pupil and staff health and welfare, and contact details for next of kin and guardians.
• References given or received by the school about pupils, and relevant information provided by previous schools and/or other professionals or organisations working with children.
• Images of individuals engaging in school activities. Parents will have been requested to provide consent specifically for the processing of images at the time of enrolment – this consent can be withdrawn at any time (or withdrawn by an individual pupil, if 13 years of age or over). Please advise the DCM in writing if you wish to make a change to consent previously given.
HOW THE SCHOOL COLLECTS AND HANDLES DATA
Generally, the School will receive personal data directly from individuals. This may be via a form, or simply in the ordinary course of interaction or communication (such as email, letter or written assessments). Sometimes, personal data might be provided to the School by third parties, such as other schools or other professionals working with that individual.
Personal data held by the School is processed by appropriate members of staff for the purposes for which that data information was provided. We take appropriate technical and organisational steps to ensure the security of this information, including policies around use of technology and devices, and access to school systems.
WHO HAS ACCESS TO PERSONAL DATA AND WHO IS IT SHARED WITH?
Occasionally, the school might need to share personal information relating to its pupils and staff with third parties, such as:
• Professional advisors, for example medical practitioners or counsellors.
• Government authorities, such as DfE, the police or local authorities.
• Regulatory authorities, such as the Charity Commission of Information Commissioner.
• The Calne Girls’ Association (CGA).
• The Calne Foundation Trust (CFT).
For the most part, personal data collected by the school will remain within the School, and will be processed by appropriate staff only in accordance with access protocols (that is, on a ‘need to know basis’). More stringent access is provided for:
• Medical records (held and accessed only by the School doctor and Health Centre nursing staff).
• Pastoral and safeguarding files.
A certain amount of pupil SEN information is routinely made accessible to a wider number of staff, but only those concerned with providing the necessary care and education of any particular student.
The School is obliged by law and statutory guidance (specifically Keeping Children Safe in Education) to record or report incidents and concerns which arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in nature or frequency. This is likely to include file notes on personal or safeguarding issues, and in some cases referrals to relevant authorities such as the Local Authority Designated Officer or the police. For further information about this, please view the school’s Safeguarding Policy.
Personal data in not transferred outside of the European Economic Area unless the School is satisfied that the data will be afforded an equivalent level of protection.
Finally, in accordance with Data Protection Law, some of the School’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers, mailing houses and cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the School’s specific instructions.
HOW LONG WE KEEP PERSONAL DATA
The School will retain personal data securely and only in line with standard guidance in respect of how long it is necessary to keep for legitimate and lawful reasons. Typically, the legal recommendation for how long personal files should be kept is up to seven years following departure from the School. However, incident reports and safeguarding files are kept longer, in accordance with specific legal requirements.
Specific queries about the length for which the retention policy is applied for, or requests that personal data that you no longer believe to be relevant is considered for erasure, please contact the DCM. However, please remember that the School will often have lawful and necessary reasons to hold some personal data even following such a request.
A limited and reasonable amount of information will be kept for archiving purposes, for example, even when you have requested that we no longer communicate with you, we will need to keep a record of that fact in order to fulfil your wishes (a ‘suppression record’).
KEEPING IN TOUCH AND SUPPORTING THE SCHOOL
The School will use your contact details to keep you updated about events and activities of the school, the CGA and the CFT, including sending updates and newsletters by email and post. Unless you object, the School may also contact you by post or email in order to seek to raise funds for the School. Should you wish to limit or object to any such use, or would like further information about them, please contact the Development Office in writing. You always have the right to withdraw consent, where given, or otherwise object to marketing or fundraising communications.
However, the School is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to a particular address, email or telephone number).
• Whose rights? The rights under Data Protection Law belong to the individual. However, the School will often rely on parents’ authority or notice in respect of the necessary ways it processes personal data relating to pupils.
Where consent is required, it may in some cases be necessary or appropriate (given the nature of the processing in question, and the pupil’s age and understanding) to seek that pupil’s direct consent. Parents should be aware that in such situations they may not be consulted, depending on the interests of the pupil, your parental rights and all the relevant circumstances.
Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to her personal data being disclosed to her parents, the School may be under an obligation to maintain that confidentiality unless, in the School’s opinion, there is a good reason to do otherwise, for example where the School believes disclosure will not be in the best interests of any pupil(s), or if required by law.
• Rights of access, etc. All individuals have various rights under Data Protection Law to access and understand personal data about them which is held by the School, and, in some cases, to ask for it to be erased or amended or have it transferred to others, or for the school to stop processing it – but this is subject to certain exemptions and limitations.
Individuals wishing to access or amend personal data, or wishing that it be transferred to another person or organisation, or having some other objection to how personal data is used, should put their request in writing to the DCM.
The School will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (which is 30 days in the case of requests for access to information).
The School will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or is similar to previous requests, the school may ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows).
• Requests that cannot be fulfilled: Parents will generally receive, as appropriate, educational and pastoral updates relating to pupils. Where parents are separated, the School will in most cases aim to provide the same information to each person with parental responsibility, but may need to consider also all circumstances, including the express wishes of the pupil concerned.
Individuals should be aware that the right of access is limited to their own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals, or information which is subject to legal privilege.
The School is not required to disclose any pupil examination scripts (or other information consisting solely of pupil test answers), provide examination or other test marks ahead of ordinary publication, nor share any confidential reference given by the School itself for the purposes of education, training or employment.
DATA ACCURACY AND SECURITY
The School will endeavour to ensure that all personal data held is as up to date and as accurate as possible. Individuals should notify the School Office of any significant changes to important information held, such as contact details.
Individuals have the right to request that any out-of-date, irrelevant or inaccurate information held be erased or corrected (subject to certain exemptions and limitations under Data Protection Law). The School will take appropriate technical and organisational steps to ensure the security of personal data.
QUERIES AND COMPLAINTS
Any queries about the application of the Privacy Notice should be directed to the DCM.
If you believe that the School has not complied with any aspect of this policy or acted otherwise than in accordance with Data Protection Law, you should use the school’s grievance procedures and also notify the DCM. You can also make a referral or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the school before involving the regulator.
Created by SLT: DJB
Date of SLT Review: May 2019
Reviewed by Governors on: June 2019