Privacy Notice (How we use pupil information)

Cumbria Education Trust (CET) is the data controller under the UK General Data Protection Regulation (UK GDPR) for the use of personal data explained in this notice.

Personal data is any information that can be used to identify a living person, either on its own, or in combination with other pieces of data. Data processing includes the collection, use, and storage of data.

The categories of pupil and related information that we process include: 

  • personal identifiers like name, address, unique pupil number, and contact details;
  • characteristics like ethnicity, language, free school meal, and pupil premium eligibility;
  • image and voice recordings for assessment, celebration, and in CCTV for safety and security reasons;
  • safeguarding information like court orders and the involvement of other professionals;
  • special educational needs including the needs and ranking;
  • medical information like sex, doctors’ details, child health, dental health, allergies, medicines, and dietary requirements;
  • financial information like bank details and entitlement to meals, transport, and premium funding to manage catering, school trips etc;
  • attendance, for example, sessions attended, absences, absence reasons, previous schools attended;
  • assessment and attainment like key stage 1 and phonics results, post 16 courses enrolled for and any relevant results;
  • behavioural information like behaviour management plans, exclusions, and alternative provision.

This list is not exhaustive.

Why we collect and use this information

The personal data we collect is essential for the school to fulfil official functions and meet legal requirements, and we use it to:

  a. support learning;
  b. monitor and report on pupil attainment progress;
  c. provide appropriate pastoral care;
  d. assess the quality of what we do;
  e. keep children safe e.g., food allergies, emergency contact details, CCTV;
  f. meet statutory duties placed on us by the Department for Education, UK Health Security Agency etc.;
  g. celebrate or promote school, for scientific interest, or to record our own school history;
  h. control access to services e.g., to biometric controlled catering services.

Under UK GDPR, the lawful bases we rely on for processing personal information about pupils are:

  • to perform a public task i.e., to provide education (mainly reasons a, b, c, and d above);
  • to protect vital interests (and sometimes carry out a contract too) e.g., to provide safe meals, trips, transport, uniform, professional photos, childcare (mainly reasons a, and e above);
  • to comply with the law (mainly reasons b, and f above) e.g., recording attendance, publishing results, recording the census (see Sharing with the DfE below), data sharing with child protection partners like social care, the NHS, and the Local Authority etc. (see sharing with the DfE below for legislation);
  • having consent (mainly reason g above, and to process ethnicity data) e.g., use images or names publicly.

When we process special category data like medical information or biometrics, we need to have one lawful basis from the list above and one of the following list:

  • to prevent medical problems, assess needs, and provide services (mainly reasons e, and f above) e.g., Education Health & Care Plans (EHCP), records of medicines administration;
  • to improve public health e.g., report notifiable diseases to local and national government departments;
  • to make or defend legal claims e.g., some special educational needs and all accident records including, where necessary, providing accident/ill-health data to the Health and Safety Executive (HSE);
  • having consent (mainly reason h above) e.g., to use biometric data to access catering services.

Collecting pupil data

We collect relevant pupil information via registration forms at the start of each academic year or a secure file sent to us when a child joins us from another school.

Most of the pupil information we ask for is required by law or necessary so we can provide a good education and some of it is voluntary. To comply with UK GDPR, if you have a choice about providing information, we will tell you when we ask for it. We will also tell you what to do if you do not want to share this information with us.

Storing pupil data

We hold pupil data securely in line with the Information and Records Management Society (IRMS) Records Management Toolkit for Schools. This personal data is retained for a wide range of time periods from days after a successful trip for the consent form to many years after a pupil has left us for an accident report.

Who we share pupil information with and why

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. The laws listed in this notice that require us to collect information also require us to share it. Data is transferred securely by hand delivery or registered post, via a government data transfer system like School to School, via a contractor’s secure data sharing system like our online school trips safety system, and sometimes in other secure ways.

We routinely share pupil information with:

  • other parts of our Trust to monitor the quality of our provision, benchmark locally, and to make decisions about local policy, practice, and funding;
  • schools and other education providers pupils go to after leaving us to support their continuing education;
  • child development and protection partners like our local Authority Children’s Services, Public Health, Inclusion & Social Care etc. to check attendance, monitor, and protect children; the NHS for medical referrals & support; private companies offering counselling and other family or support services;
  • the DfE to help decide our school funding, monitor attainment, and benchmark it nationally, compile league tables, develop national education policy and monitor it;
  • our Local Authority to ensure they can conduct their statutory duties such as under the Schools Admission Code, including conducting Fair Access Panels, and careers guidance legislation;
  • medical services like therapists, the school nurse, or the NHS for things like screening, vaccinations, health/eye/dental checks, Education, Health and Care Plan (EHCP) provision etc. and UK Health Security Agency about certain contagious infections our pupils come into contact with;
  • Government departments like UK Health Security Agency, local authority public health, and HSE to comply with the law and support public health action;
  • voluntary and charitable organisations (with your permission only), such as Barnardo’s, our local Foodbank and similar organisations who can offer families practical help and support.

Sharing with Youth Support Services

Pupils aged 13+

Once our pupils reach the age of 13, we pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide youth support services and careers advisers.

The information shared is limited to the child’s name, address, and date of birth and the name and address of a parent or guardian. Consent to share this data is not required from a parent or guardian, but we do need parental consent to share any other information relevant to the provision of youth support services.

Pupils aged 16+

We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services because they also have responsibilities in relation to the education or training of 13–19-year-olds under the same section 507B of the Education Act 1996.

This enables them to provide services as follows:

  • post-16 education and training providers
  • youth support services
  • careers advisers

The information shared is limited to the pupil’s name, address, and date of birth and the name and address of a parent or guardian. Consent to share this data is not required from a parent or guardian, but we do need a pupil’s consent to share any other information about them that is relevant to the provision of youth support services.

For more information about services for young people, please visit our local authority website: Cumberland Council or Westmorland and Furness Council.

Sharing with the Department for Education (DfE)

We are required to share information about our pupils with the DfE directly or via our local authority for the purpose of statutory data collections, under the following legislation:

All data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.

For more information, please see the ‘How Government uses your data’ section.

For privacy information on the data the Department for Education collects and uses, please see: https://www.gov.uk/government/publications/privacy-information-early-years-foundation-stage-to-key-stage-3 and https://www.gov.uk/government/publications/privacy-information-key-stage-4-and-5-and-adult-education

Requesting access to your personal data

The UK GDPR gives parents and pupils certain rights about how their information is collected and used. To make a request for your personal information, or be given access to your child’s educational record, please contact the Data Protection Officer for CET.

You also have the following rights:

  • the right to be informed about the collection and use of your personal data – this is called the ‘right to be informed’.
  • the right to ask us for copies of the personal information we have about you – this is called the ‘right of access’, and is also known as a subject access request (SAR), data subject access request or right of access request.
  • the right to ask us to change any information you think is not accurate or complete – this is called the ‘right to rectification’.
  • the right to ask us to delete your personal information – this is called the ‘right to erasure’.
  • the right to ask us to stop using your information – this is called the ‘right to restriction of processing’.
  • the ‘right to object to processing’ of your information, in certain circumstances.
  • rights in relation to automated decision making and profiling.
  • the right to withdraw consent at any time (where relevant).
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way.

There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:

  • right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
  • right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task, or legitimate interests.
  • right to object does not apply when the lawful basis for processing is contract, legal obligation, or vital interests. And if the lawful basis is consent, you don’t have the right to object, but you have the right to withdraw consent.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly with the Information Commissioner’s Office (see ‘raise a concern with ICO’).

For further information on how to request access to personal information held centrally by DfE, please see the ‘How Government uses your data’ section of this notice below.

Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the Data Protection Officer for CET.

Last updated

This privacy notice was compiled using DfE advice and model documents. We may need to review it periodically, so we recommend that you revisit this information from time to time. This version was last updated September 2024.

Contact

If you would like to discuss anything in this privacy notice, please contact Sally McAllister, CET Data Protection Officer on 016977 45300.

How Government uses your data

The pupil data that we lawfully share with the DfE through data collections:

  • underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school;
  • informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures);
  • supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school).

Data collection requirements

To find out more about the data collection requirements placed on us by the DfE (for example, via the school census) go to www.gov.uk/education/data-collection-and-censuses-for-schools.

The National Pupil Database (NPD)

The NPD is owned and managed by the DfE and contains information about pupils in schools in England. This information is securely collected from a range of sources including schools, local authorities, and awarding bodies.

The data in the NPD is provided as part of the operation of the education system and is used for research and statistical purposes to improve, and promote, the education and well-being of children in England.

The evidence and data provide DfE, education providers, Parliament and the wider public with a clear picture of how the education and children’s services sectors are working in order to better target, and evaluate, policy interventions to help ensure all children are kept safe from harm and receive the best possible education.

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-npd-privacy-notice/national-pupil-database-npd-privacy-notice.

Sharing by the DfE

The law allows the DfE to share pupils’ personal data with certain third parties, including:

  • schools and local authorities;
  • researchers;
  • organisations connected with promoting the education or wellbeing of children in England;
  • other government departments and agencies;
  • organisations fighting or identifying crime.

For more information about the DfE’s NPD data sharing process, please visit: www.gov.uk/data-protection-how-we-collect-and-share-research-data.

Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 pupils per year to the Home Office and roughly 1 per year to the Police.

For information about which organisations the DfE has provided pupil information to (and for which project), or to access a monthly breakdown of data share volumes with the Home Office and the Police, please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares.

How to find out what personal information the DfE holds about you

Under the terms of the UK GDPR, you are entitled to ask the DfE:

  • if they are processing your personal data;
  • for a description of the data they hold about you;
  • the reasons they’re holding it and any recipient it may be disclosed to;
  • for a copy of your personal data and any details of its source.

If you want to see the personal data held about you by the DfE, please make a ‘subject access request’ to them. Find out how in the DfE’s personal information charter published at:

https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter or https://www.gov.uk/government/publications/requesting-your-personal-information/requesting-your-personal-information#your-rights

To contact the DfE, please visit www.gov.uk/contact-dfe.