How we process data about our pupils.
Under data protection law, individuals have a right to be informed about how we use any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data.
This privacy notice explains how we collect, store and use personal data about our pupils.
We, Thurston Community College, are the ‘data controller’ for the purposes of data protection law.
Our data protection officer is Phil Williams.
Why do we collect and use pupil information?
In law, we collect and use pupil information under the General Data Protection Regulations (GDPR) and UK law, including:
- Article 6 and Article 9 of the GDPR - processing is necessary for the performance of a task carried out in the public interest.
- Education Act 1996.
- Regulation 5 of the Education (Information About Individual Pupils) (England) Regulations 2013.
We use pupil data:
- to support pupil learning and progression.
- to monitor and report on pupil progress.
- to provide appropriate pastoral care and safeguard pupils.
- to assess the quality of our services.
- to comply with the law regarding data sharing.
The categories of pupil information that we collect include:
- Personal information (such as name, unique pupil number and address)
- Contact information (names and contact details for parents, carers)
- Characteristics (such as ethnicity, languages spoken at home)
- Attendance information (such as sessions attended, number of absences and reasons for absence)
- Assessment information (such as termly subject marks, exam results)
- Medical information and details of any support received, including care packages and support plans
- Behaviour and achievement information (such as commendations, detentions, exclusions)
- Post-16 learning information (including courses studied and learning hours)
- Information about safeguarding concerns
- Photographs and moving images
- CCTV images captured in school
- Biometric data for accessing the school canteen
We may also hold data about pupils that we have received from other organisations, including other schools, local authorities and the Department for Education.
Legal basis for using data
We only collect and use pupils’ personal data when the law allows us to. Most commonly, we process it where:
- We need to comply with the law.
- We need it to perform a task in the public interest (to provide our pupils with an education).
Sometimes, we may also process pupils’ personal data in situations where:
- Pupils (or parents/carers) have given consent for us to use it in a certain way.
- We need to protect the individual’s vital interests (or someone else’s interests).
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation (GDPR), we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Where we have obtained consent to use pupils’ personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Storing pupil data
We hold pupil data until the pupil reaches the age of 25. Where there have been safeguarding concerns or special educational needs, the retention of pupil data will be reviewed at this point and decisions about ongoing retention will be made on an individual basis.
Who do we share pupil information with?
We routinely share pupil information with:
- educational institutions that pupils attend after leaving us
- the local authority (for admissions, exclusions etc.)
- the Department for Education (DfE)
- the NHS, including CAMHS (for referrals, vaccinations etc)
- the Police and Social Services (where there are safeguarding concerns)
- exam boards and other assessment bodies
We also share personal data with third party organisations which provide services to us. This data is only shared where it is essential for the service to be provided. We currently provide pupil level data for the following purposes:
- Through our School Information Management System (SIMS) and our assessment module (GO4Schools)
- to support learning through curriculum products, e.g. Kerboodle, Hegarty Maths, etc.
National Pupil Database
We are required to provide information about pupils to the Department for Education as part of statutory data collections such as the school census.
Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department and provides evidence on school performance to inform research.
The database is held electronically so it can easily be turned into statistics. The information is securely collected from a range of sources including schools, local authorities and exam boards.
The Department for Education may share information from the NPD with other organisations which promote children’s education or wellbeing in England. Such organisations must agree to strict terms and conditions about how they will use the data.
For more information, see the Department’s webpage on how it collects and shares research data research data.
You can also contact the Department for Education with any further questions about the NPD.
Youth support services
Once our pupils reach the age of 13, we are legally required to pass on certain information about them to the local authority, as it has legal responsibilities regarding the education or training of 13-19 year-olds.
This information enables it to provide youth support services, post-16 education and training services, and careers advisers.
Parents/carers, or pupils once aged 16 or over, can contact our data protection officer to request that we only pass the individual’s name, address and date of birth.
Learner Record Service
Once our pupils reach the age of 14, we will pass on certain information used by the Skills Funding Agency, an executive agency of the Department for Education (DfE), to issue a Unique Learner Number (ULN), and to create a Personal Learning Record. For more information about how your information is processed and shared refer to the Extended Privacy Notice available on LRS - Privacy Notice.
Transferring data internationally
Where we transfer personal data to a country or territory outside the European Economic Area (EEA), we will do so in accordance with data protection law.
Your rights: How to access personal information we hold about you
You can find out if we hold any personal information about you, and how we use it, by making a ‘subject access request’, as long as we judge that you can properly understand your rights and what they mean.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
If we do hold information about you, we will:
- Give you a description of it.
- Tell you why we are holding and using it, and how long we will keep it for.
- Explain where we got it from, if not from you or your parents.
- Tell you who it has been, or will be, shared with.
- Let you know if we are using your data to make any automated decisions (decisions being taken by a computer or machine, rather than by a person).
- Give you a copy of the information.
You may also ask us to send your personal information to another organisation electronically in certain circumstances.
If you want to make a request, please contact our data protection officer.
Your other rights over your data
You have other rights over how your personal data is used and kept safe, including the right to:
- Say that you don’t want it to be used if this would cause, or is causing, harm or distress.
- Stop it being used to send you marketing materials.
- Say that you don’t want it used to make automated decisions (decisions made by a computer or machine, rather than by a person).
- Have it corrected, deleted or destroyed if it is wrong, or restrict our use of it.
- Claim compensation if the data protection rules are broken and this harms you in some way.