INTRODUCTION
In order to deliver our statutory functions as a school, it is necessary for us to collect and use (or ‘process’) personal data about individuals, including our current, past and prospective pupils and their parents, carers, guardians (referred to in the notice as ‘parents’) and any emergency contacts.
Transparency is very important to us, and we aim to be open, honest, and upfront with individuals about how we use their personal data. We believe that if individuals are well informed and know from the outset what personal data we hold about them, how it will be used, for what purpose and who it may be shared with, individuals will be more confident that their personal data is being used in the right way and their privacy protected.
This privacy notice seeks to explain and provide information, at a high level, relating to how the school generally processes personal data. Specifically, it provides information relating to;
- The ‘data controller’ of the personal data processed by the school
- How to contact us in relation to a data protection matter or concern
- The Data Protection Officer and how they can be contacted
- The categories of personal data we process
- The categories of individuals whose personal data we process
- Why we process the personal data
- Our lawful basis for processing the personal data
- Who and where we get the personal data from
- The categories of organisations we share the personal data with
- How long we retain the personal data
- Your data protection rights and your right to raise a complaint with the ICO
THE DATA CONTROLLER
The school is the data controller for the personal data we process, unless otherwise stated. This includes the personal data processed by the Governing Body, head teacher, individual governors, teachers, teaching assistants and support staff etc.
The school is registered with the ICO as a controller under registration number: Z5181084
THE DATA PROTECTION OFFICER
Cardiff Council provides a data protection support service to the school under a Service Level Agreement, including the provision of a Data Protection Officer (DPO).
The DPO can be contacted in relation to data protection matters. However, we encourage you to contact the school in the first instance. Should you have the need to contact the Data Protection Officer directly you can do so via email to the following email address; Dataprotectionschools@cardiff.gov.uk
We recommend, when contacting the DPO, that you send a copy of the correspondence to the school as the data controller.
THE CATEGORIES OF PERSONAL DATA WE PROCESS
Pupils
We typically process the following categories of personal data relating to every pupil;
- Personal identifiers such as name, unique pupil number, date of birth etc.
- Contact Information such as address, telephone number, email address etc.
- Characteristics such as ethnicity, language, nationality, place of birth, sexual orientation, free school meal eligibility, child looked after status
- Relevant health and medical information such as doctor’s information, child health, dental health, allergies, sight and hearing health, medication, dietary requirements etc.
- Attendance information such as sessions attended, number of absences, absence reasons, previous schools attended etc.
- Assessment and attainment information
- Information relating to home to school transport / collection arrangements
- Images (captured by CCTV)
- Photographs i.e. newsletters, website
We may process the following categories of personal data depending on pupil needs and individual circumstance;
- Additional learning needs and disability information
- Safeguarding information such as – court orders, professional involvement.
- Information relating to behaviours and exclusions
- Information relating to accidents and incidents.
- Information relating to school-based complaints.
- Biometric information (e.g. fingerprint data for use in cashless catering systems – processed only where consent has been provided)
Parents & Emergency Contacts
We typically process the following categories of personal data relating to every parent and emergency contact;
- Personal identifiers and contact details such as – name, address, telephone number, place of work (if applicable), email address etc.
- Relationship to the child
We may process the following categories of personal data relating to parents, depending on pupil needs and family circumstance;
- Information relating to whether a parent is a member of the armed forces
- Legal access to the child and any court orders indicating access rights
- Relevant household/family information such as siblings, childcare arrangements etc.
- Relevant information relating to support service involvement e.g. social services, safeguarding, additional learning needs etc.
- Financial information e.g. relating to payments that are made or due to the school
- Relevant information relating to school-based complaints
- Images – captured by CCTV
WHY WE PROCESS THE PERSONAL DATA
We process the personal data to deliver our statutory functions as a school. This includes but is not limited to the following activities and functions;
- admissions
- pupil learning
- record, monitor, address and report on pupil progress, attainment, performance etc.
- record, monitor, address and report on pupil behaviour and exclusions
- record, monitor, address and report on pupil attendance
- refer, review, monitor and support in respect of Additional Learning Needs provision
- safeguard pupils
- provide appropriate pastoral care
- meet the statutory duties placed upon us for data collections
- statutory inspections
- general administration and finance
- school governance
- arrange and provide educational visits
- organise/co-ordinate home to school transport
- organise/co-ordinate school meal provision
- organise/co-ordinate breakfast club provision
- manage school-based complaints
- health and safety
- accident and incident recording and reporting
- recording appropriate information in respect of insurance claims
- document and keep a record of events or activities e.g. sports day, award ceremonies
- engage with parents and keep in touch in relation to the pupil’s education provision and progress
- contact parents in the case of urgency
- review and assess the quality of our education provision
- resource planning
OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
Under the UK General Data Protection Regulation (UK GDPR), our lawful basis for processing the personal data to deliver our statutory functions as a school is;
Legal Obligation – Article 6 (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Public Task – Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Substantial public interest – Article 9 (2) (g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
In limited circumstances (for example when recording school concerts) we will rely on;
Consent – Article 6(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Where consent is the lawful basis for processing it will be sought from pupils or parents (depending on pupil age) prior to the personal data being collected. Individuals have the right to withdraw this consent at any time (see ‘Your data protection rights’ section below for further information).
Less commonly (for example in a medical emergency situation) we may rely on;
Vital Interests – Article 6(d) and Article 9(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
WHO OR WHERE WE GET THE PERSONAL DATA FROM
We may receive the personal data from the following categories of individuals or organisations;
- Pupils
- Parents
- Emergency Contacts
- School staff – head teacher, teachers, teaching assistant, support staff etc.
- Governing Body, Individual School Governors, Independent Panels
- Local Authority support services such as the Admissions Team, Catering Service, Transport Service, Local Education Authority Data Team, Attendance & Wellbeing Service, Access and Inclusion etc.
- Local Authority business support services such as Governors Support, Insurance Section, Legal Services etc.
- Safeguarding organisations, services and professionals that may be involved in assessing, supporting or providing services to a pupil and their family (e.g. Local Authority Children’s Services, Cardiff & Vale Regional Safeguarding Board, Health Boards, health professionals etc.).
- Private sector organisations and charities that may be involved in supporting or providing services to a pupil and their family (e.g. CAMHS).
- Public or visitor to the school
WHO WE SHARE YOUR PERSONAL DATA WITH
| Organisation | Reason | Lawful Basis |
| --- | --- | --- |
| School/College/Day Centre that the pupil subsequently attends | Continuity of education | Compliance with a legal obligation (Art 6 UK GDPR) |
| Cardiff Council | To monitor education provision and research to inform policy and funding decisions | Compliance with a legal obligation (Art 6 UK GDPR) |
| Cardiff Council | To provide IT support | Processing necessary for performance of a contract (Art 6 UK GDPR) |
| Cardiff Council | To provide Health and Safety support | Processing necessary for performance of a contract (Art 6 UK GDPR) |
| Cardiff Council | To defend insurance claims | Processing necessary for legitimate interests (Art 6 UK GDPR) and legal proceedings (Art 9 UK GDPR) |
| Cardiff Council | To administer Special Educational Needs support | Compliance with a public task (Art 6 and 9 UK GDPR) |
| Cardiff Council | For safeguarding purposes | Compliance with a legal obligation, vital interests, or public task (Art 6 and 9 UK GDPR) |
| Cardiff Council | To provide school-based counselling services | Compliance with a public task (Art 6 and 9 UK GDPR) |
| Cardiff Council | To administer catering service (i.e. dinner cards and cashless catering biometric fingerprint data) | Compliance with a public task (Art 6 and 9 UK GDPR) |
| Cardiff Council | Provision of statistics to monitor education | Compliance with a legal obligation (Art 6 UK GDPR) |
| Welsh Government (further detail below) | Provision of statistics to monitor education | Compliance with a legal obligation (Art 6 UK GDPR) |
| Education Achievement Service | To share school information, benchmarking, target setting with the organisation to help raise education standards. This is information also provided to Governors | Compliance with a legal obligation or public task (Art 6 UK GDPR) |
| Cardiff & Vale Health Board | To provide a school health service | Compliance with a public task (Art 6 UK GDPR); public health (Art 9 UK GDPR) |
| Cardiff & Vale Health Board | Safeguarding purposes | Compliance with a legal obligation, vital interests, or public task (Art 6 and 9 UK GDPR) |
| Careers Wales | Information is shared in the following ways/circumstances: • Personal details/needs/abilities to support college applications • Pupil names and contact details when parents request contact from a Careers Advisor. Most often, Careers Wales already have the pupil/family contact details | Compliance with a public task (Art 6 UK GDPR) under the Education Act 1997 (S44). |
| Therapy Intervention Services | Staff from other services (including social workers and doctors) working with a child so that a multi professional approach can be adopted for trying to understand problem behaviours and for risk management purposes | Compliance with a public task (Art 6 UK GDPR); public health (Art 9 UK GDPR) |
Sharing information with Welsh Government
The Welsh Government receives information about pupils directly from schools through statutory data collections. These include:
- Post-16 data collection
- Pupil Level Annual School Census (PLASC)
- National Data Collection (NDC)
- Attendance collection
- Welsh National Tests (WNT) data collection
In addition, the Welsh Government and Local Authorities may also receive information about National Curriculum assessments, public examination results, and attendance data at an individual pupil level. This information is provided either directly by schools or by awarding bodies such as WJEC.
The Welsh Government uses this information for research and statistical purposes. All analysis is carried out in a way that ensures individual children and young people cannot be identified. The data is used to inform and improve education policy, as well as to monitor the performance of the education service as a whole.
Further details about how the Welsh Government uses personal data, including the most recent privacy notices, can be found on the Welsh Government statistics and research pages (Statistics and research | GOV.WALES) and in the Welsh Government’s Privacy Policy (Welsh Government privacy notice | GOV.WALES).
DATA PROCESSORS
A data processor is a company or organisation that processes personal data on behalf of a controller. The school uses a number of data processors that provide services to us. The categories of data processors we use are;
- IT system suppliers
- IT secure data transfer system suppliers
- Home to school communication system suppliers
- Risk assessment system supplier (relating to educational visits)
Our data processors act only upon our instruction. They cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal information with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct. Should you have a specific query relating to our data processors, please contact the Data Protection Lead.
REQUEST FOR INFORMATION
All recorded information held by the school may be subject to requests under the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Data Protection legislation (General Data Protection Regulations 2016 and Data Protection Act 2018).
If the information you provide is subject to such a request, where possible, the school will consult with you on its release. If you object to the release of your information, we will withhold your information if the relevant legislation allows.
HOW LONG WE WILL RETAIN YOUR INFORMATION
In keeping with the UK General Data Protection Regulation storage limitation principle, records are periodically reviewed. Only personal data that is relevant to the record is retained for the entire retention period (e.g. documents that contain assessments, decisions, outcomes etc.). Information that has no long term or evidential value is routinely destroyed in the normal course of business.
Records that are retained are kept in line with the guidance set out in the Retention Schedule contained within the Information Records Management Society Toolkit for Schools. Following retention period expiry, information is destroyed securely and permanently.
Details of marketing
If you have consented to your contact details being used for marketing purposes, you will have been provided with details of the marketing that the school would like to carry out, together with any options such as how you would like to be contacted. You are able to withdraw your consent to marketing at any time by contacting the school.
YOUR RIGHTS
Your Rights Under the Data Protection Act 2018
You have several rights when it comes to your personal data:
Right to be informed – You have the right to know how your data is collected, used, stored, and protected.
Right of access – You can ask for a copy of the personal data held about you. Some information may be withheld for legal reasons.
Right to rectification – You can ask for incorrect or incomplete data to be corrected.
Right to erasure – You can ask for your data to be deleted in certain cases, unless it must be kept by law.
Right to restrict processing – You can limit how your data is used in specific situations.
Right to data portability – You can ask for your data in a format that can be easily shared with another organisation.
Right to object – You can object to your data being used, especially for marketing or profiling.
Rights related to automated decision-making – You can challenge decisions made without human involvement, like profiling.
Children and Young People
Children also have rights under data protection laws. From age 12 and up, they are usually considered mature enough to understand and use these rights.
A child can request their own data from an organisation (like a school). If a parent or carer wants to request data on behalf of a child, they must:
- Show proof of identity
- Provide evidence of parental responsibility
- Have permission from the child (usually in writing)
To enact your rights, please contact Cathays High School as detailed at the top of this document. A copy of any individual right request and your response will be kept for 3 years.
COMPLAINTS PROCEDURE
If you are unhappy with the way that the school has handled your request / information, you have the right of complaint. Please contact Cathays High School outlining your concerns in the first instance. The Data Protection Officer is contracted by the school to Cardiff Council. You can contact the school Data Protection Officer by email at dataprotectionschools@cardiff.gov.uk
You also have the right to ask the Information Commissioner, who enforces and oversees the Data Protection Act in the UK, to assess whether or not the processing of personal information is likely to comply with the provisions of our legislative responsibilities. Further information on your rights is available from: www.ico.org.uk.
SUMMARY PRIVACY NOTICE
How we will use your information
Cathays High School processes personal information about pupils and their families to support pupil learning and monitor attainment, to provide pastoral care, and to keep children safe. We also process personal information to meet the statutory duties placed upon us by Welsh Government, to administer optional school trips and activities, and to deliver the school catering service.
The school takes its responsibilities under data protection law very seriously, and will store and use all personal information securely, disposing of it when no longer required. Personal information may be shared securely for clear purposes with other organisations such as Cardiff Council, Welsh Government, or other external partners e.g. other Local Authorities, Health Boards, Careers Wales and Special Educational Needs Tribunal Wales that provide a service to pupils/families. You have a number of rights in relation to your personal information, including the right of access to information and the right of complaint.
For further information on how we process your information and your rights please navigate to our website: cathays.cardiff.sch.uk