Ffordd Pentraeth, Porthaethwy, Ynys Môn, LL59 5SS
Ffôn: 01248 712287 • E-bost: post@ysgoldavidhughes.org
<
>

Privacy Notice

(How we use pupil information)

In accordance with data protection legislation, this notice gives you information about the data we hold about you/your child, how we use it, your rights in relation to it and the safeguards that are in place to protect it.

The right to privacy is very important to us and we appreciate that you trust us to act in a responsible manner when you give us personal information. Personal data, or personal information, means any information about an individual from which that person can be identified.

The school is registered as a data controller with the Information Commissioner’s Office (ICO). Full details of the registration are available via the ICO register of data controllers.
The school as the data controller is responsible for the personal data of pupils.

We also have a ‘Privacy Notice- Schools- Children and Young People’ version that is designed specifically for children and young people to read.

The categories of pupil information that we process:

  • personal identifiers and contacts (such as name, date of birth, unique pupil number, contact details and address)
  • characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
  • safeguarding information (such as court orders and professional involvement)
  • special educational needs (including the needs and ranking)
  • medical and administration (such as doctors information, child health, dental health, allergies, medication, dietary requirements and Covid-19 test results and related information)
  • disability status
  • food allergies (for catering)
  • attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)
  • assessment and attainment- information on performance in internal and national assessments and examinations (such as post 16 courses enrolled for and any relevant results)
  • behavioural information (such as exclusions and any relevant alternative provision put in place)
  • information about attendance on school trips and activities (safety issues and risks for keeping a pupil safe, emergency contact details, next of kin)
  • personal information regarding pupil’s parents/guardians and/or other relatives (such as name, contact details and relation to the child)
  • photographic, visual and video images, audio recordings, on-line live streaming and recordings, and CCTV footage (for learning, assessment, safety and identity purposes

Why we collect and use pupil information

The personal data collected is essential in order for the school to fulfil our official functions and meet legal requirements.

We collect and use pupil information, for the following purposes:

  • to support pupil learning
  • to safeguard pupils
  • to monitor and report on pupil attainment and educational progress
  • to provide appropriate welfare and pastoral care
  • to assess the quality of our services
  • to assess special educational needs and transport requirements
  • to keep children safe (food allergies, or emergency contact details)
  • to meet the statutory duties placed upon us by the Welsh Government and Public Health Wales with regard to protecting public health
  • to monitor attendance and absence data
  • to communicate effectively and to provide support and guidance to pupils, parents and carers
  • to enable pupils to move from one educational setting to another seamlessly or where we have co-operation arrangements with other schools, for delivery of local curricular entitlements
  • to meet the statutory duties placed upon us by the Welsh Government with regard to data collection
  • to maintain our accounts and records
  • to organise educational events and trips
  • for planning and management of the school
  • to record monetary payments to and from pupils and parents/guardians
  • to comply with data protection legislation
  • to share data for statutory audit and monitoring purposes
  • for security monitoring and the prevention and detection of crime (CCTV)

The information will not be used for purposes that are not compatible with why it is gathered in the first instance, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process personal data without your knowledge or consent, where this is required or permitted by law.

We collect and use personal information because we have one of the following legal bases for processing (Article 6 (GDPR)):

  • to comply with a legal obligation
  • to perform a public interest task
  • for the performance of a contract

Less commonly, we may also use personal information where:

  • you have given us consent to use it in a certain way (example- use of pupil photos on websites, social media)
  • we need to protect your vital interests (or someone else’s interests

Where you have provided us with consent to use personal data, you may withdraw this consent at any time.

We are required to share information under specific legislation and regulations.

Some of the reasons listed above for collecting and using personal information overlap, and there may be several grounds which justify the school’s use of your data.

If we process any special category data, in addition to one of the legal bases above, processing will be necessary because one of the conditions under Article 9 (GDPR) applies. We may collect and use the following special category information that reveals information regarding:

  • racial or ethnic origin
  • religious or philosophical beliefs
  • biometric data (where used for identification purposes)
  • physical or mental health
  • offences or alleged offences

We apply the following principles where we use personal information

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes ('purpose limitation')
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary
  • processed in a manner that ensures appropriate security of the personal data.

How we collect pupil information

We collect pupil information via admission forms, registration forms and consent forms usually completed at the start of each academic year, but we may also collect information at other times during the school year. In addition, when a pupil joins us from another school, we are sent a secure file containing relevant information.

We may also collect, store and share personal information including photographs, images and audio recordings via technologies that are used for on-line learning purposes and for communicating with pupils, parents and the wider community. This could be via technologies, apps and social media accounts (such as Microsoft Teams, Zoom, Facebook and Instagram).

We have CCTV systems in key locations for the purposes of safety and the prevention and detection of crime. Signs are prominently displayed notifying that CCTV is in operation and providing you with details of who to contact for further information about them. We will only disclose CCTV images to third parties for the purposes of public safety and the prevention and detection of crime.

Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us (and if so, what the possible consequences are of not complying), or whether you have a choice.

How we keep information accurate and up to date

We want to make sure that personal information is accurate and up to date. We ask that pupils, parents and carers take reasonable steps to ensure that the personal data that we hold about you and your child/those in your care, is accurate and that you update us of any changes. We will regularly confirm with you that the information held is correct, in particular addresses and contact details. We will update the information as soon as possible both in paper and in electronic records.

How we store pupil data

Personal data is stored in line with our Schools Data Protection Policy.

How long we keep the information before it is securely disposed of varies depending on the type of information, legal requirements and school need. We will process pupil data securely for the above purposes for no longer than necessary and in accordance to the set amount of time contained in our Schools Data Retention Schedule. This document can be obtained by contacting the Headteacher.

Who we share pupil information with

Where necessary and lawful, or when required by legal obligation, we may share relevant information with:

  • school staff and the Governing Body
  • family, carers and associates
  • other education and training bodies, including schools, when pupils are applying for courses, training, school transfer or seeking guidance on opportunities
  • our local authority, the Isle of Anglesey County Council, and other local authorities as required
  • Social services and other health and welfare organisations where there is a need to share information to protect and support individual pupils
  • Welsh Government
  • Education and training inspectorate (Estyn) and other regulatory bodies
  • GwE (School Effectiveness and Improvement Service for North Wales)
  • youth support services
  • education, training and examining bodies
  • NHS/school nurse/other healthcare professionals- either directly or via the local authority
  • Test, Trace and Protect Service (Public Health Wales) relating to Covid-19 matters
  • bodies doing research for the Welsh Government, local authority and schools, so long as steps are taken to keep the information secure
  • Police forces
  • courts
  • the press and media
  • agencies commissioned by us that provide services on our behalf.

We are also required by law to protect the public funds we administer and may share information provided to us with other bodies responsible for auditing or administering public funds in order to prevent and detect fraud and irregularity.

Why we routinely share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

Where appropriate, we will commit to develop and implement formal data sharing agreements based on the common set of principles and standards in accordance with the Wales Accord on the Sharing of Personal Information (WASPI).

Welsh Government & Local Authority
We are required to share information about our pupils with the Welsh Government either directly or via our local authority, the Isle of Anglesey County Council, for the purpose of data collections, under the Pupil Information (Wales) Regulations 2011.

The Welsh Government collects personal data throughout a pupil’s school life from educational settings and local authorities via various statutory data collections such as:

  • Pupil Level Annual School Census (PLASC)
  • Educated other than at school (EOTAS) pupil level collection
  • National data collection (NDC)
  • Attendance collection
  • Welsh National Tests (WNT) data collection
  • Post 16 data collection

In addition to the data collected as part of PLASC, the Welsh Government and local authorities also receive information regarding National Curriculum assessments, public examination results, and attendance data at individual pupil level, which comes from schools and/or awarding bodies (e.g. WJEC).

The local authority also uses the personal information collected via PLASC to do research. It uses the results of this research to make decisions on policy and the funding of schools to calculate the performance of schools and help them to set targets. The research is carried out in such a way that ensures individual pupils cannot be identified.

The pupil data that we lawfully share with the Welsh Government through data collections, is used for the below purposes:

  • statistical and research purposes which will help to inform, influence and improve education policy
  • monitor the performance and how well the education services are being provided so that they can be improved
  • help monitor and target funding effectively
  • publication purposes
  • production of school and local authority level analysis for schools, local authorities and consortia
  • inform wider education and social policies
  • research purposes wider than education (data is anonymised)

To find out more about the data collection requirements placed on us by the Welsh Government, including the data that we share with them, go to https://gov.wales/data-collection-and-information-management-for-schools

All data is transferred securely and held by the Welsh Government under a combination of software and hardware controls, including HWB (digital platform for learning and teaching in Wales).

Test, Trace and Protect Service (Public Health Wales)
We may be required to share your personal information with the Test, Trace and Protect Service, and in some cases with the Isle of Anglesey County Council, in order to protect pupils, school staff and the wider community against the spread of Covid-19.

To find our more about the Test, Trace and Protect Service, go to https://gov.wales/test-trace-protect

Youth support services
We also pass pupil information to our local authority and/or providers of youth support services, under the Learning and Skills Act 2000 and the Learning and Skills (Wales) Measure 2009, as they have responsibilities in relation to education or training from age 11 to 19.

This enables them to provide services as follows:

  • youth support services
  • careers advisers
  • post-16 education and training providers

The information shared is limited to the pupil’s name, address and date of birth. However where a parent or guardian provides their consent, other information relevant to the provision of youth support services will be shared. Under the Learning and Skills Act 2000, this right is transferred to the child/pupil once he/she reaches the age of 16.

Data is securely transferred to the youth service.

For more information about services for young people, please visit our local authority website.

How we look after your information

Under data protection legislation, we must protect any information that we collect from you. We have put in place appropriate security measures and applied security standards and controls to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Information which you have provided will be stored securely. In addition, we limit access to personal data to those employees, contractors and other third parties who need to have access to it. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your data protection rights

Under data protection law, you have rights including:

Your right to obtain confirmation that information about you is being used

Your right of access - you have the right to ask us for copies of your personal information (please see ‘requesting access to your personal data’ below for more details).
Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - you have the the right to object to the processing of your personal data in certain circumstances. You have the right to object to processing of personal data that is likely to cause, or is causing, damage or distress.
Your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

In certain circumstances, you also have the following rights to:

  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • seek redress, either through the ICO, or through the courts.

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. This is commonly known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.

To make a request for your personal information, or be given access to your child’s educational record, contact the school office directly.

You will be provided with copies of your personal data within the statutory period of one month (or if providing your personal data is a complex matter, this will be done as soon as is reasonable within 3 months).

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Your personal data will be provided to you free of charge, however, if your request is clearly unfounded, repetitive or excessive, a reasonable fee will be charged. Alternatively, we may refuse to comply with your request in these circumstances.

Contact

The following are details of the school as the data controller:

Name of School: Ysgol David Hughes

E-mail: post@ysgoldavidhughes.org

Telephone: 01248 712287

Address: Pentraeth Road, Menai Bridge, Anglesey, LL59 5SS

We have also appointed a Schools Data Protection Officer through the local authority. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the Schools Data Protection Officer using the details set out below:

E-mail: dpoysgolionmon@ynysmon.gov.uk

Telephone: 01248 751 833

Address: Learning Service, Isle of Anglesey County Council, Council Offices, Llangefni, Anglesey, LL77 7TW

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) who is the independent regulator for data protection. If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance, so that we can try to resolve any issues.

Information Commissioner’s Office (ICO):

E-mail: https://ico.org.uk/concerns/

Telephone: 0303 123 1113

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Advice and guidance is available via their website www.ico.org.uk

Changes to our Privacy Notice

We keep our Privacy Notice under regular review and will share any revisions.