This Privacy Notice has been written to inform parents and students of Caedmon College Whitby about what we do with your personal information. This Notice may be subject to change as the Data Protection Bill progresses.
Who are we?
Caedmon College Whitby is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.
The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:
What information do we collect?
The categories of information that we collect, hold and share include the following:
- personal information of students and their family members e.g. name, student number, DOB and address
- educational attainment
- free school meal eligibility
- attendance information
- assessment information
- behavioural information
- safeguarding information.
We will also process certain ‘special category’ data about our students including:
- relevant medical information – please note that where the student has a severe allergy or is thought to be at risk of needing emergency care for a medical issue then this will be shared with all the staff. We may do this in the form of photo identification in the staff room to ensure that all staff are aware of the issues should an emergency situation arise
- Special Educational Needs and Disabilities information
- race, ethnicity and religion
- biometric data e.g. thumbprints.
Why do we collect your personal data?
We use the information we collect:
- to support student learning
- to monitor and report on student progress
- to provide appropriate pastoral care
- to assess the quality of our services.
Any personal data that we process about our students and parents is done so in accordance with Article 6 and Article 9 of GDPR:
Our legal basis for processing your personal data, in line with Article 6(1)(c) include:
- Education Act 1944, 1996, 2002
- Education and Adoption Act 2016
- Education (Information About Individual Pupils)(England) Regulations 2013
- Education (Pupil Information) (England) Regulations 2005
- Education and Skills Act 2008
- Children Act 1989, 2004
- Children and Families Act 2014
- Equality Act 2010
- Education (Special Educational Needs) Regulations 2001.
We also process information in accordance with Article 6(e) and Article 9(2)(g) as part of the official authority vested in us as Data Controller and for reasons of substantial public interest. Such processing, which is not mandatory but is considered to be in our students’ interests, include:
- school trips
- extra-curricular activities.
Whilst the majority of student information you provide to us is mandatory, some of it is provided to us on a voluntary basis. When we do process this additional information we will ensure that we ask for your consent to process this.
Who do we obtain your information from?
Much of the information we process will be obtained directly from you (students and parents). We will also process information received from:
- Department for Education (DfE)
- Local Education Authority (NYCC)
- previous schools attended.
Who do we share your personal data with?
We routinely share student information with:
- schools that the students attend after leaving us
- our Local Education Authority (NYCC)
- the Department for Education (DfE)
- National Health Service bodies
- Educational applications and websites
For more information on information sharing with the DfE (including the National Pupil Database and Census) please go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-andsupporting-information
We will not share any information about you outside the school without your consent unless we have a lawful basis for doing so.
Once our students reach the age of 13, we also pass information to our Local Authority and/or provider of youth support services as stipulated under section 507B of the Education Act 1996. The information provided includes addresses, DOB of student/parents, and any other information necessary for the provision of the service including gender or ethnicity.
A parent or guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child/student once he/she reaches the age 16.
For more information regarding services for young people please visit our Local Authority’s website: https://www.northyorks.gov.uk/welcome-our-children-and-young-peoples-service
How long do we keep your personal data for?
Caedmon College Whitby will keep your data in line with our Information Policy. Most of the information we process about you will be retained as determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.
What rights do you have over your data?
Under GDPR parents and students have the following rights in relation to the processing of their personal data:
- to be informed about how we process your personal data. This notice fulfils this obligation
- to request access to your personal data that we hold, and be provided with a copy of it
- to request that your personal data is amended if inaccurate or incomplete
- to request that your personal data is erased where there is no compelling reason for its continued processing
- to request that the processing of your personal data is restricted
- to object to your personal data being processed.
If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.
If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:
First Contact Team
Information Commissioner’s Office
firstname.lastname@example.org // 03031 231113