School User Privacy Policy

Privacy Notice The School Workforce: those employed to teach, or otherwise engaged to work at, a school or a local authority The EU General Data Protection Regulation (GDPR) On the 25th May 2018 the General Data Protection Regulation (GDPR) will be applicable and the current Data Protection Act (DPA) will be updated by a new Act giving effect to its provisions. Before that time the DPA will continue to apply. Data Controller St Philip Howard Catholic High School complies with the GDPR and is registered as a ‘Data Controller’ with the Information Commissioner’s Office (Reg. No. ZA245247). The Data Protection Officer (DPO) for the School is Samantha McManus We ensure that your personal data is processed fairly and lawfully, is accurate, is kept secure and is retained for no longer than is necessary. The Legal Basis for Processing Personal Data The main reason that the school processes personal data is because it is necessary in order to comply with the schools legal obligations and to enable it to perform tasks carried out in the public interest, The school may also process personal data if at least one of the following applies:  in order to protect the vital interests of an individual  there is explicit consent.  to comply with the school’s legal obligations in the field of employment and social security and social protection law  for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity  for reasons of public interest in the area of public health  for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, based on law, or pursuant to contract with a health professional  for reasons of substantial public interest, based on law, which is proportionate in the circumstances and which has provides measures to safeguard the fundamental rights and the interests of the data subject; The categories of school workforce information that we collect, process, hold and share include:  personal information (such as name, employee or teacher number, national insurance number)  special categories of data including characteristics information such as gender, age, ethnic group  contract information (such as start dates, hours worked, post, roles and salary information)  work absence information (such as number of absences and reasons)  performance (such as capability and disciplinary matters)  qualifications and recruitment information (and, where relevant, subjects taught)  information relevant to the School Work Force Census and absence information. Why we collect and use staff information We process personal data relating to those we employ to work at, or otherwise engage to work at our School for:  employment purposes,  enable the development of a comprehensive picture of the workforce and how it is deployed  inform the development of recruitment and retention policies  to assist in the running of the School  to enable individuals to be paid. The collection of this information will benefit both national and local users by:  improving the management of workforce data across the sector  enabling development of a comprehensive picture of the workforce and how it is deployed  informing the development of recruitment and retention policies  allowing better financial modelling and planning  enabling ethnicity and disability monitoring; and  supporting the work of the School Teachers’ Review Body  protecting vulnerable individuals;  the prevention and detection of crime Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you whether you are required to provide certain school workforce information to us or if you have a choice in this. Who we share this information with We will not give information about you to anyone outside the School without your consent unless the law allow us to. We routinely share this information with:  Bosco Academy Trust  Education and Skills Funding Agency  our local authority  the Department for Education (DfE)  Capita (payroll provider) Why we share school workforce information We do not share information about workforce members with anyone without consent unless the law and our policies allow us to do so. Local authority We are required to share information about our workforce members with our local authority (LA) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments. Department for Education (DfE) We share personal data with the Department for Education (DfE) on a statutory basis. This data sharing underpins workforce policy monitoring, evaluation, and links to school funding / expenditure and the assessment educational attainment. We are required to share information about our pupils with the (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments. Data collection requirements The DfE collects and processes personal data relating to those employed by schools (including Multi Academy Trusts) and local authorities that work in state funded schools (including all maintained schools, all academies and free schools and all special schools including Pupil Referral Units and Alternative Provision). All state funded schools are required to make a census submission because it is a statutory return under sections 113 and 114 of the Education Act 2005 To find out more about the data collection requirements placed on us by the Department for Education including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools. The department may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by:  conducting research or analysis  producing statistics  providing information, advice or guidance The department has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether DfE releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of:  who is requesting the data  the purpose for which it is required  the level and sensitivity of data requested; and  the arrangements in place to securely store and handle the data To be granted access to school workforce information, organisations must comply with its strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data. For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data To contact the department: https://www.gov.uk/contact-dfe Retention Periods Personal data will not be retained by the School for longer than necessary in relation to the purposes for which they were collected. Information will be held in accordance with the Information and Records Management Society Tool Kit for Schools. https://irms.site-ym.com/page/SchoolsToolkit CCTV. The school operates CCTV on the school site as it is considered necessary to protect pupils’ safety and/or the school’s property Biometrics The School operates biometric recognition systems for to purchase food from the school canteen. All data collected will be processed in accordance with the GDPR data protection principles and the Protection of Freedoms Act 2012 You written consent will be obtained before biometric data is taken and used. For more information about biometric data please refer to the ICO Guidance at the link below: https://www.gov.uk/government/publications/protection-of-biometric-information-of-children-in-schools Rights You have the right to: 1. be informed of data processing (which is covered by this Privacy Notice) 2. access information (also known as a Subject Access Request) 3. have inaccuracies corrected 4. have information erased 5. restrict processing 6. data portability (this is unlikely to be relevant to schools) 7. intervention in respect of automated decision making (automated decision making is rarely operated within schools) 8. Withdraw consent (see below) 9. Complain to the Information Commissioner’s Office (See below) To exercise any of these rights please contact the DPO Withdrawal of Consent The lawful basis upon which the School process personal data is that it is necessary in order to comply with the Schools legal obligations and to enable it to perform tasks carried out in the public interest. Where the School process personal date solely on the basis that you have consented to the processing, you will have the right to withdraw that consent. Complaints to ICO If you are unhappy with the way your request has been handled, you may wish to ask for a review of our decision by contacting the DPO. If you are not content with the outcome of the internal review, you may apply directly to the Information Commissioner for a decision. Generally, the ICO cannot make a decision unless you have exhausted our internal review procedure. The Information Commissioner can be contacted at: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.