Privacy Notice – Employees, Consultants and Volunteers
This privacy notice advises employees, workers, self-employed staff and/or consultants, governors and volunteers of the school’s data protection responsibilities on the collection and processing of their personal information.
We collect and process your personal data to assist in the running of the school and to manage the employment relationship of, or otherwise manage, those who are engaged to work or perform services for us.
We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.
We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that individuals’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com. Questions about this policy, or requests for further information, should be directed to her.
What is personal information and what does processing mean?
Personal information is any information that relates to you that can be used directly or indirectly to identify you.
Personal information and processing are defined as follows:
- Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).
Data protection principles
We process personal data about pupils in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent way.
- We collect personal data only for specified, explicit and legitimate purposes.
- We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
Our legal basis (grounds) for using your personal data
There are several reasons why we hold, process and share individuals’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
- For the performance of a contract.
- To comply with a legal obligation.
- To protect the vital interests of the pupil or another person.
- For a task carried out in the public interest.
- For a legitimate interest of the school or one of the organisations it shares data with (e.g. legal adviser) except where those rights are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, particularly in the case of a child.
Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.
We may ask for your consent to use your information in certain ways, for example use of photographs on trust or school websites, occupational health referrals, reference requests or rental/mortgage application reference requests. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.
Performance of a contract
We need to process data to enter into an employment contract or other contract of engagement with you and to meet our obligations under such contract. For example, we need to process your data to provide you with a contract, to pay you in accordance with your contract and to administer benefit, pension and insurance entitlements.
Your personal data, where it is reasonable to do so, may also be shared with other professionals contracted by the school, such as legal and professional advisers or HR providers.
Other examples include:
- We operate and keep a record of absence and absence management procedures, to allow effective workforce management and to ensure that employees are receiving the pay or other benefits to which they are entitled.
- We obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
- We operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with contractual or legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
- Maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights.
- Ensure effective general HR and business administration.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we must check an employee’s or worker’s entitlement to work in the UK, deduct tax, comply with health and safety laws and enable staff to take periods of leave to which they are entitled. Safer recruitment procedures in schools also require appropriate checks to be made on people who work with children.
Statutory reporting requirements are included within this section, as is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.
Other examples include:
- We obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
- We operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
This legal basis can be used where, for example, we need to disclose information about you to prevent you or someone else from being seriously harmed or killed. An example can include providing information to a medical professional about you in circumstances where you are unable to provide the information yourself. It may cover an emergency situation.
We have a legitimate interest in processing personal data before, during and after the end of the employment or contractual relationship/engagement. Processing employee data allows us to:
- Run recruitment and promotion processes.
- Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace.
- Operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes.
- Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled.
- Obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
- Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with contractual or legal duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled.
- Respond to and defend against legal claims or other investigatory processes.
Why do we collect and process individuals’ personal data?
We process data relating to those we employ to work at, or otherwise engage to work or support the school. The purpose of processing this data is to assist in the running of the school, including to:
- Enable individuals to be paid.
- Facilitate safe recruitment.
- Support the effective performance management of staff.
- Improve the management of workforce data across the sector.
- Inform our recruitment and retention policies.
- Allow better financial modelling and planning.
- Enable ethnicity and disability monitoring.
- Support the work of the School Teachers’ Review Body.
What data do we hold on you?
The personal data we hold regarding you can include, but is not limited to, information such as:
- Your name and address.
- Email address and telephone number.
- Date of birth.
- Marital status.
- Emergency contacts.
- Your nationality and entitlement to work in the UK.
- Bank details.
- National insurance number.
- Your employment contract(s).
- Salary and benefits.
- Pension details and insurance cover.
- Your hours and days of work.
- Details of periods of leave taken by you, such as holiday, sickness, maternity/paternity leave or other leave and the reasons.
- Qualifications and skills.
- Car registration details.
- Work experience and employment history.
- Information about your criminal record.
- Your disciplinary or grievance records.
- Appraisals and related correspondence.
- Details of medical or health conditions.
- Disability status.
- Records of any reasonable adjustments.
- Equal opportunities monitoring information.
Any staff member engaged by us wishing to see a copy of the information about them that we hold should contact Lynne Harrison, Trust Business Manager.
How do we obtain personal data?
We may collect this information in a variety of ways. For example, data might be collected through:
- Application forms, CVs or resumés.
- Your passport or other identity documents, such as your driving licence.
- From third parties such as the Disclosure and Barring Service (DBS) in carrying out safeguarding checks.
- Forms completed by you at the start of or during your employment or engagement with us (such as benefit nomination forms).
- Correspondence with you.
- Interviews, meetings or other assessments.
We will not share information about those engaged at the school with third parties unless the law or our policies allow us to. In circumstances where consent is the basis for processing, such as with references, we will not share your data with third parties unless we have your consent.
We are required, by law, to pass certain information about staff or those engaged by us to specified external bodies, such as our local authority (LA) and the Department for Education (DFE), so that they are able to meet their statutory obligations.
In some cases, the school may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
On some occasions, the school will process your personal data for the performance of a contract that it may hold with a third party, for example a data security contract with a third-party IT services provider, or a contract for facilitating access to the library or homework systems.
Who has access to your personal data?
Your personal data may be shared internally with other members of staff in order for them to perform their roles. This can include sharing personal data with the senior leadership team, governors, trustees, HR (including payroll), your line manager, managers and IT staff. We may also share your personal data with third parties. This can include when obtaining background checks as part of safer recruitment guidelines, pre-employment references and criminal records checks from the DBS. The school may also share your data with third parties in the context of a TUPE transfer.
We share your data with third parties that process data on our behalf, for example, in connection with payroll, the provision of benefits such as your pension and the provision of occupational health services. Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.
Sending information to other countries
With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.
Our servers and storage systems are based in-house and within the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.
Automated decision-making and profiling
We do not make automated decisions about individuals, nor do we carry out automated processing to evaluate certain information about an individual (profiling).
Special categories of personal data
We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.
Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).
The school also processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief. This is done for the purposes of equal opportunities monitoring and in accordance with its Public Sector Equality Duty under the Equality Act.
Some of the reasons we process such data on employees include:
- Legal claims. The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisers and insurers.
- Medical purposes. This includes medical treatment and the management of healthcare services.
How do we protect individuals’ personal data?
We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where possible, uses secure software data exchange applications, uses secure shared folders, uses passwords, virus protection and has appropriate firewalls.
How long do we keep your personal data?
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will keep certain information after you have left the school. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.
What rights do you have in relation to your information?
When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.
- The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
- The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
- The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
- The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
- The right to object. Individuals have the right to object to:
  - Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  - Direct marketing.
  - Processing for scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling.
Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights .
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.