Page last reviewed: 22 March 2022
This page contains Aylesbury UTC privacy policies, related to how we protect your data, how we use your data, and your legal rights. For PDF copies of these policies, please click here. Please contact the Trust Business Manager, Lynne Harrison with questions about the policies or requests for further information. Email GDPR@wallingfordschool.com.
This privacy notice advises pupils of the school’s data protection responsibilities on the collection and processing of pupil’s personal information.
You are being provided with this notice because current guidelines state that pupils from the age of 13 are considered mature enough to make decisions about their own personal information.
This notice provides details about:
We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that pupils’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com Questions about this policy, or requests for further information, should be directed to her.
Personal information is any information that relates to you that can be used directly or indirectly to identify you. This includes information such as your name, date of birth and address as well as information relating to your exam results, medical details and behaviour records. This may also include sensitive personal information, such as your religion or ethnic group, photos and video recordings.
Personal information and processing are defined as follows:
We process personal data about pupils in accordance with the following data protection principles:
In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
Our legal basis (grounds) for using pupils’ personal data
There are several reasons why we hold, process and share pupils’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.
We may ask for your consent to use your information in certain ways. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid. The use of photographs for the school website or other publicity would be an example of when we would do this.
This is where we need to use pupils’ personal data to comply with a legal obligation. Statutory reporting requirements to the Department for Education (DFE) are included within this section. As is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.
This legal basis can be used where, for example, we need to disclose information about pupils to prevent them or someone else from being seriously harmed. An example can include providing information to a medical professional about a pupil in circumstances where they are unable to provide the information themselves. It is likely to cover an emergency medical situation.
We consider that we are acting in the public interest when providing education. Specifically, we have a public interest in:
We have many legitimate interests for which we hold, retain, process and share pupils’ personal data. The GDPR states that the exception to using this ground is where it is detrimental to a pupil’s rights.
We use pupils’ personal data to:
We obtain personal data in a variety of ways. Some of the information comes from the admissions forms and acceptance forms which have been supplied to us. We also receive information about pupils from other schools and agencies, such as healthcare professionals. Data is also obtained from your parents, carers or guardians, your teachers and other pupils.
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. We share pupils’ data with the DFE on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. Pupils’ data, where it is reasonable to do so, may also be shared with other professionals contracted by the school, such as legal and professional advisers or insurers. In addition, a data security contract with a third-party IT services provider or as part of cloud-based storage may also process your personal data for the purpose of securely holding and protecting your data.
The NPD is owned and managed by the DFE. It contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the DFE. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities (LAs) and awarding bodies.
We are required by law to provide information about our pupils to the DFE as part of statutory data collections, such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to this link.
The DFE may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
The DFE has robust processes in place to ensure the confidentiality of our data is maintained. There are stringent controls in place regarding access to and use of the data. Decisions on whether the DFE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the DFE’s data sharing process, please visit this link.
For information about which organisations the DFE has provided pupil information to (and for which project), please visit this link.
Once our pupils reach the age of 13, we also pass pupil information to our LA and/or provider of youth support services, because they have responsibilities in relation to the education or training of 13–19 year olds under section 507B of the Education Act 1996.
This enables them to provide services such as:
A parent, carer or guardian can request that only your name, address and date of birth is passed to their LA or provider of youth support services by informing us. This right is transferred to you once you reach the age of 16.
Here are some further examples of why we collect, hold and share pupils’ personal data. If you would like more information about any of these, please contact our Data Protection Officer.
We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).
We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.
Some of the reasons we process such data on pupils include:
We take the security of pupils’ personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where practical, uses passwords, virus protection and has appropriate firewalls.
With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions. Our servers and storage systems are based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect pupils’ personal data.
We keep pupils’ personal data for the time they are at our school. We will also keep certain information after pupils have left the school. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.
When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.
There are specific rights in relation to a child’s personal data. Further guidance and advice on the above rights can be obtained from the ICO’s website.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.
This privacy notice advises employees, workers, self-employed staff and/or consultants, governors and volunteers of the school’s data protection responsibilities on the collection and processing of their personal information.
We collect and process your personal data to assist in the running of the school and to manage the employment relationship of, or otherwise manage, those who are engaged to work or perform services for us.
We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.
We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that individuals’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com. Questions about this policy, or requests for further information, should be directed to her.
Personal information is any information that relates to you that can be used directly or indirectly to identify you.
Personal information and processing are defined as follows:
We process personal data about pupils in accordance with the following data protection principles:
In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
There are several reasons why we hold, process and share individuals’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
Sometimes the handling of pupils’ personal data falls within several of the above lawful grounds.
We may ask for your consent to use your information in certain ways, for example use of photographs on trust or school websites, occupational health referrals, reference requests or rental/mortgage application reference requests. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.
We need to process data to enter into an employment contract or other contract of engagement with you and to meet our obligations under such contract. For example, we need to process your data to provide you with a contract, to pay you in accordance with your contract and to administer benefit, pension and insurance entitlements.
Your personal data, where it is reasonable to do so, may also be shared with other professionals contracted by the school, such as legal and professional advisers or HR providers.
Other examples include:
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we must check an employee’s or worker’s entitlement to work in the UK, deduct tax, comply with health and safety laws and enable staff to take periods of leave to which they are entitled. Safer recruitment procedures in schools also require appropriate checks to be made on people who work with children.
Statutory reporting requirements are included within this section. As is disclosing information to third parties such as the courts or the police where we are legally obliged to do so.
Other examples include:
This legal basis can be used where, for example, we need to disclose information about you to prevent you or someone else from being seriously harmed or killed. An example can include providing information to a medical professional about you in circumstances where you are unable to provide the information yourself. It may cover an emergency situation.
We have a legitimate interest in processing personal data before, during and after the end of the employment or contractual relationship/engagement. Processing employee data allows us to:
We process data relating to those we employ to work at, or otherwise engage to work or support the school. The purpose of processing this data is to assist in the running of the school, including to:
The personal data we hold regarding you can include, but is not limited to, information such as:
Any staff member engaged by us wishing to see a copy of the information about them that we hold should contact Lynne Harrison, Trust Business Manager.
We may collect this information in a variety of ways. For example, data might be collected through:
We will not share information about those engaged at the school with third parties unless the law or our policies allows us to. In circumstances where consent is the basis for processing, such as with references, we will not share your data with third parties unless we have your consent.
We are required, by law, to pass certain information about staff or those engaged by us to specified external bodies, such as our local authority (LA) and the Department for Education (DFE), so that they are able to meet their statutory obligations.
In some cases, the school may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
On some occasions, the school will process your personal data for the performance of a contract that it may hold with a third party. For example, a data security contract with a third-party IT services provider or as for facilitating access to the library or homework systems.
Your personal data may be shared internally with other members of staff in order for them to perform their roles. This can include sharing personal data with the senior leadership team, governors, trustees, HR (including payroll), your line manager, managers and IT staff. We may also share your personal data with third parties. This can include when obtaining background checks as part of safer recruitment guidelines, pre-employment references and criminal records checks from the DBS. The school may also share your data with third parties in the context of a TUPE transfer.
We share your data with third parties that process data on our behalf, for example, in connection with payroll, the provision of benefits such as your pension and the provision of occupational health services. Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.
With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.
Our servers and storage systems are based in house and within the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.
We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).
We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.
Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).
The school also processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief. This is done for the purposes of equal opportunities monitoring and in accordance with its Public Sector Equality Duty in accordance with the Equality Act.
Some of the reasons we process such data on employees include:
We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where possible, uses secure software data exchange applications, uses secure shared folders, uses passwords, virus protection and has appropriate firewalls.
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will keep certain information after you have left the school. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.
When the GDPR comes into force in May 2018 out of date, needs rewording, you will have the following rights in relation to your personal data. Some of these rights are new.
Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights .
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.
This privacy notice advises pupils of the school’s data protection responsibilities on the collection and processing of their personal information.
We collect and process your personal data as part of the recruitment process in relation to the role you are applying for. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.
We have appointed Lynne Harrison, Trust Business Manager as the person with responsibility for ensuring that pupils’ personal information is held and processed in the correct way. She can be contacted at GDPR@wallingfordschool.com Questions about this policy, or requests for further information, should be directed to her.
Personal information is any information that relates to you that can be used directly or indirectly to identify you. Personal information and processing are defined as follows:
We process personal data about pupils in accordance with the following data protection principles:
In our privacy notices, we tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data or criminal records data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
The academy will obtain your consent to hold, process and share your personal data in relation to the recruitment process.
You are under no obligation to provide your consent to provide data to the school during the recruitment process. If you do not consent to the school holding, processing and sharing your personal data during the recruitment process, the school may not be able to process your application.
In some cases, the school will need to process data to ensure that it is complying with its legal obligations. For example, the school must check an applicant’s entitlement to work in the UK. Safer recruitment procedures in schools also require appropriate checks to be made on people who work with children.
The school processes data relating to applicants to assist in the recruitment process, including to:
The personal data we hold regarding you can include, but is not limited to, information such as:
Any applicant wishing to see a copy of the information about them that we hold should contact the Trust Business Manager.
We may collect this information in a variety of ways. For example, data might be collected through:
In accordance with the school’s safer recruitment obligations, the school will also collect personal information about you from third parties. This will include obtaining references from your previous employer and from third parties such as the Disclosure and Barring Service (DBS) to ensure the relevant safeguarding checks are completed.
We will not share information about you with third parties without your consent, unless the law or our policies allows us to.
In the event you are successful, we are required, by law, to pass certain information about those engaged by us to specified external bodies, such as our local authority (LA) and the Department for Education (DFE), so that they are able to meet their statutory obligations.
Your personal data may be shared internally with other members of staff involved in the recruitment process in order for them to perform their roles. This can include sharing personal data with the senior leadership team, governors, trustees and HR (including payroll). We may also share your personal data with third parties. This can include when obtaining background checks as part of safer recruitment guidelines, pre-employment references and criminal records checks from the DBS.
Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule and the processing purposes we state.
With cloud-based storage and some other services sometimes being supplied outside the UK, personal data can be sent to other jurisdictions.
Our servers and storage systems [are/are not] based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.
We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).
We must also comply with an additional condition where we process special categories of personal data. These special categories include: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric information, health information, and information about sex life or orientation.
Some special categories of personal data, such as information about health or medical conditions, are processed to comply with employment law and health and safety obligations (such as those in relation to employees with disabilities).
The school also processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief. This is done for the purposes of equal opportunities monitoring and in accordance with its Public Sector Equality Duty in accordance with the Equality Act.
Some of the reasons we process such data on applicants include:
We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the school uses encrypted devices where practical, uses passwords, virus protection and has appropriate firewalls.
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
If you are successful in being appointed to the role, all personal data collected by the school will be processed and transferred to your personnel file. We are not required to keep certain documents, such as a copy of your passport, for longer than is required to confirm your identity and to establish your right to work in the UK. Details of how long we retain certain documents is contained in our Retention Schedule. A copy of our Retention Schedule is available from the school website or from the Data Protection Officer.
Ongoing collection and processing of your personal data in relation to your employment with the school is explained in our privacy notice for employees, a copy of which will be provided to you during induction.
If you are unsuccessful in your application, the school will retain your personal information for a period of 6 MONTHS after the end of the recruitment process. With your consent, the school will keep your personal data on file for a further 6 months for consideration of future employment opportunities. Should you withdraw your consent within that time, or once that time period has expired, your data will be deleted or destroyed.
When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.
Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting the Data Protection Officer. If you would like to exercise any of the above rights please contact the Data Protection Officer who will send you our Data subject’s rights application form.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.
This guidance applies to the retention of all records within schools. Some of the guidance below relates to records within schools that will contain ‘personal data’. Personal data is defined under the General Data Protection Regulation (GDPR) as:
Under the new data protection laws, it is each organisation’s responsibility to ensure compliance with the GDPR which comes into force on 25 May 2018. Therefore, where records contain personal data, schools need to be aware of the additional obligations they need to meet.
In brief, the GDPR introduces several legal obligations in relation to records containing personal data. This includes obligations such as advising data subjects of the information you hold on them, the purpose for which you hold or process such information, how long you hold it for (the retention period), the legal basis for which you process the personal data and what the data subject’s rights are in relation to the data.
Overall, personal data should be kept for no longer than necessary. This means that schools need to be aware of how long each type of record needs to be retained in law, where it might be judicious to retain records for a longer period, and how to destroy records that are no longer needed. To assist schools in identifying records that may contain personal data, they are advised to complete a data protection audit. One is available on the CEFM website under the GDPR section.
Under the Freedom of Information Act 2000, schools are required to maintain a retention schedule listing the record series which the school creates in the course of its business. The retention schedule lays down the length of time for which the record needs to be maintained and the action which is taken when it is of no further administrative use (what is destroyed, when it was destroyed and by whom).
This policy is based upon the policy recommended by the Records Management Society for maintained schools in England and that produced by Buzzacott LLP for compliance with the Charity Commission’s requirements. Wallingford School recognises that the efficient management of its records is necessary to comply with its legal and regulatory obligations and to contribute to the effective overall management of the organisation. This document provides the policy framework through which this effective management can be achieved and audited.
This policy applies to all records created, received or maintained by staff of the school in the course of carrying out its functions. This policy also applies to all accounting records required for retention by the Charity Commission under the Charities Act 2011 and under the Companies Act 2006, as well as those records required by HMRC and others to be retained. Records are defined as all those documents which facilitate the business carried out by the school and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. These records may be created, received or maintained in hard copy or electronically.
A small percentage of the school’s records will be selected for permanent preservation as part of the school’s archives and for historical research.
The school keeps records under a wide variety of headings:
The school has a corporate responsibility to maintain these records and record keeping systems in accordance with the regulatory environment.
The person with overall responsibility for this policy is Trust Business Manager who will give guidance for good records management practice and will promote compliance with this policy so that information will be retrieved easily, appropriately and in a timely fashion.
The storage and retention of digital information will be handled on a day-to-day basis by the IT Network Manager under guidance of the Head, ensuring that records are held securely, backed-up on suitable systems, archived when necessary and checked regularly for ease of retrieval when required. Guidance may also be required from the school’s nominated data protection officer to ensure compliance.
Individual staff and employees must ensure that records for which they are responsible, particularly any that are kept on personally owned devices, are accurate, kept securely, and are maintained and disposed of in accordance with the school’s records management guidelines. Loss and destruction of records that contain personal data can carry significant penalties from the Information Commissioner’s Office (ICO). It is important for schools to be aware of this and ensure personal data is not placed at risk and that there are appropriate safeguards in place. There may be further consequences for individuals who fail to comply with safe record keeping guidelines and policies.
The chief financial officer is responsible for the secure retention of all financial documents for the period required by the Companies Act and charity legislation. These documents may be requested by authorised external agencies at any time, for example the academy’s auditors or the EFA. The chief financial officer makes arrangements with the IT Network Manager for the secure retention of electronic accounting records.
The guidelines follow those set out in the Records Management Toolkit for schools version 5 (updated in February 2016), and can be found on the Information and Records Management Society’s website http://irms.org.uk/page/SchoolsToolkit.
There are a number of benefits from the use of a complete retention schedule:
Old accounting and personnel records, and some other records, will be archived until being disposed of. Archived records will:
Before deciding on whether records will be stored electronically the school will consider:
A record of all documents that have been archived electronically or on microfilm will be kept.
When the period of retention has expired, and there is no other reason to keep them, the records may be disposed of safely and securely. Particular regard must be paid when disposing of records containing personal data. The records will be completely destroyed by shredding paper, cutting up CDs and similar items and dismantling and destroying hard drives. Non-sensitive papers will be bundled and disposed of to a waste paper recycling merchant. A list is kept of records which have been destroyed. This list includes:
This policy has been drawn up within the context of the Freedom of information policy, the Data protection policy and with other legislation or regulations (including audit, equal opportunities and ethics) affecting the school and will be monitored to ensure that the retention guidelines updated by the Records Management Society periodically are adhered to. In addition Wallingford School, being an academy, recognises the specific requirements for the retention of accounting records and other corporate records by the Charity Commission, HMRC and under the Companies Act 2006 and will therefore monitor the guidelines as recommended by the Charity Commission in the document ‘Retention of accounting records and other corporate records’
The governing board is responsible for the maintenance of this policy and will review it annually in the light of recommendations and any changes made by the Information and Records Management Society and the Charity Commission.
Next school review date: May 2019
