The Crypt School Data Privacy Notice for Pupils and Parents
(How we use pupil and parent information)
The General Data Protection Regulation (GDPR) is a new set of rules designed to make sure people’s personal data is kept safe and not used inappropriately. "Personal data" means data that relates to a living individual who can be identified. It includes names, addresses and other contact details, photographs, identification numbers or online identifiers and location data.
This notice summarises why we collect personal data; how we use that data; and your rights in relation to the personal data the School holds about you. In this notice, we use the term ‘parent’ to mean any person having parental responsibility or care of a child.
Why do we collect and use information about you?
By law, we have to collect and use certain information about you. For example, we have to process your data to meet the requirements of:
- The Education Act 1996 (which requires schools to provide data to certain national databases on education)
- The School Admissions Code (which ensures that school places are allocated and offered fairly)
- Keeping Children Safe in Education (which sets out rules for schools in order to keep pupils safe and promote their welfare).
We also process your data to carry out our responsibilities as a school. We use your data:
- To support, monitor and report on pupil learning and progress, including taking external exams
- To provide wider care and support for students in our School – this is known as ‘pastoral care’
- To assess the quality of what we do as a school, so that we can continually learn and improve
- To meet the requirements of the law regarding data sharing.
The lawful basis on which we use this information
The Crypt School holds the legal right to collect and use personal data relating to pupils and their families; and we may also receive information regarding them from their previous school, local authorities and the Department for Education.
We collect and use personal data in order to fulfil legal obligations, or because the processing is necessary for us to carry out our responsibilities as a school. Where we process your personal data that has additional special protection under the data protection law, we do this to fulfil our legal obligations in relation to education and child protection.
Sometimes we need your consent to collect or use your data (for example, using pupils’ photographs on the School website, or using biometric data for the cashless payment system for catering). We will make it clear when we need your agreement to collect or use your data in a certain way. Our policy is to seek consent from parents in relation to data about pupils in the main School (Years 7-11); 6th form students may give consent themselves. Where you have given us consent, you have the right to withdraw it at any time.
The categories of pupil information that we collect, hold and share (with appropriate people when required) include:
- Personal Information (such as name, date of birth, siblings at the School, address and home contact details and unique pupil number)
characteristics, which we need for the annual national school census and to
ensure you receive financial support when needed. The census is an annual survey of all
students in the country undertaken by the Government. This survey includes data
- Ethnicity eg Asian, African, White, mixed race etc
- Country of birth
- Whether a pupil is eligible for financial support through ‘pupil premium’
- Attendance information (such as sessions attended, number of absences and absence reasons). We need to record this by law to ensure children are receiving their entitlement to an education
- Assessment information (such as Key Stage 2 results, on-going assessments throughout pupils’ time in school and GCSE/A Level results
- Information about your behaviour, including detentions, exclusions and Closed Circuit TV recordings, so that we can promote pupils’ welfare and help them achieve their best
- Special educational needs and disabilities information and medical information, to ensure pupils have the support they are entitled to and are kept safe and well
- Biometric data for the cashless catering payment system (we collect this data only with your consent)
- Driving licence and vehicle insurance/MOT information (for student drivers only)
- Daily events (for example, if you are sent home sick).
- Personal Information (such as name, address and home contact details – email, mobile telephone)
- Parents’ occupations, so that we may invite you to become involved in relevant School activities
- Bank account details (in relation to processing of payments or donations to the School). We obtain your consent to collect and hold this information. We do not share this information with anyone, but it may be inspected by accountants for auditing (checking) purposes.
The categories of parent information that we collect, hold and share (with appropriate people when required) include:
Storing personal data
We hold your data securely either on our school network, external servers (cloud storage) or in locked filing cabinets. Offices containing secure data have restricted access. We also make sure that people only have access to data that they need for their job and not necessarily everything we hold about you. Access to any sensitive personal data is strictly restricted to only those who need to see it.
We keep pupils’ school record information until after their 25th birthday; we are required to do this by law. After that, your record is archived in secure storage and may be accessed only with your agreement or for scientific or historical research or statistical purposes (in accordance with our data protection policy).
Other information is disposed of securely in accordance with our Records Retention Schedule. These set out the time period for which different categories of data are kept, and ensure that personal information is not kept for longer than necessary. We use a company with special authorisation to destroy paper records of personal data.
Who we share pupil information with
We routinely share pupil information with:
- schools that our pupils attend after leaving us
- our local authority, which is Gloucestershire County Council (GCC)
- the Department for Education (DfE)
- the NHS or school nurse (including to support national vaccination programmes)
- Counsellors or educational psychologists as and when appropriate
- Alps, which is a system that uses students’ assessment results to help us set appropriate targets for [GCSE and] A level study and evaluate our teaching
- Exam boards for external examinations
- Microsoft, Google, Apple and the Oxford University Press, for the provision of IT learning accounts
- Other companies providing educational apps (e.g. MyMaths)
- ParentPay, to enable parents to pay online for catering, school trips and receive school communications.
Occasionally we also share pupil information with the Police, in order to promote pupils’ safety. We also provide references to possible future places of education or employment at your request.
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We are required to share information about our pupils with the DfE under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013. This data sharing is needed so that school funding can be allocated appropriately.
We are also required by law to share information about our pupils with the DfE to support national educational attainment policy and monitoring.
Some of the information we provide to the DfE is stored in the National Pupil Database, which is used to support research on how schools are performing (see Annex for more information).
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Youth support services
We also pass certain information about pupils aged 13+ and 16+ to our local authority (Gloucestershire County Council) and the provider of youth support services (Prospects), as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996. You (or your parent, if you are under 16) can request that only limited personal information is passed on, by informing us. For more information about services for young people, please visit http://youthsupportteam.co.uk/.
Requesting access to your personal data
Under data protection law, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or for a parent to be given access to your child’s educational record, please make a request in writing on a Data Subject Access form, which is available from the School Office.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- withdraw your consent, where you have given us consent to use personal information;
- prevent processing for the purpose of direct marketing (The Crypt School does not provide data to any organisation or individual for marketing purposes)
- object to decisions being taken by automated means (The Crypt School does not take any decisions by automated means)
- in certain circumstances, have personal data corrected, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting the Compliance Officer (firstname.lastname@example.org). Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact the Compliance Officer (email@example.com), or the School’s Data Protection Officer (DPO) at:
Gloucestershire County Council, School’s Data Protection Team, Information Management Service, Shire Hall, Westgate Street, Gloucester (tel. 01452 583619, email firstname.lastname@example.org).
Annex: The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides important evidence on how schools are performing, which is used to inform independent and DfE-funded research. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We must, by law, provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe