The Pointer School takes our responsibilities as a data controller seriously and are committed to using the personal data we hold in accordance with the law.
This privacy notice provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the Data Protection Officer by emailing firstname.lastname@example.org, by telephone on 0208 2931331; or by post at The Pointer School, 19 Stratheden Rd, London, SE3 7TH.
2. TYPES OF PERSONAL DATA WE PROCESS
We process personal data about prospective, current and past:
- pupils and their parents;
- staff, suppliers and contractors;
- and other individuals connected to or visiting the school.
The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- family details;
- admissions, academic, disciplinary and other education related records, information about special educational needs, safeguarding records, references, examination scripts and marks;
- education and employment data;
- images, audio and video recordings;
- financial information (eg for bursary assessment);
- courses, meetings or events attended.
As a school, we need to process special category personal data (eg concerning health, ethnicity, religion or biometric data) and criminal records information about some individuals (particularly staff). We do so in accordance with applicable law (including with respect to safeguarding or employment) or by explicit consent.
3. COLLECTING, HANDLING AND SHARING PERSONAL DATA
We collect most of the personal data we process directly from the individual concerned (or in the case of pupils, from their parents). In some cases, we collect data from third parties (for example, referees, previous schools, the Disclosure and Barring Service, or professionals or authorities working with the individual) or from publicly available resources.
Personal data held by us is processed by appropriate members of staff for the purposes for which the data was provided. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to school systems. We do not transfer personal data outside of the European Economic Area unless we are satisfied that the personal data will be afforded an equivalent level of protection.
In the course of school business, we share personal data (including special category personal data where appropriate) with relevant third parties (eg the Local Children Safeguarding Board, DBS, NCTL, UK Visas and Immigration, HM Revenue and Customs, Department for Education and Department for Work and Pensions). Some of our systems are provided or hosted by third parties, eg school website, school calendar, school emails and educational software. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions. We do not otherwise share or sell personal data to other organisations for their own purposes.
4. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
We process personal data to support the school’s operation as an educational institution, and in particular
- The selection and admission of pupils;
- The provision of education to pupils including the administration of the school curriculum and timetable, monitoring pupil progress and educational needs, reporting on the same internally and to parents, administration of pupils’ entries to secondary school admissions examinations;
- The provision of educational support and related services to pupils (and parents) including the maintenance of discipline, administration of sports fixtures and teams, extracurricular and wraparound care, school trips, provision of the school’s IT and communications system, all in accordance with our IT policies;
- The safeguarding of pupils’ welfare and provision of pastoral care, welfare, health care services by school staff;
- Compliance with legislation and regulation including the preparation of information for inspections by the Independent Schools Inspectorate, submission of annual census information to each of the Independent Schools Council and Department for Education;
- Operational management including the compilation of pupil records, the administration of invoices, fees and accounts, the management of the school’s property, the management of security and safety arrangements (including the use of CCTV in accordance with our CCTV Policies and monitoring of the school’s IT and communications systems in accordance with our Acceptable Use Policy), management planning and forecasting, research and statistical analysis, the administration and implementation of the school’s rules and policies for pupils and staff;
- Staff administration including the recruitment of staff/ engagement of contractors (including compliance with DBS procedures), administration of payroll, pensions and sick leave, review and appraisal of staff performance, conduct of any grievance, capability or disciplinary procedures, the maintenance of appropriate human resources records for current and former staff, providing references; and
- The promotion of the school through its own websites, the prospectus and other publications and communications;
The processing set out above is carried out to fulfil our legal obligations (including those under our parent contract and staff employment contracts). We also expect these purposes to form our legitimate interests. We may share Personal Data with third parties where doing so complies with the GDPR. For example, we may share Personal Data:
- With relevant statutory agencies or authorities (e.g. for safeguarding reasons or in order to comply with our reporting obligations);
- Where necessary in connection with learning and extracurricular activities undertaken by pupils; When a reference or other information about a pupil or ex-pupil is requested by another educational establishment or employer to whom they have applied;
- We may make enquiries of pupils' previous schools for confirmation that all sums due and owing to such schools have been paid;
- We may also inform other schools or educational establishments to which pupils are to be transferred if any of our fees are unpaid;
- To enable pupils to take part in assessments and to track their progress;
- To obtain professional advice and insurance for the School; and/or
- Where otherwise required by law or where reasonably necessary for the operation of the School.
5. HOW LONG WE KEEP PERSONAL DATA
We retain personal data only for a legitimate and lawful reason and only for so long as necessary or required by law. We have adopted Records Retention Guidelines as set out in the school’s Data Retention Schedule. This sets out the time period for which different categories of data are kept. If you have any specific queries about our record retention periods, or wish to request that your personal data is considered for erasure, please contact the Data Protection Officer.
6. YOUR RIGHTS
You have various rights under Data Protection Law to access and understand the personal data we hold about you, and in some cases to ask for it to be erased or amended or for us to stop processing it, but subject to certain exemptions and limitations.
You always have the right to withdraw consent, where given, or otherwise object to receiving generic communications. Please be aware however that the school may have another lawful reason to process the personal data in question even without your consent. That reason will usually have been asserted under this Privacy Notice, or may exist under some form of contract or agreement with the individual (e.g. an employment or parent contract, or because of a purchase of goods or services).
If you would like to access or amend your personal data, or would like it to be transferred to another person or organisation, or have some other objection to how your personal data is used, please make your request in writing to the Data Protection Officer.
We will to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any confidential reference given by the school for the purposes of the education, training or employment of any individual.
7. PUPIL DATA
The rights under Data Protection legislation belong to the individual to whom the data relates. However, we will usually rely on parental consent to process personal data relating to pupils (if consent is required) unless, given the nature of the processing in question, and the pupil's age and understanding, it is more appropriate to rely on the pupil's consent.
8. CHANGE OF DETAILS
We try to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible. Please notify email@example.com of any significant changes to important information, such as contact details.
9. THIS POLICY
Our privacy notice should be read in conjunction with our other policies and terms and conditions which make reference to personal data, including our Parent Contract (Terms and Conditions), our Safeguarding Policy, Health & Safety Policies, Acceptable Use Policies and IT Policies. We will update this Privacy Notice from time to time. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable. If you believe that we have not complied with this policy or have acted otherwise than in accordance with Data Protection Law, you should notify the Business Manager or the Data Protection Officer. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with us before involving them.