Privacy and Data Policy

Privacy Notice and Annexes

The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to those whose data is held by an organisation (data subjects). These are more detailed and specific than in the DPA and place an emphasis on making privacy notices understandable and accessible. Data controllers are expected to take ‘appropriate measures’ to ensure that this is the case.

The school interprets this as using very clear language to outline each of the responsibilities for each of the data subject groups.

The GDPR says that the information provided to data subjects about how the school processes their personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

These requirements are about ensuring that privacy information is clear and understandable for data subjects. This privacy notice deals with the overall privacy responsibilities of the school but includes, as annexes, the particular notices that apply to parents, pupils under the age of 13, staff, Governors and alumni. The appropriate annex should be read by the appropriate data subject along with the overarching notice.

Each annex deals with two sources of data: that obtained directly from the subject, and data not obtained directly from the subject. For both sources, the identity and contact details of the data handler (and where applicable, the handler’s representative) and the data protection officer are provided.

Further information can be found in the school’s Data Protection Policy.

ANNEX A

Privacy Notice Spring Grove School – parents (or guardians) of children at the school, or applying to join the school

This annex should be read in conjunction with the introductory paragraphs in the covering document.

This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

Data will be processed for the purposes of responding to requests for information about joining the school and the school will therefore have a “legitimate interest” for processing basic personal data and sensitive personal data. The data the school holds will be the minimum it requires to form and maintain the contract between you and the school.

The school will share your data with a number of organisations who have contracts with the school, including:

  • IT/Educational service providers
  • Accountancy providers
  • Local multi-agency forums which provide SEND advice, support and guidance (such as Local Inclusion Forum Team (LIFT))
  • Kent County Council
  • Schools in our local collaboration, to enable the moderation of pupil attainment
  • Schools that the children attend after leaving Spring Grove School
  • The ISI

We ensure that the companies we share data with equal the school’s precautions and systems for dealing with data.

It is not necessary for data to be shared with other countries. The exceptions to this will be:

  • International trips that the school organises: should this be required, you will be contacted for your consent. The consent will be limited in time and content.
  • Google for Education (Google for Education Privacy Notice)

The retention period for pupil data will be until the pupil reaches the age of 25, and/or be modified by any other legal obligation the school finds itself under.

You have the right to withdraw your consent to data processing at any time; however, this will only apply to certain groups of data for which you have given particular consent.

You can complain at any time about how the school has handled your data. The Information Commissioner is available as follows: ICO helpline: 0303 123 1113. A template letter, should you need it, is appended to this notice.

We will obtain the data the school requires from you. Should we need data from other sources we will contact you within a month.

We see the provision of personal data as necessary to properly admit your child to the school and to administer, and for the school to fulfil its obligations under, the contract once your child is a pupil here.

There is no automated decision making or profiling involved in this data stream into and through the school. Spring Grove School’s Cookies Policy.

ANNEX B

Privacy Notice Spring Grove School – Governors of the school

This annex should be read in conjunction with the introductory paragraphs in the covering document.

This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

Data will be processed for the purposes of responding to requests for information about joining the Board of the school and the school will therefore have a “legitimate interest” for processing basic personal data and, if necessary, sensitive personal data. The data the school holds will be the minimum it requires.

The school will share your data with organisations we have contracts with, or where there is a legal obligation to do so, including:

  • Charity Commission
  • Companies House
  • Accountancy Services
  • ISI
  • AGBIS
  • IT/Educational service providers
  • Safer recruitment service providers (eg DBS)

It is not necessary for data to be shared with other countries. The exception to this will be Google (Google for Education Privacy Notice).

Data on Governors will be retained for 25 years.

You have the right to withdraw your consent to data processing at any time; however, this will only apply to certain groups of data for which you have given particular consent.

You can complain at any time about how the school has handled your data. The Information Commissioner is available as follows: ICO helpline: 0303 123 1113. A template letter, should you need it, is appended to this notice.

We will obtain the data the school requires from you. Should we need data from other sources we will contact you first.

We see the provision of personal data as necessary to safeguard you and the school as it will allow the necessary checks to be made.

There is no automated decision making or profiling involved in this data stream into and through the school.

ANNEX C

Privacy Notice Spring Grove School – Alumni

This annex should be read in conjunction with the introductory paragraphs in the covering document.

Routine contact with alumni will be by post. Email will only be used as a method for alumni administration; if individual consent has been granted for further contact via email then the individual alumni may also be contacted in this way.

This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

Should you give consent, data will be processed for the purposes of maintaining an accurate record of those who were educated at Spring Grove School. The school will process only the minimum personal data to achieve this purpose.

The school will not share your data with any companies associated with the school.

It is not necessary for data to be shared with other countries. The exception to this will be Google (Google for Education Privacy Notice).

The retention period for alumni data will be unlimited as long as the school believes it has a relationship to serve with the alum.

You have the right to withdraw your consent to data processing at any time; however, this will only apply to certain groups of data for which you have given particular consent.

You can complain at any time about how the school has handled your data. The Information Commissioner is available as follows: ICO helpline: 0303 123 1113. A template letter, should you need it, is appended to this notice.

We will obtain the data the school requires from you. Should we need data from other sources we will contact you first.

ANNEX D

Privacy Notice Spring Grove School – employees of the school, or applying to join the school

This annex should be read in conjunction with the introductory paragraphs in the covering document.

This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

Data will be processed for the purposes of responding to requests for information about joining the school and the school will therefore have a “legitimate interest” for processing basic personal data and sensitive personal data. The data the school holds will be the minimum it requires to form and maintain the contract between you and the school.

The school will share your data with some organisations who have contracts with the school. These are:

  • Accountancy service providers
  • HMRC
  • IT/Educational service providers
  • Pension providers
  • Safer recruitment service providers (eg DBS)

We ensure that the companies we share data with equal the school’s precautions and systems for dealing with data.

It is not necessary for data to be shared with other countries. The exceptions to this will be:

  • International trips that the school organises: should this be required, you will be contacted for your consent. The consent will be limited in time and content.
  • Google for Education (Google for Education Privacy Notice)
  • IT service providers

All details in regard to retention periods for employee data can be found within our Record Keeping Policy, and/or be modified by any other legal obligation the school finds itself under.

You have the right to withdraw your consent to data processing at any time; however, this will only apply to certain groups of data for which you have given particular consent.

You can complain at any time about how the school has handled your data. The Information Commissioner is available as follows: ICO helpline: 0303 123 1113. A template letter, should you need it, is appended to this notice.

We will obtain the data the school requires from you. Should we need data from other sources, we will contact you within a month.

We see the provision of personal data as necessary to properly employ you at the school and to administer, and for the school to fulfil its obligations under, the contract once you are an employee here.

There is no automated decision making or profiling involved in this data stream into and through the school.

For more information, please refer to the detailed Staff Privacy Notice.

DATA PROTECTION POLICY

Background

Data protection is an important legal compliance issue for Spring Grove School. During the course of the School’s activities it collects, stores and processes personal data (sometimes sensitive in nature) about staff, pupils, their parents, suppliers and other third parties (in a manner more fully detailed in the School’s Privacy Notice). It is therefore an area where all staff have a part to play in ensuring we comply with and are mindful of our legal obligations, whether that personal data is sensitive or routine.

The current law (the Data Protection Act 1998) changed on 25 May 2018 with the implementation of the General Data Protection Regulation (GDPR). This is an EU Regulation that is directly effective in the UK and throughout the rest of Europe. A new Data Protection Act 2018 has also been passed to deal with certain issues left for national law: this includes specific provisions of relevance to independent schools. In particular, in the context of our safeguarding obligations, the School has a heightened duty to ensure that the personal data of pupils is at all times handled responsibly and securely.

While this new law does set out useful legal grounds in this area, in most ways this new law is strengthening the rights of individuals and placing tougher compliance obligations on organisations including schools that handle personal information. The Information Commissioner’s Office (ICO) is responsible for enforcing data protection law and has powers to take action for breaches of the law.

Those who are involved in the processing of personal data are obliged to comply with this policy when doing so. Accidental breaches will happen and may not be a disciplinary issue, but any breach of this policy may result in disciplinary action. This policy may be amended at any time, but any significant changes will be communicated by the School.

This policy sets out the School’s expectations and procedures with respect to processing any personal data we collect from data subjects (e.g. parents, pupils, employees).

Key data protection terms used in this data protection policy are:

  • Data controller – an organisation that determines the purpose and means of the processing of personal data. For example, the School is the controller of pupils’ personal information. As a data controller, we are responsible for safeguarding the use of personal data.
  • Data processor – an organisation that processes personal data on behalf of a data controller, for example a payroll provider or other supplier of services.
  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Personal information (or personal data) – any information relating to a living individual (a data subject), including name, identification number, location or online identifier such as an email address. Note that personal information created in the ordinary course of work duties (such as in emails, notes of calls, and minutes of meetings) is still personal data and regulated by data protection laws, including the GDPR. Note also that it includes expressions of opinion about the individual or any indication of someone’s intentions towards that individual.
  • Processing – virtually anything done with personal information, including obtaining or collecting it, structuring it, analysing it, storing it, sharing it internally or with third parties (including making it available to be viewed electronically or otherwise), altering it or deleting it.
  • Special categories of personal data – data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical conditions, sex life or sexual orientation, genetic or biometric data used to identify an individual. There are also separate rules for the processing of personal data relating to criminal convictions and offences.

1. Data Protection Officer

The School has appointed Graham Wethered as the Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the principles of the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO (dpo@springgroveschool.co.uk).

2. The Principles

The GDPR sets out six principles relating to the processing of personal data which must be adhered to by data controllers (and data processors). These require that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner;
  2. Collected for specific and explicit purposes and only for the purposes it was collected for;
  3. Relevant and limited to what is necessary for the purposes it is processed;
  4. Accurate and kept up to date;
  5. Kept for no longer than is necessary for the purposes for which it is processed; and
  6. Processed in a manner that ensures appropriate security of the personal data.

The GDPR’s ‘accountability’ principle also requires that the School not only processes personal data in a fair and legal manner but that we are also able to demonstrate that our processing is lawful. This involves, among other things:

  • keeping records of our data processing activities, including by way of logs and policies;
  • documenting significant decisions and assessments about how we use personal data, via a privacy impact assessment; and
  • generally having an ‘audit trail’ vis-à-vis data protection and privacy matters, including for example when and how our Privacy Notice(s) were updated, how and when data protection consents were collected from individuals, how breaches were dealt with, etc.

3. Lawful grounds for data processing

Under the GDPR there are several different lawful grounds for processing personal data. One of these is consent. However, because the definition of what constitutes consent has been tightened under GDPR (and the fact that it can be withdrawn by the data subject) it is generally considered preferable to rely on another lawful ground where possible.

One of these alternative grounds is ‘legitimate interests’, which is the most flexible basis for processing. However, it does require transparency and a balancing assessment between the rights of the individual and the interests of the Controller. It can be challenged by data subjects and also means the Controller is taking on extra responsibility for considering and protecting people’s rights and interests. The School’s legitimate interests are set out in its Privacy Notice, as GDPR requires.

Other lawful grounds include:

  • compliance with a legal obligation, including in connection with employment and diversity;
  • contractual necessity, e.g. to perform a contract with staff or parents;
  • a narrower set of grounds for processing special categories of personal data (such as health information), which includes explicit consent, emergencies, and specific public interest grounds.

4. Headline responsibilities of all staff

Record-keeping

It is important that personal data held by the School is accurate, fair and adequate. You are required to inform the School if you believe that your personal data is inaccurate or untrue or if you are dissatisfied with the information in any way. Similarly, it is vital that the way you record the personal data of others – in particular colleagues, pupils and their parents – is accurate, professional and appropriate.

Staff should be aware of the rights set out below, whereby any individuals about whom they record information in emails and notes on School business may have the right to see that information. This absolutely must not discourage staff from recording necessary and sometimes difficult records of incidents or conversations involving colleagues or pupils, in accordance with the School’s other policies, and grounds may sometimes exist to withhold these from such requests. However, the starting position is to record every document or email in such a way that you would be able to stand by it if the person about whom it was recorded were to see it.

Data handling

All staff have a responsibility to handle the personal data which they come into contact with fairly, lawfully, responsibly and securely and in accordance with the Staff Handbook and all relevant School policies and procedures. In particular, there are data protection implications across a number of areas of the School’s wider responsibilities such as safeguarding and IT security, so all staff should read and comply with the following policies:

  • CCTV Policy
  • Child Protection Policy
  • ICT Code of Safe Practice
  • Taking, Storing & Using Images of Children Policy

Responsible processing also extends to the creation and generation of new personal data / records, as above, which should always be done fairly, lawfully, responsibly and securely.

Avoiding, mitigating and reporting data breaches

One of the key new obligations contained in the GDPR is on reporting personal data breaches. Data controllers must report certain types of personal data breach (those which risk an impact to individuals) to the ICO within 72 hours.

In addition, data controllers must notify individuals affected if the breach is likely to result in a “high risk” to their rights and freedoms. In any event, the School must keep a record of any personal data breaches, regardless of whether we need to notify the ICO. If you become aware of a personal data breach you must notify the DPO (dpo@springgroveschool.co.uk). If you are in any doubt as to whether or not you should report something, it is always best to do so. A personal data breach may be serious, or it may be minor, and it may involve fault or not, but the School always needs to know about them to make a decision.

As stated above, the School may not need to treat the incident itself as a disciplinary matter – but a failure to report could result in significant exposure for the School, and for those affected, and could be a serious disciplinary matter whether under this Policy or the staff member’s contract.

Care and data security

More generally, we require all School staff to remain conscious of the data protection principles (see section 3 above), to attend any training we require them to, and to use their best efforts to comply with those principles whenever they process personal information. Data security is not simply an online or digital issue but one that affects daily processes: filing and sending correspondence, notably hard copy documents. Staff should always consider what the most assured and secure means of delivery is, and what the consequences would be of loss or unauthorised access.

We expect all those with management / leadership responsibilities to be particular champions of these principles and to oversee the swift reporting of any concerns about how personal information is used by the School to the DPO (dpo@springgroveschool.co.uk), and to identify the need for (and implement) regular staff training.

5. Rights of Individuals

In addition to the School’s responsibilities when processing personal data, individuals have certain specific rights, perhaps most significantly that of access to their personal data held by a data controller (i.e. the School). This is known as the ‘subject access right’ (or the right to make ‘subject access requests’). Such a request must be dealt with promptly and does not need any formality, nor to refer to the correct legislation. If you become aware of a subject access request (or indeed any communication from an individual about their personal data), you must tell the DPO (dpo@springgroveschool.co.uk) as soon as possible.

Individuals also have legal rights to:

  • require us to correct the personal data we hold about them if it is inaccurate;
  • request that we erase their personal data (in certain circumstances);
  • request that we restrict our data processing activities (in certain circumstances);
  • receive from us the personal data we hold about them for the purpose of transmitting it in a commonly used format to another data controller;
  • object, on grounds relating to their particular situation, to any of our particular processing activities where the individual feels this has a disproportionate impact on them; and
  • object to automated individual decision-making, including profiling (where a significant decision is made about the individual without human intervention), and to direct marketing, or to withdraw their consent where we are relying on it for processing their personal data.

Except for the final bullet point, none of these rights for individuals are unqualified and exceptions may well apply. In any event, however, if you receive a request from an individual who is purporting to exercise one or more of their data protection rights, you must tell the DPO (dpo@springgroveschool.co.uk) as soon as possible.

6. Data Security: online and digital

The School must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. As such, no member of staff is permitted to remove personal data from School premises, whether in paper or electronic form and wherever stored, without prior consent of the Headmaster or Bursar. Use of personal email accounts for official School business is not permitted.

Summary

It is in everyone’s interests to get data protection right and to think carefully about data protection issues: this means handling all personal information with which you come into contact fairly, lawfully, securely and responsibly.

A good rule of thumb here is to ask yourself questions such as:

  • Would I be happy if my own personal information were being used (for example, shared with a third party) in the way I am proposing? Would I expect it?
  • Would I wish to stand by how I have recorded this information in an email or official record if the person concerned was able to see it?
  • What would be the consequences of my losing or misdirecting this personal data?

Data protection law is therefore best seen not as oppressive red tape, or a reason not to do something necessary or important, but a code of useful and sensible checks and balances to improve how to handle and record personal information and manage our relationships with people. This is an important part of the School’s culture and all its staff and representatives need to be mindful of it.