Privacy Notice - General Data Protection Regulation (GDPR)
This Privacy Notice has been written to inform parents and students of Northallerton School & Sixth Form College about what we do with your personal information. This Notice may be subject to change as the Data Protection Bill progresses.
Who are we?
Northallerton School & Sixth Form College is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.
The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:
What information do we collect?
The categories of information that we collect, hold and share include the following:
- Personal information of pupils and their family members e.g. name, pupil number, DOB and address
- Educational attainment
- Free school meal eligibility
- Attendance information
- Assessment information
- Behavioural information
- Safeguarding information
We will also process certain ‘special category’ data about our pupils including
- Relevant medical information- please note that where the pupil has a severe allergy or is thought to be at risk of needing emergency care for a medical issue then this will be shared with all the staff. We may do this in the form of photo identification in the staff room to ensure that all staff are aware of the issues should an emergency situation arise
- Special Educational Needs and Disabilities information
- Race, ethnicity and religion
- Biometric data e.g. thumbprints
Why do we collect your personal data?
We use the information we collect:
to support pupil learning
- to monitor and report on pupil progress
- to provide appropriate pastoral care
- to assess the quality of our services
Any personal data that we process about our pupils and parents is done so in accordance with Article 6 and Article 9 of GDPR:
Our legal basis for processing your personal data, in line with Article 6(1)(c) include:
- Education Act 1944,1996, 2002
- Education and Adoption Act 2016
- Education (Information About Individual Pupils)(England) Regulations 2013
- Education (Pupil Information) (England) Regulations 2005
- Education and Skills Act 2008
- Children Act 1989, 2004
- Children and Families Act 2014
- Equality Act 2010
- Education (Special Educational Needs) Regulations 2001
We also process information in accordance with Article 6(e) and Article 9(2) (g) as part of the official authority vested in us as Data Controller and for reasons of substantial public interest. Such processing, which is not mandatory but is considered to be in our pupils’ interests, include:
- School trips
- Extra-curricular activities
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. When we do process this additional information we will ensure that we ask for your consent to process this.
Who do we obtain your information from?
Much of the information we process will be obtained directly from you (pupils and parents). We will also process information received from:
- Department for Education (DfE)
- Local Education Authority (North Yorkshire County Council)
- Previous schools attended
Who do we share your personal data with?
We routinely share pupil information with:
- schools that the pupils attend after leaving us
- our Local Education Authority (North Yorkshire County Council)
the Department for Education (DfE)
National Health Service bodies
For more information on information sharing with the DfE (including the National Pupil Database and Census) please go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information
We will not share any information about you outside the school without your consent unless we have a lawful basis for doing so.
Once our pupils reach the age of 13, we also pass information to our Local Authority and/or provider of youth support services as stipulated under section 507B of the Education Act 1996. The information provided includes addresses, DOB of pupil/parents, and any other information necessary for the provision of the service including gender or ethnicity.
A parent or guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child/pupil once he/she reaches the age 16.
For more information regarding services for young people please visit our Local Authority‘s website, www.northyorks.gov.uk
How long do we keep your personal data for?
Northallerton School & Sixth Form College will keep your data in line with our Information Policy. Most of the information we process about you will be retained as determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.
What rights do you have over your data?
Under GDPR parents and pupils have the following rights in relation to the processing of their personal data:
- to be informed about how we process your personal data. This notice fulfils this obligation
- to request access to your personal data that we hold, and be provided with a copy of it
- to request that your personal data is amended if inaccurate or incomplete
- to request that your personal data is erased where there is no compelling reason for its continued processing
- to request that the processing of your personal data is restricted
- to object to your personal data being processed
If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.
If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting: