2. PRIVACY NOTICE FOR PUPILS

How we use pupil information;

We, Norbury Hall Primary School, are a data controller for the purpose of the General Data Protection Regulation. We collect information from you and may receive information about you from your previous school, local authority and/or the Department for Education.

We collect your information to;

• to support pupil learning and the delivery of education
• to monitor and report on pupil progress
• to provide appropriate pastoral care
• to assess the quality of our services
• to comply with the law regarding data sharing
• to comply with our statutory obligations

The categories of pupil information that we collect, hold and share include;

• Personal information such as;
• Name, date of birth, gender, image, class details, admission data, unique pupil number, address, family contact details, GP contact details, dietary requirements, school history, attendance, behaviour log
• Special categories of information such as;
• Ethnicity, nationality, religion, country of birth, free school meal eligibility, medical needs, assessment, data, Special Educational Needs and Disability status

We share pupil data with a number of services in order to provide appropriate support for our pupils. This will include Local Authority educational services including specialist inclusion, support and access services as well as health services like School Nursing.

The lawful basis on which we use this information;

Legal obligation;

We are required to use pupil data when undertaking our legal obligations and to comply with our statutory functions.

The following information is processed as a result of the schools legal obligation;

• Pupil Name, Date of Birth, Gender, Image, Class details, Admission Date, ULN, UPN, Address, Family Members, Family Contact Details, GP Contact Details, Dietary Requirements, Ethnicity, Nationality, Religion, FSM, School History, Attendance, Medical Needs, Assessment Data, Behaviour Log, SEN Status.

Consent;

The consent of parents may be relied upon to process some forms of pupil data.

We will request consent in the following circumstances;

• To allow us to process the personal and sensitive information for school visits (Name, DOB, Contact Telephone Number, Medical Requirements)
• When taking photographs of pupils to be used on the school website / used within the school environment
• When taking photographs by the school photographer .
• To share information with the Team Around the School (TAS)
• To share information with the Team Around the Child (TAC)

Where the legal reason for processing your personal information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of our processing prior to your withdrawal. Please contact Norbury Hall  Primary School should you wish to withdraw your consent for any of the above activities.

Collecting pupil information;

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.

Storing pupil data;

We hold all pupil data in line with the agreed retention schedule.

Who we share pupil information with;

We routinely share pupil information with:

• schools that the pupil’s attend after leaving us
• our local authority, Stockport Metropolitan Borough Council
• the Department for Education (DfE)
• School Nurses

We will not give information about you to anyone outside this establishment without your consent unless the law permits it. We are required by law to pass some of your information to the Local Authority for monitoring, tracking and provision of appropriate services, and to the Department for Education.

These organisations are then required to share some of this information with trusted partners including NHS Trusts and other Local Authorities in the case of admissions. Appropriate data will be used by certain Local Authority services to provide the best support possibly to children and young people.

Why we share pupil information;

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Data collection requirements;

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools. 

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

• conducting research or analysis
• producing statistics
• providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested: and
• the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received

To contact DfE: https://www.gov.uk/contact-dfe

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, please contact school by emailing office@norburyhall.stockport.sch.uk to make a request or alternatively you can view our Data Subject Rights Policy via our website.

You also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Contact

If you would like to discuss anything in this privacy notice, please contact:

Admin at Norbury Hall Primary School, Shepley Drive, Hazel Grove, Stockport SK7 6LE

3. How we use looked after children’s and safeguarding information

 

We collect your information to

 

• Support these children and monitor their progress
• Provide them with pastoral care
• Assess the quality of our services
• Evaluate and improve our policies on children’s social care
• Monitor welfare and progress of LAC pupils
• To safeguard our students

The categories of this information that we collect, process, hold and share include

 

• Personal information such as;

• Data of birth, address, contact information

• Special categories of information such as;

• Notes of concern, attendance data, information relating to a child in need (such as referral information, assessment information, Section 47 information, Initial Child Protection information and Child Protection Plan information, outcomes for looked after children (such as whether health and dental assessments are up to date, strengths and difficulties questionnaire scores and offending), adoptions (such as dates of key court orders and decisions), care leavers (such as their activity and what type of accommodation they have), Education Health Care Plans.

 

The lawful basis on which we use this information

Legal obligation

We are required to process pupil data when undertaking our legal obligations and to comply with our statutory functions. We are either legally required to have this information or alternatively we process the information via our legal obligation as there is a high risk to our pupils.

We follow statutory guidance on;

• Keeping children safe in education 2018 https://www.gov.uk/government/publications/keeping-children-safe-in-education–2
• Working together to safeguard children 2015 https://www.gov.uk/government/publications/working-together-to-safeguard-children–2

Collecting this information

Whilst the majority of looked after children and safeguarding information we process is mandatory, some of it may be provided to us on a voluntary basis. In order to comply with the data protection legislation, we will inform you whether you are required to provide certain information to us or if you have a choice in this.

This information is obtained by the school from both the admissions forms, the relevant local authorities and safeguarding leads and relevant notes of concern.

The information will be handled internally by the safeguarding leads, office staff and the Headteacher.

Storing this information

We hold data securely for the set amount of time shown in our data retention schedule. 

 

Who we share this information with

We routinely share this information with:

• the Department for Education (DfE)
• the local authority (Stockport Metropolitan Borough Council)
• other local authorities where necessary

• other schools or education settings

• Health specialists including the school nurse, safeguarding and Looked After Children nurse

 

Why we share this information

We share children in need and looked after children data with the Stockport Metropolitan Borough Council and other placing Authorities. This is for the purpose of the children accessing the correct services and support, for example, Children’s Social Care, Special Educational Needs support services and School Health. This information is shared in line with our statutory duties.

 

We do not share information about our children in need or looked after children with anyone without consent unless the law and our policies allow us to do so.

Department for Education (DfE) – We share children in need and looked after children data with the Department on a statutory basis, under Section 83 of 1989 Children’s Act, Section 7 of the Young People’s Act 2008 and also under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

This data sharing helps to develop national policies, manage local authority performance, administer and allocate funding and identify and encourage good practice.

All data is transferred securely and held by DfE under a combination of software and hardware controls which meet the current government security policy framework.

 

For more information, please see ‘How Government uses your data’ section.

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about children in England. It provides invaluable information on the background and circumstances on a child’s journey and evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our children to the DfE as part of statutory data collections. Some of this information is then stored in the national pupil database (NPD). The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.

The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

• conducting research or analysis
• producing statistics
• providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested: and
• the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received

To contact DfE: https://www.gov.uk/contact-dfe

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, please contact office@norburyhall.stockport.sch.uk to make a request or alternatively you can view our Data Subject Rights Policy via our website.

You also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Contact

If you would like to discuss anything in this privacy notice, please contact:

Admin at Norbury Hall Primary School, Shepley Drive, Hazel Grove, Stockport.SK7 6LE

4. How we use workforce information

We collect your information to;

• Enable individuals to be paid
• Enable the development of a comprehensive picture of the workforce and how it is deployed
• Inform the development of recruitment and retention policies
• Safeguard individuals
• Performance management
• Produce the single central record

 

The categories of school information that we process include

• Personal information such as;
• Name, data of birth, address, employee and teacher number, national insurance number, contract information, hours worked, post, role, salary, qualifications, subjects taught, when and where, photograph, pension details, bank details, marital status, HMRC declarations, employee benefits, performance management, absence data
• Special categories of information such as;
• Ethnicity, nationality, health data, occupational health referrals, DBS details, correspondence relating to sickness absence

 

Why we collect and use workforce information

Under the General Data Protection Regulation (GDPR), the legal basis for processing personal information for general purposes are:

 

 

Necessary for the performance of a contract – Name, data of birth, address, National Insurance, HMRC declarations, subjects taught references photograph bank details employee benefits performance management, absence data and correspondence relating to sickness absence

Necessary to comply with our legal obligation – Teacher number NI, HMRC declarations, references employee benefits DBS details, health data, pension details, marital status

 

Consent – The consent of employees may be relied upon to process some forms of data.

We will request consent in the following circumstances:

 

• Occupational health referral
• Ethnicity/Nationality

• Health data

Collecting workforce information

 

We collect personal information via the individual staff members/Governors, Local Authority, HR services, previous employers, and DBS department.

Workforce data is essential for the school’s / local authority’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this.

Storing workforce information

We hold data securely for the set amount of time shown in our data retention schedule, in this circumstance the information will be held for the duration of the employment and for six years after the employment termination date.

For more information on our data retention schedule and how we keep your data safe, please visit

 

All personal data is held on SIMS, within the staffing folder on the secure admin network, in a locked filing cabinet with the school office in the school archive and within the school Single Central Record document, access to which is password protected. 

 

Who we share workforce information with

We routinely share this information with:

• our local authority (Stockport Metropolitan Borough Council – SMBC)
• the Department for Education (DfE)

 

Why we share school workforce information

We do not share information about our workforce members with anyone without consent unless the law and our policies allow us to do so.

 

Local authority

We are required to share information about our workforce members with our local authority (SMBC) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.

The Council commit to only using the data for the purposes which correspond with their statutory duties and will not pass this information onto any third parties without specific agreement.

Data will be transferred electronically by an agreed appropriate secure data transfer mechanism, complying with data security under the General Data Protection Regulation, such as encrypted files via the internet, SIMS or the DfE COLLECT system, where appropriate. Information is primarily shared with the Local Authority via secure email, uploaded onto Office Online or via Royal Mail.

Department for Education

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our children and young people with the Department for Education (DfE) for the purpose of those data collections.

 

We are required to share information about our school employees with the Department for Education (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.

All data is transferred securely and held by DfE under a combination of software and hardware controls which meet the current government security policy framework.

 

Information is securely shared via the DFE Secure access website, Office on Line, (Stockport Local Authority Secure access Website) and Stockport Authority Occupation Health Secure Portal

 

 

How Government uses your data

 

The workforce data that we lawfully share with the DfE through data collections:

• informs departmental policy on pay and the monitoring of the effectiveness and diversity of the school workforce
• links to school funding and expenditure
• supports ‘longer term’ research and monitoring of educational policy

Data collection requirements

Sharing by the Department

The Department may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by:

• conducting research or analysis
• producing statistics
• providing information, advice or guidance

The Department has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether DfE releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of:

• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested; and
• the arrangements in place to securely store and handle the data

To be granted access to school workforce information, organisations must comply with its strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

To contact the department: https://www.gov.uk/contact-dfe

Requesting access to your personal data

 

Under data protection legislation, you have the right to request access to information about you that we hold.To make a request for your personal information please contact office@norburyhall.stockport.sch.uk  to make a request or alternatively you can view our Data Subject Rights Policy via our website.

You also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Contact

If you would like to discuss anything in this privacy notice, please contact:

Admin at Norbury Hall, Shepley Drive, Hazel Grove, Stockport.SK7 6LE

5. Privacy Notice for visitors

How we use visitors data;

We, Norbury Hall Primary School are a data controller for the purpose of the General Data Protection Regulation. We do not receive any visitor data from third parties, all information is received from the individuals upon their arrival at the school.

If you are visiting the school, you will be required to sign in at reception and show some ID to reception staff if you are not known to them.

We collect your information to;

• safeguard all children and staff both during and outside of school hours when they are on our site
• ensure that all children and staff learn and work in an environment where they are safe and free from harm
• issue visitor passes
• keep a log of visitors in the building

The categories of visitor data we collect include;

• Personal information such as;
• Name, organisation, vehicle registration, DBS information, purpose for visit

The lawful basis on which we use this information;

Public Task;

We are required to process visitor data in order to comply with our public task, namely to ensure that the security of our pupils, staff, visitors, buildings and their contents are maintained at all times.

The following information is processed as a result of the schools public task;

• Name, organisation, image, vehicle registration, DBS information

Storing visitor data;

We hold all personal data in line with the agreed retention schedule.

Who we share visitor data with;

We do not routinely share this information with any external organisations or third parties.

There may be circumstances in which we may lawfully share your data with third parties where, for example, we are required to do so by law, by court order, or to prevent fraud or other crimes. Where we share data, however, we shall do so in accordance with applicable data protection laws.

We will not give information about you to anyone outside this establishment without your consent unless the law permits it.

Requesting access to your personal data

Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, please contact the school office to make a request or alternatively you can view our Data Subject Rights Policy via our website.

You also have the right to:

• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Contact

If you would like to discuss anything in this privacy notice, please contact:

Admin at Norbury Hall Primary School. Shepley Drive, Hazel Grove, Stockport.SK7 6LE

6. Consent-Policy

CHANGE HISTORY:
Author / Editor: Becky Swan    |   Details of Change: New Document
Date: 25.06.2018    |    Version: 0.1

How to obtain and record consent

Contents

1.   Overview of consent

Definition Key themes

2.When should consent be obtained?

3. Best practice when obtaining consent

How to obtain consent Practical examples

4. How to record consent

Recording consent Managing consent

5. Obtaining consent for the use of images General

Staff images

Children’s images

6. Consent from children

7. Lacking capacity to consent

8. Importance of gaining consent

9. Consent – Flow chart

1. Overview of consent

Definition of consent – “any freely given, specific, informed and unambiguous indication of the datasubjects wishes by which he or she, by statement or by clear affirmative action, signifies agreement to theprocessing of personal data relating to him or her”

Key themes

• Consent is offering individuals genuine choice and control
• It must be demonstrable
• Presented in a way which is clearly distinguishable from other information
• Easily accessible and understandable
• Written or explained in clear and plain language
• Clearly explain to the data subject who the data controller will be
• Name any third parties who will rely on the consent
• Clearly explain the purpose for processing the personal data
• Freely given by the data subject
• Must be as easy to withdraw consent as it was to give
• Must not rely on inactivity, silence or pre-ticked boxes
• Consent cannot be relied upon where there is a clear imbalance between the data subject and datacontroller
• Keep evidence of consent, who, when, how and what individuals were told

2. When should consent be obtained?

Understanding when to obtain consent can be complicated. Many people mistakenly believe schools mustalways obtain consent prior to processing personal data.

This is not true, consent is only one of the GDPR’s six conditions for processing, and it is recommended thatconsent is used where none of the other conditions apply.   A lack of consent would not constitute a breachproviding another condition can be met. As a reminder below is a list of alternative GDPR conditions underArticle 6;

• Necessary for contract
• Necessary for a legal obligation
• Vital interests
• Necessary for official authority / task carried out in the public interest
• Necessary for legitimate interest

Consent is not the easy option under GDPR, you may wish to rely on another legal condition if possible.

If the processing of personal data is “needed” consent should not be relied upon, as it would not beconsidered to be freely given. Where the subject has no genuine choice, consent would not be consideredvalid.

If consent is requested and then declined, another condition cannot then be used. Please ensure there is nota more suitable option from the above list before pursuing the consent route.

It must be clarified that informing individuals how their personal data will be handled via a privacy noticedoes not constitute asking for their permission.

Schools can rely on consent where there is no imbalance of power and the parent, pupil or staff member hasa genuine choice to consent to the processing of their personal data. In order to build trust and engagement,consent would be considered appropriate here.

It may be worth looking back retrospectively at where consent has been sought and ensure this wasgathered in line with the more recent GDPR provisions.

3. Best practice when obtaining consent

Unambiguous – we must ensure that the parents, pupils and staff members can easily understand whatthey are signing up for. When collecting the information there should be no doubt about the intentions.Schools must aim to use simplistic language and avoid using double negatives.   For example, “I would like toreceive emails from…”, or “please sign me up for email communications”.

Statement or clear affirmative action – it is possible for parents, pupils and staff to show theirconsent with an action, as well as make a statement when giving their consent. There must be an active optin as opposed to a pre-ticked box or consent by default and the options given to the service users must begiven equal importance.

Freely given – there must not be an imbalance between the data subject and data controller, forexample in an employee/employer situation. Parents, pupils and employees must have a genuine freechoice to consent.   They must not be misled, intimidated or negatively impacted by withholding theirconsent. For example, “if you do not give your consent to the use of images your child cannot take part in the School production” – this would not be complaint consent.

Specific – you must ensure that the information given, when requesting consent, covers all processingactivities. It can be hard where there are multiple processing activities taking place. One “catch all” styleconsent document will not be specific enough.

Informed – a lack of clarity is a lack of valid consent. Parents, pupils and staff must be informed of theidentity of the data controller and how/why their data will be processed. They should also be informedimmediately how to withdraw consent. It should be as easy to withdraw as it were to give consent ideally via the same method. For example if consent were given online to receive marketing information, a sentenceunderneath advising “if you wish to stop receiving communications please follow this link”.

To ensure parents, pupils and staff are thoroughly informed any information relating to consent must not behidden within pages of terms and conditions, they must be separated and presented in a way which is clearlydistinguishable.

Granular – when requesting parents, pupils and staff consent to a number of different processing activities,you will need to ensure you offer them to option to consent to each activity individually. Service users maywish to consent to some areas and not to others.

Examples of lawful consent

The following list give practical examples of how service areas may seek to gain valid consent from parents, pupils and staff;

• Signing a consent statement in paper form
• Clicking an opt in button or link online
• Selecting from equally prominent yes/no options
• Responding to an email requesting consent
• Answering yes to a clear oral consent request
• Volunteering information for a specific purpose

However, there are some activities laid out by the ICO which should be avoided when gathering consent suchas;

• Avoid using opt out boxes
• If you are seeking consent for a number of processing activities avoid using a catch all consentoption – each type of processing should have its own individual opt in box
• Adopt a user-friendly method of obtaining If for example a service user does not use theinternet they must have an alternative option to consent/withdraw
• Do not force parents, pupils and staff to create online accounts and log in, in order to give theirconsent / withdraw consent

The ICO will consider that the quality of consent is not sufficient if it has in any way been retrieved due toinaction, via a pre-ticked box, opt out box or any other method which is deemed to have taken advantage.

4. How to record consent

Recording consent

When ensuring consent is valid under GDPR the evidence needs to be recorded to demonstrate it wasappropriately obtained. This includes making a note of the following criteria;

• Details of the parent, pupil or staff member who has consented
• When they consented
• How they consented
• The school details
• Any third parties who will rely on the consent
• Exact details of the information you provided to the individual at the time
• How to withdraw consent
• If it was passed on, when and how
• The records must be specific enough to demonstrate exactly what information the consent related to,to avoid any confusion and ensure accurate audit

Managing consent

Once we are satisfied we have recorded the correct information we then need to continue to monitor theinformation in the following way;

• Regularly review to check the processing and purpose have not changed – it may be possible thatover time the purpose of your activity evolves and the original purpose for which consent wassought is no longer In which case you would be acting outside of the data subjectsconsent and this would constitute a breach of the GDPR.
• Set reminders to refresh consent at appropriate intervals
• Act on withdrawals of consent as soon as If for example the consent relates to marketingcommunications, we must ensure the personal data is removed from both the mailing list andremoved from the list of recorded consent to prevent any future issues occurring.
• Build regular consent reviews into business processes 13

5. Obtaining consent for the use of images

Consent must be sought if you are using images of people, as images still constitute personal data.However, a person must be clearly recognisable within the image –consent may not be needed where anindividual is out of focus or has their back to the camera. This would need considering on a case by casebasis.

Names should not accompany images for promotional literature. There are certain circumstances where namesor other identifiable information can accompany images for example where there has been a competitionwinner.

Staff members consent would not be needed to store their photos for security reasons, for example to controlbuilding access, but if the school wished to use those images for any additional purposes they would needexplicit consent.

Where images of children are being used, particular attention must be paid to the safety and consent of thosechildren and parents. Schools must allow additional time when gathering consent for the use of children’simages, as this process must be thoroughly explained and understood.

As with other forms of consent, good practice would be to keep images and consent forms together todemonstrate this has been obtained. It must be clear on the consent forms exactly what the images are beingused for, and agree not to use them for any further activities. Extreme care must be taken to re gain consentprior to using images for alternative projects.

6. Consent from children

Consent for children is expected to be clear and age appropriate.  If services are

offered directly to children all information relating to consent or privacy notices must be written in a clear,plain way to ensure understanding.

If you offer online services (information society services) to children there are specific rules which must befollowed. Children under 13 cannot consent themselves, and so a person holding parental responsibility mustconsent on the child’s behalf.

You therefore must consider having functions on internal systems to log and verify parental consent onbehalf of a minor.

A child can consent to the use of online services after the age of 13 but as a general rule a child must have sufficient understanding and maturity to exercise their consent. A common sense approach will be adopted in the event a child or young person consents to the processing of their own data via the consent method.

Children can be less aware of risks to their safety and consequences of sharing their personal data and soservice areas must take extreme precautions when processing this type of data.

7. Lacking capacity to consent

Consent will be valid unless you have been made aware, or have reason to believe the individual who consentedlacks the capacity to do so. This must be judged on the capacity of the individual and on an individual basis.

8. Why is gaining consent so important?

Gaining the appropriate levels of consent can in turn improve the parents, pupils and staff members trust andengagement and will enhance the school’s reputation. In turn inappropriately using personal data or relyingon invalid consent can seriously harm our reputation, trust from parents, pupils and staff and result in fines orenforcement action from the ICO.

9. Practical list to follow in order to obtainconsent lawfully

(this may be used as an easy guide for staff to reference when determining whether to useconsent as a lawful condition, and how to obtain and manage that process)

1.    Is consent the most appropriate of the 6 legal conditions?

 If the answer is yes move on to no.2

• Necessary for contract
• Necessary for a legal obligation
• Vital interests
• Necessary for official authority / task carried out in the public interest
• Necessary for legitimate interest

2.  Are you able to obtain consent in compliance with the GDPR?

If the answer is yes move on to no.3

 Offering individuals genuine choice and control

• It must be demonstrable
• Presented in a way which is clearly distinguishable from other information
• Easily accessible and understandable
• Written or explained in clear and plain language
• Clearly explain to the data subject who the data controller will be
• Name any third parties who will rely on the consent
• Clearly explain the purpose for processing the personal data
• Freely given by the data subject
• Must be as easy to withdraw consent as it was to give
• Must not rely on inactivity, silence or pre- ticked boxes
• Consent cannot be relied upon where there is a clear imbalance between the data subject and data controller
• Keep evidence of consent, who, when, how and what individuals were told

3.  Can consent be accurately recorded?

If the answer is yes move on to no.4

• Who consented?
• How did they consent?
• Via which method?
• When did they consent?
• A record of the information presented to them at the time
• Any third parties involved?
• How to withdraw

4.  Can you remain compliant with data subject rights?

• Right to withdraw consent
• Right to have data removed after the agreed period of time
• Right to be forgotten
• Right to data portability
• Ability to restrict data processing
• Right to rectification

7. Data Subject Rights Policy

HOW TO EXERCISE YOUR DATA SUBJECT RIGHTS

Contents
1. Introduction to data subject rights
2. A summary of your rights- what these are and how they apply;

2.1 Right to be informed
2.2 Subject Access Requests
2.3 Right to rectification
2.4 Right to object to processing
2.5 Restriction on use/access
2.6 Right to erasure
2.7 Data portability
2.8 Automated Decisions

3. How you can exercise these rights;

3.1 How do I make a request?
3.2 Can someone else make a request for me?
3.3 What if a data subject “lacks mental capacity”?
3.4 What about requests involving children?
3.5 How do I evidence parental responsibility?
3.6 When can I expect your response?
3.7 Will I have to pay a charge?
3.8 Will I get all of the information I am requesting?
3.9 Can I choose the format in which the information is supplied?
3.10 Can you refuse my request?
3.11 What if I am not satisfied with your response or it is taking too long?

4. The meaning of the terms we have used (Appendix 1

1. Introduction

From 25^th May 2018, the General Data Protection Regulation (GDPR) as supplemented by the UK Data Protection Act 2018 will have legal effect.

This replacement data protection framework places new obligations on organisations and strengthens the rights that individuals have over the processing of their personal information.

Norbury Hall Primary School has produced this Guide to explain your enhanced rights and how we will deal with any requests we may receive from you.

In brief, you have the following rights.

• the right to be informed;
• to ask us for access to copies of the personal information we hold about you;
• to ask us to rectify your personal information if it is inaccurate or incomplete;
• to ask us to stop processing your personal information (this is known as the ‘right to object’);
• to ask us to erase personal information we hold about you (this is also known as the ‘right to be forgotten’);
• to ask us to ‘restrict’ the processing of your personal information (e.g. restrict our access and use pending our consideration, for example, of any objection or erasure request you have submitted);
• to ask us ensure that a decision which legally affects you is reviewed by a person if the decision has been made solely using an automated computerised process;
• to ask us to put the personal information you have given us into a portable electronic machine readable format so it is capable of being transmitted to someone else.

Please be aware that these rights are not absolute and are subject to conditions and exemptions. In some cases the rights described above only apply if the processing activity is undertaken on specific legal grounds and/or in defined circumstances. Therefore all of these rights are unlikely to be engaged in all cases.

You can also obtain full information about your rights from the Information Commissioner’s Office (the ICO). The ICO is the UK’s independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.

2. Summary of your Rights

 2.1 Right to be informed

 Every time we seek to collect information from you, we must inform you why we need to process your personal information, including how we propose to use it, who we intend to share it with and the safeguards we have put in place. If we receive information about you from someone else, we will usually tell you before we use or share your personal information unless we are aware you already have this information or, where the law says this is not necessary.

We meet these obligations in various ways depending on how you come into contact with us, including directing you to our privacy notices viewable on our web site.

 

2.2 Access to your personal information (Subject Access Request)

 You are entitled to ask us for copies of the personal information that we hold about you.

At the time of fulfilling your access request, we will provide the following information:

(a) the reasons why it is necessary to process your personal information;

(b) the types of personal information we process;

(c) the recipients or categories of recipient to whom your personal information have been or will be disclosed, including any recipients in third countries or international organisations and if relevant, the safeguards applicable to the transfer;

(d) where possible, the envisaged period for which your personal information will be stored, or, if not possible, the criteria used to determine that period;

(e) the right to request rectification, erasure of personal information or to object or seek to restrict such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) the source(s) of any personal information we hold that has not been collected directly from you;

(h) whether or not decisions are made about you solely using automated means,  including profiling, without human intervention  and, if so, provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

 

We will also explain if we have redacted any information that identifies third parties.

If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reason why one or more exemptions apply.

There are a number of reasons why information may be exempt. For example, it may be exempt if providing it to you would compromise the prevention or detection of crime or the prosecution of offenders. In certain cases we may also withhold some information relating to education, health and social work.

In certain circumstances we may refuse to respond your request if we consider that it is unfounded, excessive or repetitive in nature.

Once we have received your Subject Access Request, we have one calendar month to provide you with your information.

Prior to the one month beginning and your request becoming valid we must have received your proof of identify and any information we reasonably require to locate your personal data. (Further information on valid requests and proof of identify may be found below – 3.6)

You should also provide us with as much detail as you can about the information you want to access so we can locate it quickly. If we need to contact you for further information to help us find the personal data you requested you may have to wait longer for a response.

Once we have located your personal data we will provide copies to you in the same format you first contacted us, unless specified otherwise.

Arranging for someone else to request access to information on your behalf;

You can ask anyone to act on your behalf. For example a friend, relative, solicitor or employee of a consumer organisation such as a Citizens Advice Bureau.

Before we discuss or provide your personal data to anyone acting on your behalf you must confirm to us in writing that they have your authority to do so. This will require your signed authority, coupled with two forms of identification.

  

2.3 Rectification

You are entitled to ask us to:

• correct inaccurate information about you;
• update the information we hold if it is incomplete

If we agree that the personal information you have identified is factually inaccurate, we will correct it.

We will:

• endeavour to inform anyone with whom we may have shared your personal information of any correction(s) we have made so they can rectify the information they hold about you;

• tell you who the recipients of your information are if you ask us to do this so you can check they if have updated the personal information they hold about you.

If we disagree with your view that the information we hold about you is factually wrong, then in our response we will explain the basis for our decision and give you details about your right to complain to the Information Commissioner if you are not satisfied.

If you consider that personal information we hold about you is incomplete and we do not agree with this, we may offer you the option of adding a supplementary statement explaining why you consider the information we hold is incomplete.    

 

2.4 Objections to processing

 You have the right to object to us using your personal information where it is being processed for:

• direct marketing;
• profiling whether linked to direct marketing or for other purposes
• performing our statutory functions, tasks carried out in the public interest or when exercising official authority;
• our legitimate interest or those of a third party;
• scientific/historical research/statistics where:
  • this is likely to cause substantial damage or substantial or distress; or
  • involves decision-making about an individual

If you object to us using your personal information for direct marketing (or profiling linked to direct marketing) we will cease processing for this purpose(s).

If you object to the use of your personal data for scientific/historical research or statistical purposes on one or both of the above grounds, we will carefully consider your request and let you know the outcome. It may not always be possible to meet your objection if for example, the processing is carried out for the purpose of measures or decisions with respect to particular individuals where this is in accordance the law and is necessary for specified bodies to carry out approved medical research.

 

Where you object to us processing your personal information for any of the other reasons above, we will:

• consider if we have compelling legitimate grounds for continued processing; and
• whether or not these grounds are sufficiently compelling to justify overriding your privacy rights.

Where the law requires us to process your information to meet our statutory functions and public tasks, including our law enforcement functions, it is very likely that we will not be able to comply with your request.

 

For example, you will not be able to use this right to prevent us from:

• collecting and administering council tax or assessing benefit entitlements;
• taking measures to protect the health and safety of our staff;
• establishing, exercising or defending our legal rights;
• pursuing criminal investigations or proceedings;

If we do not uphold your objection, we will explain our reasons in our response and give you details about your right to complain to the Information Commissioner if you are not satisfied.

Upon receipt of your request we have one calendar month to provide you with a response.

 

2.5 Restriction on use of /access to your data

This right may be exercised in circumstances where:

 

• we need time to consider your representations where you are:
  • contesting the accuracy of the personal information we hold about you; or
  • objecting to our processing of your information
• it has already been determined the processing is ‘unlawful’ and you ask us to retain and ‘restrict’ its use;
• we no longer need to retain your personal information but you ask us to retain it for the establishment, exercise or defence of own legal claims.

 

If you make a request we will let you know if we agree to restrict access to your information for one or more of the above reasons.

If we decide a restriction is appropriate, we will endeavour to notify any recipients of your personal information of the restriction and let you know who they are if you ask us to do so.

Where processing is restricted, as well as storing your personal information, we will only process it during the period of restriction:

• with your consent; or

• if it is necessary for the establishment, exercise or defence of legal claims;

• if it is necessary for the protection of the rights of another person; or

• if it is necessary for reasons of important public interest, including for example, communicating with the Information Commissioner.

Where a restriction is applied pending a determination of ‘accuracy’ or any ‘objection’ you may have submitted, we will let you know the outcome of your representations and will notify you prior to lifting the restriction.

Where the reason for the restriction is for one of the other reasons above, the erasure of the personal information will not take place until we have resolved evidential issues with you.

We will also tell you about your right to complain to the Information Commissioner if you are not satisfied.

 

2.6 Erasure (also referred to as the right to be “forgotten”)

You have the right to request that we erase your personal information in defined circumstances.

These defined circumstances are:

• if we are storing your personal information for longer than is necessary or in breach of a legal obligation that requires its erasure;
• you decide to withdraw your consent and you ask us to erase your personal information where there is no other legal ground for processing; (c) we have accepted an objection made by you to our processing of your personal information and you have further requested that we erase the personal information in question;
• we are processing or publishing your personal information without a legal basis for doing so;

We will carefully consider a request for erasure. Our response will outline whether or not we consider retention of your personal information is unwarranted.

There are circumstances where it may not always be possible to agree to your erasure request and we have listed a number of grounds below where it may be necessary for us to retain your information:

• in the interests of freedom of expression (special journalistic

purposes)

• in order to comply with a legal obligation;
• for archiving in public interest;
• for public health functions in public interest
• for exercising legal rights or defending legal claims

If we agree to erase your personal information, we will endeavour to notify any recipients and let you know who they are if you ask us to do so.

If we refuse your request for erasure we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.

  

2.7 Data Portability

In certain circumstances, you have the right to request that the personal information you have supplied to an organisation be converted into a structured, commonly used and machine-readable format so that it can be transmitted to another organisation. This right is primarily intended to stimulate competition in the commercial sector by making it easier for consumers to switch from one supplier to another.

As most of the processing activities undertaken by us are governed by statute or as a result of legal obligations imposed on us, this right will only be engaged where:

• we process your personal information on an automated basis, and the legal basis for our processing:

• is based on your consent; or
• is for entering into or the performance of a contract with you

If you make a request for the personal information you have supplied to us to be converted into a portable format where our legal basis for processing falls within one of the grounds above, we will let you know our decision and if you are not satisfied with our response of your right to complain to the Information Commissioner.

 

2.8 Automated Decision Making

In general, decisions which effect you legally or have similarly significant effects are not permitted using solely automated processing, especially if this involves the use of personal information which because of its nature, is termed ‘Special’ or ‘Sensitive’. This is because decisions made using automated electronic programmes or software do not involve human beings.

But there are some exceptions where automated decision-making is permitted. This is where the processing:

• is based on your explicit consent;
• is necessary for entering into or the performance of a contract with you;
• it is required or authorised by law

Where an automated decision is made about you based on one of the reasons above, you are entitled to be:

• informed that our processing activity involves automated decision making and to be informed about the logic involved and the likely consequences of the processing for you;
• told what measures and safeguards we have implemented to protect your privacy;

Within 1 month of your receipt of the above notification, you have the right to:

• contest the automated decision;
• to ask that the automated decision be reconsidered by an appropriate person with the authority/seniority to reach a fresh decision that is not based solely on automated processing.

If you contest an automated decision and ask for it to be reconsidered, we will respond within the allowed time period and let you know whether or not this fresh decision has led to the same or a different outcome.

We will also explain your right to complain to the Information Commissioner if you are not satisfied.

3. How to exercise your rights

 3.1 How do I make a request?

Where possible please use the Subject Access Request form which can be found here via the website

Alternatively you can make a Subject Access Request by writing to the Headteacher,
Norbury Hall Primary School, Shepley Drive, Hazel Grove, SK7 6LE

You can also email us at office@norburyhall.stockport.sch.uk.

For all requests, we will need documentary proof that you are who you say you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you);

Please ensure you provide at least two forms of identification. Preferably a copy of a passport, driving licence, utility bill, council tax bill or bank statement bearing your full name and current postal address.

On receipt of your request, we will send you a written acknowledgement. In some circumstances we may also ask for additional information if necessary.

3.2 Can someone else make a request for me?

A friend, relative, advocate or solicitor may act on your behalf. However, this person must supply written authority from you to confirm that they are acting for you and we will still require identification for you.

3.3 What if a data subject ‘lacks mental capacity’?

A person with a lasting power of attorney appointed directly by the data subject or a Deputy appointed by the Court of Protection may exercise rights on behalf of the data subject.

This person must be registered with the Office of the Public Guardian and be able to provide evidence to this effect.

3.4 What about requests involving children?

Unlike Scotland, there is no set age in England which recognises when children are automatically able to exercise data protection rights.

A child aged 13 or over is able to create an on line social media account without the consent of a person with parental responsibility.

As a general rule a child must have sufficient understanding and maturity to exercise their own rights and a common sense approach will be adopted in the event a child or young person submits a request.

For children aged under 13, it will generally be expected that a request is made by a person with parental responsibility. A ‘best interest’ consideration will be taken into account.     

 

3.5 How do I evidence parental responsibility?

The following evidences would be accepted as proof of parental responsibility;

• Birth Certificate
• Court Order
• Adoption Record
• Special Guardianship Order

 

3.6 When can I expect your response?

We aim to respond to your request without undue delay and no later than one calendar month counted from the first working day after we are in receipt of your request, and:

• proof of your identity, and
• any further information (where we have requested this from you) we need to process your request and/or locate and retrieve your personal information.

Where it is not possible to respond sooner and the last day before expiry of one calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

If your request is complex, we may need to extend the length of time required to respond.

If this applies, we will let you know before the latest due date on which you would be expecting to hear back from us.

The General Data Protection Regulation says we can extend the length of time to respond by a maximum of a further two calendar months.

Where it is not possible to respond sooner and the last day before expiry of the second calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

We will always endeavour to respond as quickly as we can.

3.7 Will I have to pay a charge?

Ordinarily we will not charge a fee for fulfilling a request from you.

The only exception is where you make repeat requests for the same or similar information. In these cases, we reserve the right to charge a reasonable fee based on the administrative costs of supplying further copies if we consider a reasonable time period has not intervened since fulfilling a previous request.

3.8 Will I get all of the information I am requesting?

This is likely to be the case.

But it is important to note that the right of access to your own information does not extend to information about other people who may be identified in the information that also refers to you.

We may therefore redact personal information about other persons (Third Parties) where we are satisfied it is reasonable in the circumstances to do so.

In some cases information may be so interlinked that it is not possible to fulfil your request without breaching another person’s privacy rights.

The names of professional staff (whether directly employed by us or not) involved in decision-making about your care and education will often be disclosable and their identities will not be automatically redacted, unless this is warranted in a particular case.

The law recognises that there are occasions when it may be appropriate to withhold certain information and provide exemptions in specified circumstances.

If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reasons why one or more are necessary.

 

3.9 Can I choose the format in which my information is supplied?

Where you have submitted your request electronically or asked us to respond in a particular format, we will try to do so wherever this is reasonably practicable.

3.10 Can you refuse my request?

In certain circumstances we may refuse to act on your request if we consider that your request is unfounded, excessive or repetitive in nature.

We will give our reasons if we refuse to comply with your request on any of these grounds.

3.11 What if I am not satisfied with your response or it is taking too long?

If you do not hear from us by the latest due date or are not satisfied with the response you have been given, you have the right to complain to the Information Commissioner.

The Information Commissioner is the UK’s independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.

You can email the Information Commissioner’s office

accessicoinformation@ico.org.uk or write to:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

 Full information about your rights is also available on the ICO’s website:

https://ico.org.uk/

Appendix 1 – Meaning of terms

“Personal information” means any information relating to an identified or identifiable living person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.

“Special or Sensitive Personal information”  is information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal information relating to criminal offences and convictions.

“Processing” means any activity that involves the use of personal information. It includes obtaining, recording or holding the information, or carrying out any operation or set of operations on the information including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal information to other Recipients.

“Data Subject” a living, identified or identifiable individual about whom we as the Controller hold personal information.

“Controller” means the person or organisation (in this case us) that determines when, why and how to process personal information.

“Privacy Notices” are notices setting out the information given to you at the time we collect information from you or within a reasonable time period after we obtain information about you from someone else. These notices may take the form of an overarching privacy statement (as available on our web site) or apply to a specific group of individuals (for example, service specific or employee privacy notices) or they may be stand-alone, one time privacy statements covering processing related to a specific purpose.

 

“Consent” must be freely given, specific, informed and unambiguous indication of an individuals’ wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Explicit Consent” requires a very clear and specific statement, leaving no room for misinterpretation.

“Third Party” is a living individual other than the person who is the data subject

“Recipient” means a person or organisation who receives your personal information from us. This may be a company with whom we have entered into a contract to provide services on our behalf or another Controller with whom we are either required or permitted to share personal information.

 

“Latest due date”  means one calendar month counted from the first working day after proof of ID and any requested information is received by us, except where this falls on a weekend or a bank holiday in which case the “latest due date” is treated as the first working day after the weekend or bank holiday.  The same method is applied to calculating the “latest due date” for complex requests where an extension of time is permitted and claimed.

 

 “Automated Processing” means any processing of personal information that is automated through the use of computers and computer software.  

“Automated Decision-Making (ADM)” means a decision which is based solely on Automated Processing (including Profiling) which produces legal effects or significantly affects an individual. The GDPR generally prohibits Automated Decision-Making except in defined circumstances, subject to certain conditions and safeguards being met.

 

“Profiling” means the recording and analysis of a person’s psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying categories of people.

 

“General Information Protection Regulation (GDPR)” means the General Information Protection Regulation ((EU) 2016/679).

 

“Data Protection Act 2018” means UK legislation that repeals the 1998 Act; implements discretions delegated to EU Member States under the GDPR; provides for the role, responsibilities and enforcement powers of the Information Commissioner and sets data protection standards for processing activities that do not fall within the purview of the GDPR.