Information sharing policy - Privacy Notice
Greig City Academy collects, holds and shares personal information about students and their families that you provide to us in accordance with the rules as laid down in statute, including the General Data Protection Regulations (GDPR) 2018, the Education Act 1996, the Education and Skills Act 2008 and the Apprenticeship, Skills, Children and Learning Act 2009.
We collect data to:
- support students’ learning
- monitor and report on their progress
- provide appropriate pastoral care
- assess how well the school as a whole is doing
- to comply with the law regarding data sharing
- safeguard students
The data we collect, use and may share with other organisations include:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth, special educational needs)
- Free school meals eligibility
- Relevant medical information
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment information, exclusions / behavioural information, post 16 learning information
Collecting student data
Most of the student information you provide us is mandatory, that is, we are allowed by law to collect it. Some information will be provided to us voluntarily. We will tell you whether you are required to provide certain information or if you have a choice in this. If we need your consent, the Academy will give you clear information as to why we are collecting the data and how it will be used. You have the right to withdraw your consent at any time.
The lawful basis on which we collect, hold and share personal information
Under the Education Act 1996, the Academy is required to submit school census returns, including a set of named pupil records, to the DfE. This statutory basis ensures we comply with Article 6 and Article 9 of the GDPR which set the lawful bases for processing data.
Storing student data
We are required by law to store all files containing information on students until the date of the student’s 25th birthday. After that we shred the file. The exception is that when students transfer to a different school, all his/her files are transferred to that school.
The Academy is a ‘data controller’ for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2018. A data controller is an organisation that is responsible for the use made of someone's personal information.
We will not give information about our students to anyone without your consent unless the law and our policies allow us to do so. We are required, by law to pass some information about our students to: the DfE; Haringey Council; and agencies such as the Qualifications and Curriculum Authority (QCA), Ofsted, the Education and Skills Funding Agency (ESFA), the Department of Health (DH), Primary Care Trusts (PCT). We also share information with schools that our students attend after leaving us. All these are data controllers in respect of the data they receive, and must obey the same legal conditions in how they deal with the data.
The right to access personal data
Parents and students have certain rights under the GDPR, including a right to be given access to personal data held about them by any data controller. It is presumed that, by the age of 13, children have sufficient maturity to understand their rights and to make an access request themselves if they wish. A parent would normally be expected to make a request on a child’s behalf if the child is younger. A parent may make a request for a child aged 13 and over with the express, written permission of the child.
You and/or your child also have the right to:
- request that your personal data be erased where there is no compelling reason for its continued processing
- in certain circumstances, have inaccurate personal data rectified, blocked, or destroyed
- request that the processing of your data is restricted object to processing personal data that are likely to cause, or are causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- claim compensation for damages caused by a breach of the data protection regulationsâ
Students aged 13+ and 16+
Once our students reach the age of 13, we also pass student information to Haringey Council as they have responsibilities in relation to the education or training of 13 to 19 year olds under the Education Act 1996. A parent or Guardian may request that only their child’s name, address and date of birth are passed to the local authority. This right is transferred to the student once he/she reaches the age of 16.
If you would like more information on the purposes for which data are collected and the agencies to which we are required to pass on data
Or if you would like to receive a copy of the information about your son/daughter that we hold
Or if you have a concern about the way we are collecting or using your or your child’s personal data
please contact firstname.lastname@example.org or call 020 8609 0100 and ask to speak to the Data Protection Officer, Paul Letford, Assistant Principal. You can also email him directly at email@example.com.
If you feel we have not addressed any concerns you may have, you have the right to contact the Information Commissioner’s Office at https://ico.org.uk/concerns/.