Privacy Notice for Students
Newfriars College collects a lot of data and information about our students so that we can run effectively as a college. This privacy notice explains how and why we collect students’ data, what we do with it and what rights parents and students have.
Newfriars College is an academy within the Shaw Education Trust (“the Trust”), a multi academy trust with over 10 academies. The Trust is a charitable company limited by guarantee (registration number 09067175) whose registered office is Shaw Education Trust Head Office, Kidsgrove Secondary School, Gloucester Road, Kidsgrove, ST7 4DL. The Trust is the Data Controller for all the academies within the Trust.
The Data Protection Officer for the Trust is Natalie Kennedy, firstname.lastname@example.org.
Why do we collect and use student information?
We collect and use student information under the following lawful bases:
a. where we have the consent of the data subject (Article 6 (a));
b. where it is necessary for compliance with a legal obligation (Article 6 (c));
c. where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));
d. where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e)).
Where the personal data we collect about students is sensitive personal data, we will only process it where:
a. we have explicit consent;
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; and / or
c. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Please see our Data Protection Policy for a definition of sensitive personal data.
We use the student data to support our statutory functions of running a college, in particular:
a. to decide who to admit to the college;
b. to maintain a waiting list;
c. to support student learning;
d. to monitor and report on student progress;
e. to provide appropriate pastoral care;
f. to assess the quality of our services;
g. to comply with the law regarding data sharing;
h. for the protection and welfare of students and others in the college;
i. for the safe and orderly running of the college;
j. to promote the college;
k. to communicate with parents/carers;
a. in order to respond to investigations from our regulators or to respond to complaints raised by our stakeholders;
l. in connection with any legal proceedings threatened or commenced against the college
The categories of student information that we collect, hold and share include:
a. Personal information (such as name, unique student number and address);
b. Characteristics (such as ethnicity, language, medical conditions, nationality, country of birth and free college meal eligibility);
c. Attendance information (such as sessions attended, number of absences and absence reasons)
d. Behaviour records, including exclusions (if relevant) records about attainment, assessment information, information about special needs (if relevant);
From time to time and in certain circumstances, we might also process personal data about students, some of which might be sensitive personal data, including information about criminal proceedings/convictions, information about sex life and sexual orientation, child protection/safeguarding. This information is not routinely collected about students and is only likely to be processed by the college in specific circumstances relating to particular students, for example, if a child protection issue arises or if a student is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and/or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
We collect information about students when they join the college and update it during their time on the roll as and when new information is acquired.
Collecting student information
Whilst the majority of student information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain student information to us or if you have a choice in this. Where appropriate, we will ask parents/students for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of students on our website or on social media to promote college activities, or if we want to ask your permission to use your information for marketing purposes. Parents/students may withdraw consent at any time.
When students are deemed to be old enough to make their own decisions in relation to their personal data, we will also ask the student for their consent in these circumstances. This will usually be at the age of 13. Although parental consent is unlikely to be needed, we wish to take a collaborative approach so we will keep parents informed when we are approaching students for consent. Students with the maturity to make their own decisions about their personal data may withdraw consent if consent has previously been given.
In addition, the College also uses CCTV cameras around the college site for security purposes and for the protection of staff and students. CCTV footage may be referred to during the course of disciplinary procedures (for staff or students) or to investigate other issues. CCTV footage involving students will only be processed to the extent that it is lawful to do so. Please see our CCTV policy for more details.
Storing student data
For the length of time that we store student information, please refer to our data retention policy.
A significant amount of personal data is stored electronically, for example, on our database, SIMS/Bromcom/Other. Some information may also be stored in hard copy format.
Data stored electronically may be saved on a [cloud] based system which may be hosted in a different country.
Personal data may be transferred to other countries if, for example, we are arranging a college trip to a different country. Appropriate steps will be taken to keep the data secure.
Who do we share student information with?
We routinely share student information with:
- Parents/carers (as defined in the Education Act 1996);
- colleges that students attend after leaving us;
- our local authority;
- a student’s home local authority (if different);
- the Department for Education (DfE);
- college academy councillors / trustees;
- the central team at the Trust;
- exam boards.
From time to time, we may also share student information other third parties including the following:
- the Police and law enforcement agencies;
- NHS health professionals including the college nurse, educational psychologists,
- Education Welfare Officers;
- Courts, if ordered to do so;
- the National College for Teaching and Learning;
- the Joint Council for Qualifications;
- Prevent teams in accordance with the Prevent Duty on colleges;
- other colleges, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
- our HR providers, for example, if we are seeking HR advice and a student is involved in an issue;
- our legal advisors;
- our insurance providers/the Risk Protection Arrangement;
Some of the above organisations may also be Data Controllers in their own right in which case we will be jointly controllers of your personal data and may be jointly liable in the event of any data breaches.
In the event that we share personal data about students with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.
Why we share student information
We do not share information about our students with anyone without consent unless the law allows us to do so.
We share students’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins college funding and educational attainment policy and monitoring.
We are required to share information about our students with the (DfE) under regulation 5 of The Education (Information About Individual Students) (England) Regulations 2013.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Youth support services
What is different about students aged 13+?
Once our students reach the age of 13, we also pass student information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- youth support services
- careers advisers
A Parent / Carer can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child / student once he/she reaches the age 16.
Our students aged 16+
We will also share certain information about students aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- post-16 education and training providers;
- youth support services;
- careers advisers.
For more information about services for young people, please visit your local authority website.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about students in colleges in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including colleges, local authorities and awarding bodies.
We are required by law, to provide information about our students to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Students) (England) Regulations 2013.
To find out more about the student information we share with the department, for the purpose of data collections, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our students from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data;
- the purpose for which it is required;
- the level and sensitivity of data requested; and
- the arrangements in place to store and handle the data.
To be granted access to student information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided student information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-pupil-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, students, and in some circumstances, parents, have the right to request access to information about them that we hold (“Subject Access Request”). From the age of 13, we generally regard students as having the capacity to exercise their own rights in relation to their personal data. This means that where we consider a student to have sufficient maturity to understand their own rights, we will require a Subject Access Request to be made by the student and not their parent(s) on their behalf. This does not affect any separate statutory right parents might have to access information about their child.
Subject to the section below, the legal timescales for the College to respond to a Subject Access Request is one calendar month. As the College has limited staff resources outside of term time, we encourage parents / students to submit Subject Access Requests during term time and to avoid sending a request during periods when the College is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. [For further information about how we handle Subject Access Requests, please see our Data Protection Policy.
Parents of students who attend academies have a separate statutory right to receive an annual written report setting out their child’s attainment for the main subject areas which are taught. This is an independent legal right of parents rather than a pupil’s own legal right which falls outside of the GDPR, therefore a student’s consent is not required even if a student is able to make their own decisions in relation to their personal data, unless a court order is in place which states otherwise.
The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are or were married, whether a father is named on a birth certificate or has parental responsibility for the student, with whom the student lives or whether the student has contact with that parent), and also includes non-parents who have parental responsibility for the student, or with whom the student lives. It is therefore possible for a student to have several “parents” for the purposes of education law.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the our data protection responsibilities.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact:
Natalie Kennedy, DPO, via Natalie.email@example.com