What is this?
King Edward VI College needs to collect and process personal data to meet certain legal obligations, provide services to students and parents, and to manage its operations.
The purpose of this privacy notice is to explain how we collect and use your personal data.
For the purposes of this notice, King Edward VI College (“we”, “us”, “our”) is the data controller for any personal data we process about you. We are registered as a data controller with the Information Commissioner’s Office and this registration can be found HERE.
The most up to date version of this privacy notice will always be available on the college website.
Are you allowed to collect this information?
Yes. On 25th May 2018 the Data Protection Act 1998 was replaced by the General Data Protection Regulation (GDPR) which set rules for what we can collect. We are allowed to collect this information under Article 6 1c which states;
- Processing shall be lawful only if and to the extent that at least one of the following applies: (c) Processing is necessary for compliance with a legal obligation to which the controller is subject
What do we collect?
- personal identifiers and contact information (such as your name, unique student numbers, addresses and phone numbers)
- personal characteristics (such as ethnicity, gender, bursary and free meal eligibility)
- safeguarding information (such as court orders, prosecutions and ongoing legal proceedings)
- special educational needs (including learning difficulties, disabilities, and medical conditions)
- attendance (such as classes attended, number of absences and absence reasons)
- assessment and attainment (such as GCSE or A Level results, internal assessment outcomes, external assessments such as BMAT)
- behavioral information (such as praise comments, attitude to study, academic warnings and exclusions)
- payment information (such as payments for trips via ParentMailPay or directly to the Finance Office)
- trips and activities information (such as next of kin contact information)
We also collect your image on our CCTV system, which we use to ensure your safety and the security of all students, staff and visitors. These images are only stored for 4 weeks and are automatically over-written or deleted. No audio is recorded, and the images are only available to selected staff but may be shared with the Police to assist where a criminal activity has taken place.
Some of this information is very sensitive!
GDPR regulations identify that some information is more sensitive than others, for example; your race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
GDPR Article 9 paragraph 1 states that:
- Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
However, paragraph 2 identifies ten exceptions to this rule, and we are exempt from this rule under section 2j;
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We collect your sensitive personal data (racial/ethnicity data and medical information) in accordance with the exemption in paragraph j. The relevant legislation that require us to collect such information is detailed below:
The Education (Information About Individual Pupils) (England) Regulations 2013 section 5 state that:
Within fourteen days of receiving a request from the Secretary of State, the proprietor of a non-maintained special school or an Academy;
(16) shall provide to the Secretary of State such of the information referred to in Schedule 1 and (where the request stipulates) in respect of such categories of pupils, or former pupils, as is so requested.
The Children and Families Act 2014 places a duty of care on appropriate authorities to support students with medical conditions:
100 (1) The appropriate authority for a school to which this section applies must make arrangements for supporting pupils at the school with medical conditions.
Why do we collect this information?
We collect and use student information, for the following purposes;
- to support student learning
- to monitor and report on student attainment & progress
- to provide appropriate pastoral care
- to assess the quality of our services
- to safeguard children and young people
- to meet the statutory duties placed upon us for DfE and ESFA data collections
- to meet our duties regarding the prevention and detection of crime
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing student information are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
A full list of the purposes for which we process personal data and the legal basis for such processing is available via the college website.
How do we collect this information?
Most of the student information that you provide to us will be collected when you apply to the College. We update this information with you and collect any additional information during your interviews, and again when you enrol. The large majority of this information is mandatory, but where consent is needed we will inform you that you have a choice and right to refuse or to withdraw your consent at a later date.
We also collect data (such as your previous achievements or Unique Learner Number) via the Learner Records Service.
We may collect information from the Local Authority or your former school.
We collect results information from awarding bodies via Electronic Data Interchange (EDI) file. Information is also provided to the college by the DfE via the tables checking website for the purpose of checking results against those received from the awarding bodies.
How long do we store this information?
We have a legal obligation to keep information for a set period. This information can be found in our data retention schedule. Most of your information is retained for a period of seven years from the end of the academic year in which you leave the College.
Who do you share this information with?
We only share your information where it is absolutely necessary, or we are under a legal obligation. We would never share your information with any direct marketing companies and we never store your data outside of the EU, which means it is always kept in accordance with the GDPR regulations. We share your information with;
- your parents/guardians
- your previous school(s)
- the local authority
- the Department for Education (DfE) and Education & Skills Funding Agency (ESFA)
- NHS / college nurse
- third party organisations that process data on our behalf (for example ALPs)
- third party professional services (for example Social Services)
- third parties permitted by law
How can I access my personal data?
Under data protection legislation, you have the right to request access to information that we hold. To make a request for your personal information please contact our Data Protection Officer at DPO@kedst.ac.uk.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to seek redress, either through the ICO, or through the courts
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/