Data Protection - GDPR
Your Data Protection Rights
The General Data Protection Regulations provide you with legal rights over the personal data our school holds about you and your child. This guide will explain your rights and help you to use them.
You do not need to know details about which right applies in which case in order to make a request; it’s our responsibility to understand how to handle a request you make.
Your personal rights are:
We are committed to helping you to exercise your rights through:
- Keeping our guidance simple
- Making it readily available
- Responding to a request from you:
  - In writing: by means of your choice wherever practical. If you email us, we’ll respond by email unless you ask us to do something different
  - Verbally: if you wish, providing we have proof of ID
  - Promptly: and no longer than a month after receiving it. If your request is particularly large and complicated, we are allowed to extend the deadline by up to 2 months. If we need to do this we’ll let you know within a month and explain why.
  - In plain English: avoiding legal terms where possible, but explaining them where we need to use them
How will you know that a request about me has come from me?
We won’t change, delete or share any of your information without being satisfied that it is you who has asked for this (unless the law allows us to). Where we have doubts about a requestor’s identity, we will ask for proof of ID and won’t go ahead unless we’ve received this and are satisfied that you are identified.
Are you allowed to charge me for a request, or refuse it?
You should not have to pay us when you’re exercising your rights; however, the law does allow us to charge you a reasonable fee if your request is unreasonable or is a repeat of something we’ve already done for you. In these cases we may be allowed to refuse your request rather than charge. If we plan to charge or to refuse your request, we will let you know and explain why we believe the law lets us do this.
There are other reasons in the law which may mean we cannot do what you ask us to do with your personal data. We have explained these under each of your ‘Rights’ in this guide.
What if I’m not happy with your response to my request?
We’ll always do our best to do what you ask with the personal data we hold about you or your child; however, the law places a responsibility on the school to balance your rights against the rights of other people who may be affected and against the legal powers of other organisations. It may not always be the case that your rights are strongest in every situation. We’ll always explain our reasons and will gladly take another look at our decision if you want to challenge it.
If you still feel that we haven’t done what we should then you have the right to complain to the Information Commissioner (ICO). Please see the ICO’s contact details at the end of this guide.
Limiting your Rights
The law allows for the UK Government to make certain decisions which could result in Data Protection rights being reduced to some extent. However, the law requires that any restrictions of this kind must still be in line with your basic human rights and must be what is expected of rules applying to a democratic country.
The Government may decide to limit the rights for reasons such as national security, preventing crime, investigating certain professional conduct cases etc. We have to take these decisions into account when considering requests from you to exercise your rights.
1. Your Right to be Informed
It is important that you know what happens to your personal data whilst we hold it. The law requires us to be honest and open with you about these details and we do this through publishing a number of Privacy Notices on our website; one covering each of the main uses we make of your data.
These Notices are available for you to read and understand so that you know what to expect us to do with your data; either before you share it with us, or where it is given to the school from another organisation that holds it.
We have taken care to explain the details on the Notices in simple language but we would be grateful for any feedback on this to help us with our commitment to review and improve the guidance we give you.
Here are the main things we need to tell you about what we do with your personal data:
- Who we are: School name, the name of our Data Protection Officer and their contact details.
- A description of the type of data we collect about you/ your child
- The reasons why we need this data
- An explanation of how the law allows us to hold and use your data
- Who we might share the data with (either because they provide a service on our behalf or they need it for their own purposes and the law allows this)
- Whether your data may be sent to or stored in a country that is outside the European Economic Area (EEA)
- When we will no longer need your data and how soon after this we’ll delete it
- Which of your rights you are able to use, including the right to withdraw your consent (if this is what allows us to hold your data)
- How to complain to the Information Commissioner’s Office (ICO)
- Where we got your data from (if you didn’t give it to us yourself)
- Whether we use your data to make automated decisions or to do profiling
We will make sure the right Privacy Notice is available to you:
- At the time you share your data with us
- When it has been shared with us by another organisation:
  - No later than a month
  - The first time we contact you, or sooner
  - Before or when we share it with someone else
See our Website for a list of published Privacy Notices
2. Your Right to Access your Information
The personal data we hold about you and your child is still yours. You have the right to ask us for access to the data to satisfy you that our use of your data is lawful. Unless the law prevents us from doing so, we must give you:
- Confirmation that we hold your data
- An explanation of what that data is
- Access to your information
- Confirmation of which Privacy Notice(s) explain why we have your data and what we do with it
When dealing with your request we will:
- Let you know what additional information we may need to identify you
- If a request has been made by someone on your behalf, ensure that they have your permission
- Confirm how you would like to receive your information
- Help you to make your wishes clearer if your request is not clear about the information you want.
- Make sure the information you receive is the information you are entitled to under the law – having considered your rights against the rights of others whose information may be included within documents relating to you, and any other legal reason which may prevent us from sharing data.
- Let you know within a month at the latest about any expected delay, for example if your request is complex, about any fee that the law allows us to charge, or explain any reason we may have to refuse your request.
Please note: There is an additional “right of access” to your Child’s ‘Pupil Record’ – as defined in the Education (Pupil Information) (England) Regulations 2005. The timescale for responding to such requests is fifteen days from receipt of the request (excluding the summer holiday). This right is not affected by GDPR.
3. Your Right to have your Data ‘Rectified’
The school has a legal responsibility to make sure the data we hold about you and your child is accurate and complete. Where we are made aware that we may hold inaccurate or misleading data about you we must ‘rectify’ it (change it).
Where you may have moved to a new address, changed contact details or even changed a surname, these are simple changes to make. However, there may be more complex cases where you disagree with an opinion we have recorded about your child’s progress, for example, and you may decide to ask us to change this. In some cases the law allows us to refuse to make changes to the personal data we hold, and the professional opinion of a qualified teacher is an example where we may decline to fulfil a change request.
Any request to change your personal data will be fairly considered and if, having reviewed a contentious record, we feel it is inaccurate, then we will make changes.
If we do refuse to make changes we will always:
- Explain to you in writing the reasons why we are refusing your request
- Consider adding a statement of your opinion to the record to reflect that there has been a challenge to our professional judgement.
4. Your Right to be Forgotten
Right to erasure (‘right to be forgotten’)
The right to Erasure, known as the right to be forgotten, is where you can ask us to consider deleting information that we hold about you or your child.
We will already have explained to you through our Privacy Notices how long we intend to hold your personal data before we delete it; however, you still have the right to challenge us to delete your data at any time.
You can expect your request for deleting your personal data to be successful if:
- It is no longer ‘necessary’ for us to keep the data for the purpose stated on the relevant Privacy Notice
- We’re holding and using the data based only on your consent, and you have decided to withdraw this consent
- We’re holding and using the data for our ‘legitimate interests’. You may decide to object to this, and we can’t give a reason for keeping it that outweighs your decision.
- We’re holding and using the data to allow us to market goods and services to you and you ask us to stop.
- We have been holding and using your data unlawfully
- Deleting is required by law
- We’re using data about your child to support a chargeable online service
The law has a number of reasons why we are allowed to refuse erasure requests; those that are most likely to apply to schools are where we’re holding or using your data:
- To comply with a legal requirement
- Where we are doing something in the public interest or acting within our role as a school
- To keep a historical record of the school’s activity for future generations
- Where we need it because it supports a legal case
When we agree to delete information about you, we will have procedures in place to let other organisations who we’ve shared your data with know, for example if we have contractors working on our behalf. Our decision to delete your data means that they should delete it also.
When we agree to delete information following your request, or routinely as part of our records management procedures, we will make sure that the data in whatever format is destroyed securely and cannot be reused, or it will be permanently changed so that it can no longer identify you or your child.
5. Your Right to Restrict the Processing of your Data
Should you have concerns about an aspect of what we do with your personal data, such as who we share it with or how we manage it, you have the right to ask us to stop doing it, so that we are still allowed to hold it, but we are ‘restricted’ in the ways we can use your data.
Aside from storing your data, we can only continue to use it when it is under a restriction if:
- We have your consent
- It is to be used for a legal claim or case
- It is needed to support someone else’s rights
- We believe the use is in the public interest.
When use of data is restricted, this may mean we consider doing the following:
- Removing your data from one database or system and storing it in another in order to separate it from data which is still in use
- ‘Locking’ or ‘Protecting’ a record containing your data to prevent staff from accessing and using it.
- Taking published data down from a website.
- Labelling the data to ensure that users are aware of the restriction
You can expect your request for restricting the use of your personal data to be successful if:
- You want our use of your data to stop whilst its accuracy is being reviewed
- The data had been used unlawfully and you opt for a restriction rather than request us to delete (erase) your data
- We don’t believe it is necessary for us to keep your data any longer, but you wish us to keep it for a potential legal case
- You have raised an ‘objection’ and we need time to consider whether your rights outweigh our potential claim that we have a legitimate need to keep using your data
As with other rights, the law allows us to refuse a request in certain circumstances. In this case we can refuse (or charge a reasonable fee) if we believe the request is unfounded or excessive. In such cases we will contact you and explain our decision, and let you know how to complain.
When we decide to lift any restriction on the use of your data, we must let you know about this in advance. We must let you know how this affects any related requests under your rights to ‘rectify’ and to ‘object’, and also let you know how to complain.
6. Your Right to Data Portability
The right to Data Portability gives you the means of asking an organisation to give your personal data to another organisation on your behalf, or back to you for you to give to another organisation – making your data ‘portable’, i.e. easily usable by another supplier of services to you.
The law allows this right to apply in a very narrow set of circumstances which make it highly unlikely that it would apply to any data held by the school, but in brief the right applies when data you have provided:
- Is being held and used by us under your consent or supporting a contract, AND
- The use of the data is being carried out by an automated process (i.e. staff are not involved in physically doing something with the data).
If this right did apply to your data, we would need to provide it in a format that was commonly in use, allowing the majority of software products to read and use the data in an automated way.
7. Your Right to Object to Data Processing
The law provides you with the right to ‘object’ to us holding and using your personal data but only in certain circumstances. Our Privacy Notices will let you know the ‘legal condition’ we are relying on to hold and use your data and they will also explain when you have the right to ‘object’. If we are relying on one of the following, then the right is available to you:
- Legitimate interests, or
- Performance of a task in the public interest/ exercising our official authority (including profiling), or
- Scientific or Historical research and statistics
In order to exercise your right you must have an objection which is specific to your particular situation. You can’t therefore object to our general practices; you must be able to argue that there is something we are doing with your personal data that impacts you specifically.
If this does apply, then we must stop doing what is causing you concern unless we can do one of the following:
- Show you that there are legitimate grounds for our actions and that these outweigh your rights
- Show that our actions with your personal data are necessary to support evidence for a legal case or claim
If we hold your data for direct marketing purposes then we must stop doing so when we receive your objection. We would have no grounds to challenge your decision.
8. Rights over Automated decision-making & Profiling
What do these terms mean?
Automated decision-making: this is making decisions about you or your child using your personal data through an automated process, i.e. a computer calculation with no human involvement.
Profiling: using personal data to make decisions about categorising you or your child based on any number of characteristics.
Where we do this we have to let you know about it on our Privacy Notices. These will explain the process we go through and what the potential consequences are of the decisions made.
The law only allows us to do this kind of activity where decisions are made completely without the need of human help and the outcome of the decision can have a significant impact on an individual in the following circumstances:
- If we were evaluating you or your child as part of entering into a contract (i.e. to see whether someone meets the criteria to be eligible for a contractual service)
- If the law specifically allows it
- You have given us your recorded consent
And we can only use sensitive personal data if:
- We have your recorded consent, or
- We can claim that what we’re doing is important in the public interest
If what we’re doing isn’t completely automated and the decisions are not significant, then we don’t need to rely on these reasons, but we still need to let you know what we’re doing and explain how the law allows us to do it.
The law says that this type of activity has the potential for error that may have consequences, or has concerns that decisions are made in ways that aren’t transparent and are potentially unfair. You therefore have the right to:
- Challenge us over decisions we make in this way
- Demand that a member of staff undertakes the process rather than a computer
- Make us aware of your opinions to support decision making
We must make sure that the systems we use to make such decisions are working as they should in order to avoid errors and to ensure we are fair, and we must take reasonable steps to keep your data secure within this process.
Any system we use to carry out this type of process will have been risk assessed and will have been approved by our Data Protection Officer as complying with the law.
Privacy Notice Statement
Jesse Gray Primary School [JGPS] respects your and your child’s privacy when you use the Organisation’s services and is committed to complying with privacy legislation.
The information below is what is referred to as a ‘Privacy Notice’, which explains how the Organisation uses and protects your personal information.
Before we start, if you look to the bottom of this webpage you will see a range of privacy notices covering the work of the school. Click on each document to find more detailed information about how we use and protect your personal information.
Jesse Gray Primary has appointed an external, independent, Data Protection Officer to monitor our practice. Our Data Protection Officer is Catherine Cox, Equals Trust.
The Data Protection Officer’s role is to ensure that any personal information processed by the Organisation is processed fairly and lawfully (respecting your rights and ensuring we follow the law). If you have any concerns or questions regarding how we look after your personal information, please contact the Data Protection Officer at email@example.com or by calling 0115 9143211.
Why we use personal information
We may need to use some information about you to:
- deliver services and support to you;
- manage those services;
- train and manage the employment of our workers who deliver those services;
- help investigate any worries or complaints you have about your services;
- keep track of spending on services;
- check the quality of services; and
- help with research and planning of new services.
What are our legal reasons for processing personal information?
There are a number of legal reasons why we need to collect and use personal data. Each privacy notice from the menu on the left explains for each service which legal reason is being used. Generally we collect and use personal information in the following circumstances:
- Where you, or your legal representative, have given consent
- Where you have entered into a contract with us
- Where it is necessary to perform our statutory duties
- Where it is necessary to protect someone in an emergency
- Where it is required by law
- Where it is necessary for employment purposes
- Where you have made your data publicly available
- Where it is necessary to establish, exercise or defend a legal claim
- Where it is in the substantial public interest
- Where it is necessary to protect public health
- Where it is necessary for archiving public interest material, research, or statistical purposes
Where we are using your consent to process your personal data, you have the right to withdraw that consent at any time. If you wish to withdraw your consent, please contact firstname.lastname@example.org so that your request can be dealt with.
What is Personal Information?
Personal information is often records that can identify and relate to a living person. This can also include information that when put together with other information can then identify a person.
What are Special Categories of Information?
This is personal information that needs more protection due to its sensitivity. This information is likely to include:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic/biometric data
How we limit the use of personal information
Where necessary JGPS processes personal data to deliver our services effectively; but wherever possible, the data that we process will be anonymised, pseudonymised or de-personalised. This means the information can no longer identify a person.
When using personal data for research purposes, the data will be anonymised/pseudonymised to avoid the identification of a person, unless you have agreed that your personal information can be used for the research project.
We do not sell personal data to any other organisation for the purposes of selling products.
Your privacy rights
The law provides you with a number of rights to control the processing of your personal information:
Accessing the information we hold about you
You have the right to ask for all the information we have about you. When we receive a request from you in writing, we must normally give you access to everything we have recorded about you. However, we will not let you see any parts of your record which contain:
- Confidential information about other people; or
- Data an information professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing; or
- Information which, if disclosed to you, we think may adversely affect the prevention or detection of crime.
This applies to paper and electronic records. If you ask us, we will also let others see your record (except if one of the points above applies). If you cannot ask for your records in writing, we will make sure there are other ways you can apply. If you have any queries regarding access to your information please contact SBM@ga.jesssegray.notts.sch.uk or 0115 9748002
Changing information you believe to be inaccurate
You should let us know if you disagree with something written on your file. We may not always be able to change or remove the information; however, we will correct factual inaccuracies and may include your comments in the records. Please use the contact details above to report inaccurate information.
Asking for your information to be deleted (right to be forgotten)
In some circumstances you can request the erasure of the personal information used by the Organisation, for example:
- Where the personal information is no longer needed for the purpose for which it was collected
- Where you have withdrawn your consent to the use of your information (where there is no other legal basis for the processing)
- Where there is no legal basis for the use of your information
- Where erasure is a legal obligation
Where personal information has been shared with others, the Organisation shall make every reasonable effort to ensure those using your personal information comply with your request for erasure.
Please note that the right to erasure does not extend to using your personal information where:
- It is required by law
- It is used for exercising the right of freedom of expression
- It is in the public interest in the area of public health
- It is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where it would seriously affect the achievement of the objectives of the processing
- It is necessary for the establishment, defense or exercise of legal claims.
Restricting what your information is used for
You have the right to ask us to restrict what we use your personal data for where one of the following applies:
- You have identified inaccurate information, and have notified us of this
- Where using your information is unlawful, and you wish us to restrict rather than erase the information
- Where you have objected to us using the information, and the legal reason for us using your information has not yet been provided to you
When information is restricted it cannot be used other than to securely store the data, and with your consent, to handle legal claims, protect others, or where it is for important public interests of the UK.
Where restriction of use has been granted, we will inform you before the use of your personal information is resumed.
You have the right to request that the Organisation stop using your personal information for some services. However, if this request is approved this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request, but we may need to hold or use information in connection with one or more of the Organisation’s legal functions.
Computer based decisions about you and if you are ‘profiled’
You have the right to object to decisions being made about you by automated means (by a computer and not a human being), unless it is required for any contract you have entered into, required by law, or you have consented to it. You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information. If and when the Organisation uses your personal information to profile you, you will be informed.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how your information is being used.
Who will we share your personal information with?
We use a range of companies and partners to either store personal information or to manage it for us. Where we have these arrangements there is always a contract, memorandum of understanding or information sharing protocol in place to ensure that the organisation complies with data protection law. We complete privacy impact assessments before we share personal information to ensure their compliance with the law.
Sometimes we have a legal duty to provide information about people to other organisations, e.g. Child Protection concerns or Court Orders.
We may also share your personal information when we feel there is a good reason that is more important than protecting your confidentiality. This does not happen often, but we may share your information:
- to find and stop crime or fraud; or
- if there are serious risks to the public, our staff or to other professionals; or
- to protect a child.
The law does not allow us to share your information without your permission, unless there is proof that someone is at risk or it is required by law.
This risk must be serious before we can go against your right to confidentiality. When we are worried about physical safety or we feel that we need to take action to protect someone from being harmed in other ways, we will discuss this with you and, if possible, get your permission to tell others about your situation.
We may still share your information if we believe the risk to others is serious enough to do so.
There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why as soon as, or if, we think it is safe to do so.
How do we protect your information?
We will do what we can to make sure we hold personal records (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Our security includes:
- Encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
- Pseudonymisation allows us to hide parts of your personal information from view so only we can see it. This means that someone outside of ECC could work on your information for us without ever knowing it was yours.
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
- Ways for us to access your information should something go wrong and our systems not work, including how we manage your information in the event of an emergency or disaster.
- Regular testing of our technology and processes including keeping up to date on the latest security updates (commonly called patches).
View our policy on information security - see link at bottom of page
If your information leaves the country
Sometimes, for example where we receive a request to transfer Organisation records to a new Organisation, it is necessary to send that information outside of the UK. In such circumstances additional protection will be applied to that data during its transfer, and where the receiving country does not have an adequacy decision from the European Commission, advice will be sought from the Information Commissioner’s Office prior to the data being sent.
How long do we keep your personal information?
For each reason why we use your personal information there is often a legal reason for why we need to keep it for a period of time. We try to capture all of these and detail them in what’s called a ‘retention schedule’. This schedule lists for each service how long your information may be kept for.
View our retention schedule - see link at bottom of page
Where can I get advice?
You can contact Catherine Cox, our Data Protection Officer at email@example.com or by calling 0115 9143211
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Alternatively, visit ico.org.uk or email firstname.lastname@example.org.
Cookies & how you use this website
To make this website easier to use, we sometimes place small text files on your device (for example your iPad or laptop). These are known as ‘cookies’. Most big websites do this too.
They improve things by:
- remembering the things you’ve chosen, so you don’t have to keep re-entering them whenever you visit a new page
- remembering data you’ve given (for example, your address) so you don’t need to keep entering it
- measuring how you use the website so we can make sure it meets your needs.
By using our website, you agree that we can place these types of cookies on your device.
Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these files as you wish.
To learn more about cookies and how to manage them, visit AboutCookies.org or watch a video about cookies.
Other people’s cookies
We use videos from YouTube and feeds from other websites such as Facebook and Twitter. These websites place cookies on your device when watching or viewing these pages.
Below are links to their cookie policies:
Turning off cookies
You can stop cookies being downloaded on to your computer or other device by selecting the appropriate settings on your browser. If you do this, however, you may not be able to use the full functionality of this website.
There is more information about how to delete or stop using cookies on AboutCookies.org. If you wish, you can also opt out of being tracked by Google Analytics.
Further guidance on the use of personal information can be found at ico.org.uk