Privacy Notice

    Sidcot School Privacy Notice:

    Who we are

    This Privacy Notice covers all current staff, students, parents, alumni and visitors to the school and our website

    Sidcot School (“the School”): A company limited by guarantee in England under number 2093340

    Registered Charity Number: 296491, VAT number: 567627892

    Registered Office: Sidcot School, Winscombe, North Somerset, BS25 1PD

    Data Protection Lead: James Russell, IT Development Director, dpl@sidcot.org.uk, 01934 845 241

    Policy Intent

    This notice explains how we use any personal information the School collects about you when you communicate with us, use our services or use this website.

    This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. Staff, parents and students are all encouraged to read this Privacy Notice and understand the School’s obligations to its entire community.

    This Privacy Notice applies in addition to any other information the School may provide about a particular use of personal data, for example when collecting data via an online or paper form.

    This Privacy Notice also applies in addition to the School's other relevant terms and conditions and policies, including:

    • any contract between the School and its staff or the parents of students;
    • the School's policy on taking, storing and using images of children;
    • the School’s CCTV policy contained in the Digital Safety Policy (12.1);
    • the School's safeguarding policy and procedures,
    • the School's IT policies, including its Acceptable Use policy, Digital Safety Policy (12.1) & Digital Security Policy (12.2)
    • the School's Fundraising Policy 3.15

    Anyone who works for, or acts on behalf of, the School (including staff, volunteers, governors and service providers) should also be aware of, and comply with this Privacy Notice and the School's data protection policy for staff, which also provides further information about how personal data about those individuals will be used.

    Why the School needs to process personal data

    The School needs to process personal data about its current, prospective and former students and their parents or guardians, its current, prospective and former staff, its suppliers and contractors, and other individuals connected to the School, as part of its everyday operations. The School will process such personal data in accordance with the Data Protection Act 1998 (“the DPA”) and the General Data Protection Regulations (“GDPR”). The School is committed to compliance with the DPA and GDPR and takes seriously the responsibility of handling personal information. The School will need to carry out the great majority of its data processing activity as part of its legitimate business interests, specifically to fulfil its legal rights, duties or obligations as an educational institution, and as part of the contract that we have with parents, but where this is not the case, we will tell you and ask for your specific consent.

    Personal data processed by the School

    Personal data processed by the School can take different forms – it may be factual information (such as names, ages and home addresses), expressions of opinion about an individual, images of or including individuals or other recorded information which identifies or relates to a living individual, including images of students (and occasionally other individuals) engaging in School activities, and images captured by the School's CCTV system (in accordance with the School's policy on taking, storing and using images of children).

    Personal data processed by the School includes an individual's contact details and for staff and contractors additional information required for their employment or appointment including car and bank details, images, audio and video recordings and biometric data; (for students) admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks, images, audio and video recordings and biometric data; (for parents and/ or guardians) employment details, family circumstances, and financial information.

    Sensitive personal data about an individual processed by the School includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.  Information concerning criminal convictions is also subject to some additional safeguards.

    Purposes for which personal data may be processed

    Personal data, including sensitive personal data where appropriate, is processed by the School for the following purposes, all of which are necessary by reason of its “legitimate interests”:

    • The provision of education, physical and extra-curricular activities; hiring of facilities and associated services, the registration of prospective students and administration of the admissions process; administration of the School curriculum and timetable; administration of students’ entries to public examinations, reporting upon and publishing the results; providing references for students (including after a student has left); and preparation of information for inspections by the Independent Schools' Inspectorate.
    • The provision of educational support and ancillary services including the provision of pastoral care, welfare (including safeguarding), healthcare services and maintenance of discipline; provision of careers and library services; administration of sports fixtures and teams and School trips; boarding house administration.
    • The general administration of the School including the compilation of student records; the administration of invoices, fees and accounts; the management of the School’s property; the management of security and safety arrangements (including the use of CCTV); the administration and implementation of the School’s rules and policies for students and staff; and other reasonable purposes relating to the School’s operations.
    • The protection and promotion of the School’s legitimate interests and objectives including the publication of its own website, its internal communication system and virtual learning environment, the prospectus, newsletters and other publications; fund-raising for the School’s charitable purposes; the maintenance of a historic archive; and communicating with the body of future, current and former students and/or their parents or guardians.
    • The administration of its staff, agents and suppliers including the recruitment of staff/ engagement of contractors (including compliance with DBS procedures); administration of payroll, pensions and sick leave; review and appraisal of staff performance; conduct of any grievance, capability or disciplinary procedures; implementation of the School’s Digital and Acceptable Use Policies relating to the School’s IT Systems and the maintenance of appropriate human resources records for current and former staff, including providing references.
    • The administration of donations.
    • The fulfilment of the School’s contractual and other legal obligations.

    How do we collect data?

    Generally, the School receives personal data from the individual directly (including, in the case of students, from their parents). This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments).

    However in some cases personal data may be supplied by third parties (for example another School, or other professionals or authorities working with that individual); or collected from publicly available resources.

    To see a list of areas where we collect data and our legal basis for processing please click here (Appendix A). We will always do our best to ensure all current databases are included but occasionally some may not appear immediately.

    Where is my data stored?

    Please click here (Appendix B) to see a list of places where we store your data

    Third parties with whom the School may need to share personal data

    The School will only process personal data for the purposes for which it was acquired and will not process it for any other reason without an individual’s consent, unless permitted to do so by the DPA or GDPR.

    From time to time the School may pass personal data (including sensitive personal data where appropriate) to third parties, including local authorities, other public bodies (eg the DBS, NCTL, UK Border Agency, HM Revenue and Customs, Department for Education and Department for Work and Pensions), independent school bodies such as the Independent Schools' Inspectorate and the Independent Schools Council, school doctors and other health professionals, contractors appointed to process data on behalf of the School, transport companies and the School’s professional advisers. The School will usually do this because it is required to by law or in pursuance of its legitimate interests, but if your specific consent is required, we will tell you and ask for it.

    Please note that once our students reach the age of 13, the law requires us to pass on certain information about them to our local authority, North Somerset Council, who have responsibilities in relation to the education or training of 13-19 year olds. We provide them with these students’ names and addresses, dates of birth, name(s)/address(es) of their parent(s)/guardian(s) and any other information relevant to their role. We may also share certain personal data relating to children aged 16 and over with post-16 education and training providers in order to secure appropriate services for them.

    A parent/guardian can ask that no information apart from their child’s name, address and date of birth be passed to North Somerset Council by informing the Data Protection Lead. This right is transferred to the child once he/she reaches the age 16. For more information about services for young people, please go to our local authority website https://www.n-somerset.gov.uk/Pages/default.aspx

    If you need more information about how our local authority and/or DfE collect and use your information, please visit:

    Consent

    Where the School is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to relevant age considerations). Please be aware however that the School may have another lawful reason to process the personal data in question even without your consent, in which case we will tell you.

    Rights of access to personal data

    Individuals have a general right to be given access to personal data held about them by the School. The rights of access to personal data under data protection law belong to the individual to whom the data relates. However, the School will often rely on parental consent to process personal data relating to students (if consent is required) unless, given the nature of the processing in question, and the student's age and understanding, it is more appropriate to rely on the student's consent. This will be particularly relevant to consultations at the Health Centre and medical treatment given.

    Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.

    In general, the School will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student's activities, progress and behaviour, and in the interests of the student's welfare, unless, in the School's opinion, there is a good reason to do otherwise.

    Public examination results are however the property of the student, and the School may only disclose those results to the student concerned.

    Nevertheless, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the School may be under an obligation to maintain confidentiality unless, in the School's opinion, there is a good reason to do otherwise; for example where the School believes disclosure will be in the best interests of the student or other students, or if required by law. The School may be required to follow its child protection and safeguarding procedures and make referrals without notifying parents in appropriate cases. Students are required to respect the personal data and privacy of others, and to comply with the School's Digital Safety Policy (12.1) and Digital Security Policy (12.2) and the School rules. Staff have similar obligations under the same policies.

    Subject to the foregoing, individuals have a right to request that data is amended or in certain circumstances erased, together with various rights under data protection laws to access and understand personal data about them held by the School, and to request that the School stop processing data, in all cases subject to certain exemptions and limitations.

    If individuals wish to access their personal data held by the School or, in the case of parents, if they wish to access personal data held about their child or a student for whom they have parental responsibility, then a request should be submitted to the Data Protection Lead in writing, contact details:

    • James Russell, Data Protection Lead. 01934 845241, dpl@sidcot.org.uk Address: FAO: Data Protection Lead, Sidcot School, Oakridge Lane, Winscombe, North Somerset, BS25 1PD

    The School will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The School will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the School may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.

    You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. The School is also not required to disclose any student examination scripts (although examiners' comments may fall to be disclosed), nor any confidential reference given by the School for the purposes of the education, training or employment of any individual.

    Keeping in touch and supporting the School

    The School and/or any relevant other organisation will use the contact details of parents, alumni and other members of the School community to keep them updated about the activities of the School, or alumni and parent events of interest, including by sending updates and newsletters, by email and by post.

    You may opt out of receiving such communications at any time. (communications@sidcot.org.uk)

    Security

    The School has taken appropriate technical and organisational steps to ensure the security of personal data about individuals, its access only by authorised personnel for the purposes for which it is held, and it has policies around use of technology and devices, and access to School systems. All staff and governors are aware of these policies and their and the School’s duties under Data Protection Law and receive relevant training.

    All personal data is either hosted on site in School or within the EEA – European Economic Area. We will not transfer your data outside the EEA unless you either request us to do so and give consent or we have to enable a student’s transfer to another educational establishment. The School has agreements with all external hosts to ensure that personal data is kept secure and not passed to any third party.

    Data accuracy

    The School will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the SIMS Administration Team (sims@sidcot.org.uk) of any significant changes to important information, such as contact details, held about them.

    An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law) and should contact the Data Protection Lead.

    Queries and Complaints

    Any comments or queries on this policy should be directed to the Data Protection Lead using the contact details above

    If an individual believes that the School has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the School’s complaints procedure and should also notify the Data Protection Lead. The School can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that initial steps are taken to resolve the matter with the School.