GDPR - Student Privacy Notice
What is this?
King Edward VI College needs to collect and process personal data to meet certain legal obligations, provide services to students and parents, and to manage its operations.
The purpose of this privacy notice is to explain how we collect and use your personal data.
For the purposes of this notice, King Edward VI College (“we”, “us”, “our”) is the data controller for any personal data we process about you. We are registered as a data controller with the Information Commissioner’s Office and this registration can be found HERE.
The most up to date version of this privacy notice will always be available on the college website.
Are you allowed to collect this information?
Yes. On 25th May 2018 the Data Protection Act 1998 was replaced by the General Data Protection Regulation (GDPR) which set rules for what we can collect. We are allowed to collect this information under Article 6 1c which states;
What do we collect?
We also collect your image on our CCTV system, which we use to ensure your safety and the security of all students, staff and visitors. These images are only stored for 4 weeks and are automatically over-written or deleted. No audio is recorded, and the images are only available to selected staff but may be shared with the Police to assist where a criminal activity has taken place.
Some of this information is very sensitive!
GDPR regulations identify that some information is more sensitive than others, for example; your race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.
GDPR Article 9 paragraph 1 states that:
However, paragraph 2 identifies ten exceptions to this rule, and we are exempt from this rule under section 2j;
We collect your sensitive personal data (racial/ethnicity data and medical information) in accordance with the exemption in paragraph j. The relevant legislation that require us to collect such information is detailed below:
The Education (Information About Individual Pupils) (England) Regulations 2013 section 5 state that:
Within fourteen days of receiving a request from the Secretary of State, the proprietor of a non-maintained special school or an Academy;
(16) shall provide to the Secretary of State such of the information referred to in Schedule 1 and (where the request stipulates) in respect of such categories of pupils, or former pupils, as is so requested.
The Children and Families Act 2014 places a duty of care on appropriate authorities to support students with medical conditions:
100 (1) The appropriate authority for a school to which this section applies must make arrangements for supporting pupils at the school with medical conditions.
Why do we collect this information?
We collect and use student information, for the following purposes;
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing student information are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
A full list of the purposes for which we process personal data and the legal basis for such processing is available via the college website.
How do we collect this information?
Most of the student information that you provide to us will be collected when you apply to the College. We update this information with you and collect any additional information during your interviews, and again when you enrol. The large majority of this information is mandatory, but where consent is needed we will inform you that you have a choice and right to refuse or to withdraw your consent at a later date.
We also collect data (such as your previous achievements or Unique Learner Number) via the Learner Records Service.
We may collect information from the Local Authority or your former school.
We collect results information from awarding bodies via Electronic Data Interchange (EDI) file. Information is also provided to the college by the DfE via the tables checking website for the purpose of checking results against those received from the awarding bodies.
How long do we store this information?
We have a legal obligation to keep information for a set period. This information can be found in our data retention schedule. Most of your information is retained for a period of seven years from the end of the academic year in which you leave the College.
Who do you share this information with?
We only share your information where it is absolutely necessary, or we are under a legal obligation. We would never share your information with any direct marketing companies and we never store your data outside of the EU, which means it is always kept in accordance with the GDPR regulations. We share your information with;
How can I access my personal data?
Under data protection legislation, you have the right to request access to information that we hold. To make a request for your personal information please contact our Data Protection Officer at DPO@kedst.ac.uk.
You also have the right to:
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Last updated 01/10/2018