Privacy Notice / GDPR

Why does the Trust collect and use parent information? 

We are required by law to provide education. The main pieces of legislation that govern this are: 

• The Education Act (various years) 

• The Education (Pupil Registration) (England) Regulations 

• The School Standards and Framework Act 1998 

• The School Admissions Regulations 2012 

• Children and Families Act 2014 

• The Special Educational Needs and Disability Regulations 2014 

While providing education, we are tasked with the welfare of the children within our care. Part of this is ensuring that we have appropriate contact information for the adults with responsibility for those children. 

What do we need this data for?  

We use parent information to let you know if there is anything that you need to be aware of in relation to your child’s education. 

We also use your information to contact you about parent evenings or other events held by the school where your child’s education may be discussed with you. 

Your contact details are also kept on record in case we need to speak to you in an emergency situation. 

What type of data do we collect and use?  

Generally, we will collect personal data such as your name, address, telephone numbers and whether you have parental responsibility. 

We may also ask whether you are in receipt of certain benefits so that you can apply for pupil premium funding for your child or for free school meals. 

How do we ensure that we are using this information legally?  

We collect and use parents’ information under the UK General Data Protection Regulations (GDPR) article 6 under the following legal bases; 

• We have a legal obligation to do so. 

• The information is necessary in the performance of our public task. 

• The processing is necessary to protect the vital interest of the child. 

• For some categories, we will ask for your consent. 

• For some categories, outside of our core obligations of providing education, we process data on the basis that we have a legitimate interest to do so. 

Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you when we require your consent for the information for which we are asking. 

How long do we keep your data for? 

Generally speaking, we will retain parental information for the length of time that your child is enrolled at our school unless we are required by law to retain it for longer. 

Who do we share your information with? 

Parent information is rarely shared but, in certain circumstances, we may share your data with; 

• Insurers, in relation to insurance claims. 

• HSE or external organisations where accident reporting or investigation is required. 

• Other third parties in event of a safeguarding incident. 

• The police. 

• Any governmental or judicial body (or similar) with whom, by law, we are required to share data with. 

Why do we share your information? 

We only share your information without your consent where the law or our policies allow us to do so. 

Your rights under GDPR 

Under data protection legislation, parents have the right to request access to information about them that we hold.  

To make a request for your personal information contact: enquiries@thlt.academy  

• You also have the right: 

• to have your personal data rectified, if it is inaccurate or incomplete. 

• to request the deletion or removal of personal data where there is no compelling reason for its continued processing. 

• to restrict our processing of your personal data (i.e. permitting its storage but no further processing). 

• to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics. 

• not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you. 

How to complain 

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by making reference to the Trust’s Complaints Policy and by contacting: enquiries@thlt.academy 

You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/ 

Contact us 

If you would like to discuss anything in this privacy notice, please contact: enquiries@thlt.academy  

 

Why does the Trust collect and use pupil information?  

The Trust is required by law to provide education. The primary pieces of legislation that govern this are: 

• The Education Act (various years) 

• The Education (Pupil Registration) (England) Regulations 

• The School Standards and Framework Act 1998 

• The School Admissions Regulations 2012 

• Children and Families Act 2014 

• The Special Educational Needs and Disability Regulations 2014 

What do we need this data for? 

We use the pupil data: 

• To support pupil learning 

• To monitor and report on pupil progress 

• To provide appropriate pastoral care 

• To assess the quality of our services 

• To comply with the law regarding data sharing 

• To share data for statutory inspections and audit purposes 

• To keep children safe (food allergies, or emergency contact details) 

• To meet the statutory duties placed upon us for the Department for Education (DfE) data collections 

What type of data do we collect and use? 

The categories of pupil information that we collect, hold and share include: 

• Personal identifiers and contacts (such as name, unique pupil number, contact details and address) 

• Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility) 

• Safeguarding information (such as court orders and professional involvement) 

• Special educational needs (including the needs and ranking) 

• Medical and administration (such as doctors’ information, child health, dental health, allergies, medication and dietary requirements) 

• Attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended) 

• Assessment and attainment (such as key stage 1 and phonics results) 

• Behavioural information (such as exclusions and any relevant alternative provision put in place) 

• Personal information about a pupil’s parents and/or other relatives (such as name, contact details, relationship to child) 

How do we collect data and ensure that we are using this information legally? 

We collect and use general pupil information in line with the UK General Data Protection Regulations (GDP)R under the following legal bases; 

• We have a legal obligation to do so 

• The information is necessary in the performance of our public task 

• The processing is necessary to protect the vital interest of the child 

• For some categories, we will ask for parental consent 

• For some categories, outside of our core obligations of providing education, we process data on the basis that we have a legitimate interest to do so 

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the UK General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. 

We collect this information via ATF and CTF file transfers, via secure file transfer from previous schools, and directly from registration forms provided by parents/carers. 

How long do we keep data for? 

We hold pupil data for varying lengths of time depending on what the information is. This length of time is specified in the Trust’s Data Protection policy and all data is transferred or securely destroyed in line with this policy. 

Who do we share pupil information with? 

 

We routinely share pupil information with: 

• schools that pupils attend after leaving us 

• our local authority partners 

• the Department for Education (DfE) 

• Other schools and departments within the Trust 

• School Nurses 

• Speech & Language Therapists 

• Agencies & 3rd parties we commission to deliver services on our behalf such as  school meals providers 

• School Photographers 

• Educational software providers 

Why do we share pupil information? 

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. 

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. 

We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013. 

Where data is processed on our behalf by another provider (a data processor), we comply with the UK GDPR by ensuring that they have sufficient measures in place to provide appropriate protection for your data. 

Data collection requirements: 

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) you can visit https://www.gov.uk/education/data-collection-and-censuses-for-schools. 

The National Pupil Database (NPD) 

Much of the data about pupils in England goes on to be held in the National Pupil Database (NPD). 

The NPD is owned and managed by the Department for Education (DfE) and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department for Education (DfE). 

It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies. To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information 

Sharing by the Department for Education (DfE) 

The law allows the Department for Education (DfE) to share pupils’ personal data with certain third parties, including: 

• schools and local authorities 

• researchers 

• organisations connected with promoting the education or wellbeing of children in England 

• other government departments and agencies 

• organisations fighting or identifying crime 

For more information about the Department for Education’s (DfE) NPD data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data 

Organisations fighting or identifying crime may use their legal powers to contact the Department for Education (DfE) to request access to individual level information relevant to detecting that crime. 

For information about which organisations the Department for Education (DfE) has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with 

Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares 

How to find out what personal information the Department for Education (DfE) holds about you 

Under the terms of the Data Protection Act 2018, you are entitled to ask the Department for Education (DfE): 

• if they are processing your personal data 

• for a description of the data they hold about you 

• the reasons they’re holding it and any recipient it may be disclosed to 

• for a copy of your personal data and any details of its source 

If you want to see the personal data held about you by the Department for Education (DfE), you should make a ‘subject access request’. Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below: https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter To contact the Department for Education (DfE): https://www.gov.uk/contact-dfe 

Your rights under GDPR 

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information contact Peter Spruce, THLT Chief Operating Officer, via fd@thlt.academy.

You also have the right: 

to have your personal data rectified, if it is inaccurate or incomplete 

to request the deletion or removal of personal data where there is no compelling reason for its continued processing 

to restrict our processing of your personal data (i.e. permitting its storage but no further processing) 

to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics 

not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you 

How to complain 

If you have a concern about the way we are collecting or using personal data, you should raise your concern with us in the first instance by making reference to the Trust’s Complaints Policy and by contacting: enquiries@thlt.academy 

You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/ 

Contact us 

If you would like to discuss anything in this privacy notice, please contact: enquiries@thlt.academy  

 

Why does the Trust collect and use staff information?  

As an employer, we are required to collect and process certain information relating to the people that work for us. 

Some of this is collected in line with our obligations under employment law, some is collected in order to comply with safeguarding legislation and some is provided to allow us to ensure that your salary and any relevant pension matters are effectively processed. 

What do we need this data for?  

We use school workforce data to: 

• enable the development of a comprehensive picture of the workforce and how it is deployed. 

• inform the development of recruitment and retention policies. 

• enable individuals to be paid. 

• administer wellbeing benefits to our employees. 

• Fulfil our obligations with regard to safeguarding of the children in our care. 

• Fulfil our obligations with regard to the wellbeing and welfare of our employees including the need for contacts in case of emergency. 

What type of data do we collect and use?  

The categories of school workforce information that we collect, process, hold and share include:  

• personal information (such as name, employee or teacher number, national insurance number) 

• special categories of data including characteristics information such as gender, age, ethnic group 

• contract information (such as start dates, hours worked, post, roles and salary information) 

• work absence information (such as number of absences and reasons) 

• qualifications (and, where relevant, subjects taught) 

• DBS data 

• Performance management data 

• Interview details for all applicants, whether successful or not 

How do we ensure that we are using this information legally?  

We process this information under the UK General Data Protection Regulations (GDPR) on the grounds that ‘processing is necessary for the performance of a contract to which the data subject is party’ 

We collect personal information from forms provided by staff at the start of their employment and from other relevant agencies (such as DBS providers). 

Workforce data is essential for the school’s/Trust’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with UK GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this. 

How long do we keep your data for?  

We keep records in line with the provisions set out in our Data Protection policy and the legal requirements of employment law and the Limitation Act. 

Who do we share your information with?  

We routinely share this information with: 

• our local authority 

• the Department for Education (DfE) 

• our payroll and HR provider 

• pension providers 

• The Office for National Statistics (although this data is generally anonymised) 

• Our employee benefits platform and employee assistance program operators 

• Our agreed tuition provider (with regard to apprentices) 

Why do we share your information?  

We do not share information about workforce members with anyone without consent unless the law and our policies allow us to do so. 

Local authority  

We are required to share information about our workforce members with our local authority (LA) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments. 

Department for Education (DfE) 

We share personal data with the Department for Education (DfE) on a statutory basis. This data sharing underpins workforce policy monitoring, evaluation, and links to school funding / expenditure and the assessment educational attainment. 

Our Payroll and HR Provider 

We share information with our payroll and HR provider in order to administer contracts between ourselves and our employees and to enable our employees to be correctly remunerated. 

Pension Providers 

We share information with support staff pension service and teachers’ pension service providers in order for them to administer the pension schemes set up for our employees. 

Employee Benefits and EAP 

We share data with scheme operators to allow them to administer a benefits platform and an employee assistance program for our employees. Data that is required to administer this is shared and is limited to employee name and email address. Any further information that is provided to the companies directly by our employees becomes the responsibility of the company as they then become the data controller. 

Our Agreed Tuition Provider 

We share data with our agreed tuition provider on any apprentices that are employed through their apprenticeship scheme in order to provide the information required under the terms of the apprenticeship. 

Data collection requirements  

The DfE collects and processes personal data relating to those employed by schools (including Multi Academy Trusts) and local authorities that work in state funded schools (including all maintained schools, all academies and free schools and all special schools including Pupil Referral Units and Alternative Provision). All state funded schools are required to make a census submission because it is a statutory return under sections 113 and 114 of the Education Act 2005 

To find out more about the data collection requirements placed on us by the Department for Education including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools. 

The department may share information about Trust/school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by: 

• conducting research or analysis 

• producing statistics 

• providing information, advice or guidance 

The department has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether DfE releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of: 

• who is requesting the data 

• the purpose for which it is required 

• the level and sensitivity of data requested; and 

• the arrangements in place to securely store and handle the data 

To be granted access to school workforce information, organisations must comply with its strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data. 

For more information about the department’s data sharing process, please visit: 

https://www.gov.uk/data-protection-how-we-collect-and-share-research-data   

To contact the department: https://www.gov.uk/contact-dfe  

Your rights under GDPR 

Under data protection legislation, staff have the right to request access to information about them that we hold. To make a request for your personal information contact Peter Spruce, THLT Chief Operating Officer, via fd@thlt.academy

You also have the right to: 

• to have your personal data rectified, if it is inaccurate or incomplete 

• to request the deletion or removal of personal data where there is no compelling reason for its continued processing 

• to restrict our processing of your personal data (i.e. permitting its storage but no further processing) 

• to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics 

• not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you 

How to complain 

If you have a concern about the way we are collecting or using personal data, you should raise your concern with us in the first instance by making reference to the Trust’s Complaints Policy and by contacting: enquiries@thlt.academy 

You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/ 

Contact us 

If you would like to discuss anything in this privacy notice, please contact: enquiries@thlt.academy  

 

Why, and how, does the Trust collect and use Trustee and Governance information?  

Trustees and Governors play an essential role in our organisation and the personal data collected is required to allow the schools in the Trust to fulfil their official functions and meet legal requirements. 

We collect and use governance information in order to meet the statutory duties placed upon us. 

We collect this information directly from you, however, on occasion, information may be provided to us by third parties, such as the Disclosure and Barring Service, referees or complainants. 

Whilst the majority of personal information you provide to us is mandatory, some of it may be requested on a voluntary basis. In order to comply with UK-GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this. 

What do we need this data for?  

We use this data; 

• To support the governance function across our Trust 

• To comply with the law regarding governance and management of our Trust 

What type of data do we collect and use?  

The categories of data that we collect on Trustees and Governors include; 

• Personal information such as name, address and contact details 

• Characteristics such as ethnicity, language, country of birth 

• Attendance information including sessions attended 

• Governance details (such as role, start and end dates and governor ID) 

How do we ensure that we are using this information legally?  

All local authority maintained school governing bodies, under section 538 of the Education Act 1996 and academy trusts, under the Academy Trust Handbook have a legal duty to provide the governance information as detailed above. Therefore, the legal basis for processing information on Trustees and Governors, from Article 6,  is legal obligation. 

In addition, concerning any special category data, this would processed under either the substantial public interest basis where there is a matching condition under part 2 of schedule 1 of the DPA 2018, or where we have obtained explicit consent. 

How long do we keep your data for?  

We hold data on Trustees and Governors for varying periods from 3 years to indefinitely. Full details are shown in the Trust’s Data Protection Policy. 

Who do we share your information with?  

We routinely share student information with; 

• Government services such as Edubase and Get Information About Schools (GIAS) 

• Our local authority partners (where applicable) 

• The Department for Education (DfE) 

• Companies House 

• The Charity Commission 

We are also required, under the terms of The Academy Trust Handbook, to publish certain details on school websites. These include names, term of office, attendance at meetings and pecuniary interests. 

Why do we share your information?  

We do not share information about our Trustees or Governors with anyone without consent unless the law and our policies allow us to do so. 

We are required to share information about individuals in governance roles with the Department for Education (DfE) under the requirements set out in the Academy Trust Handbook. This extends to the publication of certain details relating to Trustees and Governors on our Trust and School websites. 

All data is entered manually on the GIAS service and held by the Department for Education (DfE) under a combination of software and hardware controls which meet the current government security policy framework. 

The governance data that we lawfully share with the Department for Education (DfE) via GIAS will: 

• increase the transparency of governance arrangements 

• enable local authority maintained schools, academies, academy trusts and the Department for Education (DfE) to identify more quickly and accurately individuals who are involved in governance and who govern in more than one context 

• allow the Department for Education (DfE) to be able to uniquely identify an individual and in a small number of cases conduct checks to confirm their suitability for this important and influential role 

Some of these personal data items are not publicly available and are encrypted within the GIAS system. Access is restricted to authorised Department for Education (DfE) and education establishment users with a Department for Education (DfE) ‘Sign-in’ account who need to see it in order to fulfil their official duties. The information is for internal purposes only and not shared beyond the Department for Education (DfE) unless the law allows it. 

If you want to see the personal data held about you by the Department for Education (DfE), you should make a subject access request (SAR). Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below: https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter To contact DfE: https://www.gov.uk/contact-dfe 

Your rights under GDPR 

Under data protection legislation, Trustees and Governors have the right to request access to information about them that we hold. To make a request for your personal information contact: enquiries@thlt.academy  

You also have the right: 

• to have your personal data rectified, if it is inaccurate or incomplete 

• to request the deletion or removal of personal data where there is no compelling reason for its continued processing 

• to restrict our processing of your personal data (i.e. permitting its storage but no further processing) 

• to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics 

• not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you 

How to complain 

If you have a concern about the way we are collecting or using personal data, you should raise your concern with us in the first instance by making reference to the Trust’s Complaints Policy and by contacting: enquiries@thlt.academy 

You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/ 

Contact us 

If you would like to discuss anything in this privacy notice, please contact: enquiries@thlt.academy  

 

Why does the Trust collect and use visitor information?  

We collect and use information on visitors to ensure that we run safe and effective schools and to fulfil our legal duty to safeguard the children in our care and the staff in our employ. 

What do we need this data for?  

We collect and use visitor data; 

• To safeguard pupils 

• To meet the requirements of Health and Safety Legislation 

• To meet the requirements of Fire Safety Legislation 

• To ensure that we keep a safe and secure site 

• To ensure that events and meetings are appropriately organised 

What type of data do we collect and use?  

We collect and use; 

• Personal information, such as name and photograph 

• CCTV images 

How do we ensure that we are using this information legally?  

We have a legal obligation under safeguarding legislation, to ensure that our site is safe and secure. We also have a legal obligation under fire safety law, to ensure that we can account for the people in our buildings. This includes visitors. 

Under article 6 of the UK General Data Protection Regulations (GDPR), Legal Obligation is a valid reason for collecting and processing personal data. 

How long do we keep your data for?  

We keep visitor data for 6 years plus the current year, in line with the Trust’s Data Protection policy. 
Visitor data may be stored on: 

• Electronic visitor management systems such as Inventry 

• Signing in books 

• Fire registers 

• CCTV systems 

• Visitor badges 

• Office 365 or Google Cloud based systems 

• Room booking software or systems 

Who do we share your information with?  

Visitor information is rarely shared but, in certain circumstances, we may share your data with; 

• The police 

• Insurers, in relation to insurance claims 

• HSE or external organisations where accident reporting or investigation is required 

• Other third parties in event of a safeguarding incident 

Why do we share your information?  

We only share your information without your consent where the law or our policies allow us to do so. 

Your rights under GDPR 

Under data protection legislation, visitors have the right to request access to information about them that we hold. To make a request for your personal information contact enquiries@thlt.academy  

You also have the right: 

• to have your personal data rectified, if it is inaccurate or incomplete 

• to request the deletion or removal of personal data where there is no compelling reason for its continued processing 

• to restrict our processing of your personal data (i.e. permitting its storage but no further processing) 

• to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics 

• not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you 

How to complain 

If you have a concern about the way we are collecting or using personal data, you should raise your concern with us in the first instance by making reference to the Trust’s Complaints Policy and by contacting: enquiries@thlt.academy 

You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/ 

Contact us 

If you would like to discuss anything in this privacy notice, please contact: enquiries@thlt.academy