How we use pupil information
Under UK data protection law, individuals have a right to be informed about how our Trust uses any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ to individuals where we are processing their personal data.
This privacy notice explains how we collect, store and use personal data about pupils at our Trust.
This privacy notice applies while we believe your child is not capable of understanding and exercising their own data protection rights (generally considered to be under age 12).
Our trust, Cygnus Academies Trust, is the ‘data controller’ for the purposes of the Data Protection Act 2018. We collect personal information from our pupils and may receive information about our pupils from their previous school.
Our data protection officer is Mrs Kellie McLaughlin.
The categories of pupil information that we collect, hold and share include:
• Personal information (such as name, unique pupil number and address)
• Parental/carer, sibling and extended family details
• Children who are adopted from care, looked after children, under special guardianship
• Characteristics (such as ethnicity, language, nationality, free school meal eligibility and Pupil Premium)
• Attendance information (such as sessions attended, number of absences and absence reasons)
• Safeguarding information
• Assessment information
• Relevant medical information
• Special educational needs information
• Exclusions and behavioural information
• School trips and excursions
• Pupil and curricular records
• Photographs of your child
• Carefully chosen and vetted educational apps
We may also hold data about pupils that we have received from other organisations including local authorities and the Department for Education.
We use pupil's data to:
- support pupil learning
- monitor and report on pupil progress
- provide appropriate pastoral care
- assess the quality of our services
- comply with the law regarding data sharing
- to keep pupils safe
- administer admissions waiting lists
Use of your child’s personal data in automated decision making and profiling
We do not currently process any personal data through automated decision making or profiling. If this changes in the future, we will amend any relevant privacy notices in order to explain the processing to you, including your right to object to it.
The lawful basis on which we use this information
Our lawful basis for collecting and processing pupils’ information is defined under Article 6 of the GDPR. We collect and use the vast majority of our pupils’ information under the lawful basis of ‘Public Task’ i.e. the processing is necessary for us to perform a task in the public interest or for our official functions. There are a small number of occasions when we would use the lawful basis of ‘Consent’ i.e. the individual has given clear consent for us to process their personal data for a specific purpose; this will only apply where, for example, we have sought consent to use a photo/name of a child in an external publication. Our lawful basis for collecting and processing pupils’ sensitive data is further defined under Article 9 of the GDPR where the following may apply:
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, shall be prohibited
2. Paragraph 1 shall not apply if one of the following applies:
a) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The Education (Information about Individual Pupils) (England) Regulations 2013 - Regulation 5 'Provision of information by non-maintained special schools and Academies to the Secretary of State' states 'Within fourteen days of receiving a request from the Secretary of State, the proprietor of a non-maintained special school or an Academy shall provide to the Secretary of State such of the information referred to in Schedule 1 and (where the request stipulates) in respect of such categories of pupils, or former pupils, as is so requested.' The Education Act 1996 – Section 537A – states that we provide individual pupil information to the relevant body such as the Department for Education. Children's Act 1989 – Section 83 – places a duty on the Secretary of State or others to conduct research.
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
We collect your personal information via the following methods:
• Registration forms
• Common Transfer File (CTF) from your previous school
• Child protection plans
Storing pupil data
We hold pupil data securely in electronic and paper form while the child remains at our Trust. Their file follows them to any subsequent school. The file is then securely disposed of as per retention guidelines. For further information please refer to the Trust’s Records Management Policy.
Who do we share pupil information with?
We routinely share pupil information with:
• schools that the pupils attend after leaving us
• our local authorities, Kent County Council and Bexley Borough Council
• the Department for Education (DfE)
• other agencies that we work with including:
- our auditors
- health authorities
- security organisations
- health and social welfare organisations
- police forces, courts, tribunals
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collectionand-censuses-for-schools
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the NPD, go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supportinginformation.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
• conducting research or analysis
• producing statistics
• providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether the DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
• who is requesting the data
• the purpose for which it is required
• the level and sensitivity of data requested: and
• the arrangements in place to store and handle the data
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data. For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:
How to find out what personal information the DfE holds about you
Under the Data Protection Act 2018, you are entitled to ask the DfE what personal information it holds about you. You have the right to ask the DfE:
• If it processes your personal data
• For a description of the data, it holds about you
• The reasons it is holding your data and any recipient it may be disclosed to
• For a copy of your personal data and any details of its source
To exercise these rights, you should make a subject access request. Information on how to do this can be found by following this link: https://www.gov.uk/government/organisations/department-foreducation/about/personal-information-charter
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact our Data Protection Officer, Mrs K McLaughlin (firstname.lastname@example.org)
You also have the right to:
• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer:
Mrs K McLaughlin: email@example.com