PRIVACY NOTICE for pupils attending St Thomas More High School
St Thomas More High Schools privacy notice explains how and why we collect pupils’ data, what we do with it and what rights parents and pupils have.
Privacy Notice (How we use pupil information)
St Thomas More High School is part of the Assisi Catholic Trust.
Assisi Catholic Trust registered offices are:
C/O St Thomas More High School, Kenilworth Gardens, Westcliff-on-Sea, Essex, SS0 0BW.
This privacy notice explains how we collect, store and use personal data about pupils.
St Thomas More High School are the ‘data controller’ for the purposes of data protection law.
Our data protection officer is Mr G Mason.
Why do we collect and use pupil information?
We collect and use pupil information under the following lawful bases:
- where we have the consent of the data subject (Article 6 (a));
- where it is necessary for compliance with a legal obligation (Article 6 (c));
- where processing is necessary to protect the vital interests of the data subject or another person (Article 6(d));
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (e)).
Where the personal data we collect about pupils is sensitive personal data, we will only process it where:
- we have explicit consent;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; and / or
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Please see our Data Protection Policy for a definition of sensitive personal data.
We use the pupil data to support our statutory functions of running a school, in particular:
- to decide who to admit to the school;
- to maintain a waiting list;
- to support pupil learning;
- to monitor and report on pupil progress;
- to provide appropriate pastoral care;
- to assess the quality of our services;
- to comply with the law regarding data sharing;
- for the protection and welfare of pupils and others in the school;
- for the safe and orderly running of the school;
- to promote the school;
- to communicate with parents / carers.
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number and address);
- Characteristics (such as ethnicity, language, medical conditions, nationality, country of birth and free school meal eligibility);
- Attendance information (such as sessions attended, number of absences and absence reasons)
From time to time and in certain circumstances, we might also process personal data about pupils, some of which might be sensitive personal data, including information about criminal proceedings / convictions, child protection / safeguarding. This information is not routinely collected about pupils and is only likely to be processed by the school in specific circumstances relating to particular pupils, for example, if a child protection issue arises or if a pupil is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
We collect information about pupils when they join the school and update it during their time on roll as and when new information is acquired.
As the school has a cashless catering system, we also process biometric data about pupils.
Collecting pupil information
Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Where appropriate, we will ask parents / pupils for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of pupils on our website or on social media to promote school activities [or if we want to ask your permission to use your information for marketing purposes]. Parents / pupils may withdraw consent at any time.
When pupils are deemed old enough to make their own decisions in relation to their personal data, we will also ask the pupil for their consent in these circumstances. This will usually be around the age of 13. Although parental consent is unlikely to be needed, we wish to take a collaborative approach so we will keep parents informed when we are approaching pupils for consent up to the age of 18. Pupils with the maturity to make their own decisions about their personal data may withdraw consent if consent has previously been given.
In addition, the School also uses CCTV cameras around the school site for security purposes and for the protection of staff and pupils. CCTV footage may be referred to during the course of disciplinary procedures (for staff or pupils) or investigate other issues. CCTV footage involving pupils will only be processed to the extent that it is lawful to do so. Please see our CCTV policy for more details.
Storing pupil data
We hold pupil data for 10 years.
A significant amount of personal data is stored electronically, for example, in our School Information Management System (SIMS). Some information may also be stored in hard copy format.
Data stored electronically may be saved on a cloud-based system, which may be hosted in a different country within the EU.
Personal data may be transferred to other countries if we are arranging a school trip to a different country. Appropriate steps will be taken to keep the data secure.
Who do we share pupil information with?
We routinely share pupil information with:
- schools that pupils attend after leaving us;
- our local authority Southend Borough Council
- a pupil’s home local authority (if different);
- the Department for Education (DfE);
- school governors / trustees;
- Assisi Catholic Trust;
- approved third party software and support providers;
- exam boards.
From time to time, we may also share pupil information other third parties including the following:
- the Police and law enforcement agencies;
- NHS health professionals including the school nurse, educational psychologists,
- Education Welfare Officers;
- Courts, if ordered to do so;
- the National College for Teaching and Learning;
- the Joint Council for Qualifications;
- Prevent teams in accordance with the Prevent Duty on schools;
- other schools, for example, if we are negotiating a managed move and we have your consent to share information in these circumstances;
- our HR providers, for example, if we are seeking HR advice and a pupil is involved in an issue
- our legal advisors;
- our insurance providers / the Risk Protection Arrangement.
Some of the above organisations may also be Data Controllers in their own right in which case we will be jointly controllers of your personal data and may be jointly liable in the event of any data breaches.
In the event that we share personal data about pupils with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.
Aged 14+ qualifications
For pupils enrolling for post 14 qualifications, the Learning Records Service will give us a pupil’s unique learner number (ULN) and may also give us details about the pupil’s learning or qualifications
Why we share pupil information
We do not share information about our pupils with anyone without consent unless the law allows us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Youth support services
What is different about pupils aged 13+?
Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- youth support services
- careers advisers
A parent / guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child / pupil once he/she reaches the age 16.
Our pupils aged 16+
We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- post-16 education and training providers;
- youth support services;
- Careers advisers.
For more information about services for young people, please visit our local authority website.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.
To find out more about the pupil information we share with the department, for the purpose of data collections, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information.
The department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data;
- the purpose for which it is required;
- the level and sensitivity of data requested;
- the arrangements in place to store and handle the data.
To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit:
For information about which organisations the department has provided pupil information, (and for which project), please visit the following website:
To contact DfE: https://www.gov.uk/contact-dfe
Requesting access to your personal data
Under data protection legislation, pupils, and in some circumstances, parents, have the right to request access to information about them that we hold (“Subject Access Request”). From the age of 13, we generally regard pupils as having the capacity to exercise their own rights in relation to their personal data. This means that where we consider a pupil to have sufficient maturity to understand their own rights, we will require a Subject Access Request to be made by the pupil and not their parent(s) on their behalf. This does not affect any separate statutory right parents might have to access information about their child.
Subject to the section below, the legal timescales for the School to respond to a Subject Access Request is one calendar month. As the School has limited staff resources outside of term time, we encourage parents / pupils to submit Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible.
Parents of pupils who attend academies have a separate statutory right to receive an annual written report setting out their child’s attainment for the main subject areas that are taught. This is an independent legal right of parents rather than a pupil’s own legal right which falls outside of the GDPR, therefore a pupil’s consent is not required even if a pupil is able to make their own decisions in relation to their personal data, unless a court order is in place which states otherwise.
The term “parent” is widely defined in education law to include the natural or adoptive parents (regardless of whether parents are, or were married, whether a father is named on a birth certificate or has parental responsibility for the pupil, with whom the pupil lives or whether the pupil has contact with that parent), and also includes non-parents who have parental responsibility for the pupil, or with whom the pupil lives. It is therefore possible for a pupil to have several “parents” for the purposes of education law.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- Claim compensation for damages caused by a breach of the data protection responsibilities.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact: