Diocese of Southwell and Nottingham

Privacy Policy

1. Introduction

1.1 Individuals have a legal right (under the General Data Protection Regulation), to be informed about how Marches Academy Trust (the Trust) uses any personal information that the Trust holds about them. To comply with this, this privacy notice enables Marches Academy Trust (the Trust) to fulfil our legal requirement to be open and fair with individuals about the personal data we collect and process to benefit and support our children & young people’s (CYP) learning.

1.2 The Trust is committed to promoting transparency, giving individuals the chance to see what personal data is being collected, why and how it is being used, how long it will be kept, and the data provided to third parties. This privacy notice also gives individuals the information they need to decide whether to exercise their data subject rights.

1.3 We, the Trust, are the ‘data controller’ for the purposes of data protection law. The DfE’s guidance for privacy notices for schools explains that Data Controllers and Data Processors are responsible for providing personal information and all education settings and local authorities are classed as data controllers and may also be data processors in their own right and, as such, they have a duty to inform CYP, staff and responsible adults (known as Data Subjects) on how they process the data that is within their control. Within this policy, adults responsible for the care of CYP are referred to throughout as responsible adults, taken to mean those with parental responsibility1

i. Data Controller - the organisation who (either alone or in common with other people) determine the purpose for which, and the way data are processed.

ii. Data Processor - a person or organisation who process data on behalf of and on the orders of a controller.

iii. Data Subject – the person about who you are processing data.

iv. Data Protection Officer – an officer of the education establishment or local authority who is responsible for data protection issues within the organisation.

for the child or young person and may include parents, carers, kinship carers, corporate parents, or guardians.

1.4 Definitions

 i. Data Controller - the organisation who (either alone or in common with other people) determine the purpose for which, and the way data are processed.

ii. Data Processor - a person or organisation who process data on behalf of and on the orders of a controller.

iii. Data Subject – the person about who you are processing data.

iv. Data Protection Officer – an officer of the education establishment or local authority who is responsible for data protection issues within the organisation.

v. Personal Data is classed as any information which on its own or in conjunction with other information available to a Data Controller can identify a Data Subject.

Some personal data is classed as being part of a special category and if you control or process special category data you need additional reason to process the data. UK GDPR specifically defines ‘special category’ as data relating to:

i. racial or ethnic origin

ii. political opinions

iii. religious or philosophical beliefs

iv. trade-union membership

v. health or sex life; and

vi. data relating to criminal offences is also afforded similar special protection.

For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or ‘processing’ apply to any activity involving the personal data, such as:

i. collecting

ii. storing

iii. sharing

iv. destroying.

Please note: this list is not exhaustive.

If you would like to discuss anything in this privacy notice, please contact our Trust’s Data Protection Officer Katherine Mills on 01948 660603 or by email at: [email protected]

2. Legislation, Standards and Guidance

This privacy notice takes account of our obligations under The Data Protection Act (2018) which sets out in UK law the legal framework with which education settings and local authorities must comply when they process the personal data. Providing accessible information to individuals about the use of their personal information (data) is a key element of their legal right to transparency as set out in the UK General Data Protection Regulation (UK GDPR).

This privacy notice will also have consideration for, and be compliant with, the following guidance and key information:

i. ICO guidance General Data Protection Regulation

ii. DfE privacy notices for schools

This privacy notice will also link to other Trust policies & procedures:

i. MAT GDPR policy

ii. MAT document retention schedule (within the MAT GDPR policy mentioned above in i)

iii. MAT ICT policy

3. How to use this document

This document is an overarching privacy notice for the entire Trust and applies to different categories of individuals. Please read the relevant section that affects the use of your personal data for:

i. Our Children & Young People (CYP) & Responsible Adults - Section 4, page 6;

ii. Our Workforce – Section 5, page 12;

iii. Our Members, Trustees & Governors, Section 6, page 17

4. Privacy notice for our Children & Young People (CYP) and Responsible Adults

4.1 What types of information do we collect from you?

Personal data that we may collect, use, store and share (when appropriate) about children & young people (CYP) includes, but is not restricted to:

i. contact details, contact preferences, date of birth, identification documents

ii. results of internal assessments and externally set tests

iii. CYP and curricular records

iv. characteristics, such as ethnic background, eligibility for free school meals, or special educational needs

v. bio-metric information, such as fingerprints

vi. exclusion information

vii. behavioural information

viii. details of any medical conditions, including physical and mental health

ix. attendance information

x. safeguarding information

xi. details of any support received, including care packages, plans and support providers

xii. photographs

xiii. CCTV images captured

xiv. film/video footage in classrooms for professional learning use.

We process personal information relating to our CYP and may receive information about them from their previous school or college, local authority, the Department for Education (DfE) and the Learning Records Service. We hold this personal data to:

i. support our CYP and staff’s professional learning

ii. monitor and report on their progress

iii. provide appropriate pastoral care

iv. provide appropriate systems to enhance learning

v. protect CYP welfare

vi. assess the quality of our services

vii. administer admissions waiting lists

viii. carry out research

ix. comply with the law regarding data sharing.

We also use CCTV in the interest of safety and security around site.

Organisations that we are most likely to share personal data with are:

i. the Local Authority (Shropshire Council)

ii. Arbor – Our management information partner

iii. the NHS

iv. the Department for Education (DfE)

v. Ofsted

vi. examining bodies

vii. Colleges or Universities

viii. ICT service providers

ix. providers of services within or on behalf of the school (e.g. school photographer, branded good suppliers, etc)

x. youth support services (CYP aged 13+)

xi. career information providers.

We may also hold data about CYP that we have received from other organisations, including other schools or academies, local authorities and the Department for Education.

For CYP enrolling for post 14 qualifications, the Learning Records Service will give us the unique learner number (ULN) and may also give us details about your learning or qualifications. In addition, once our CYP reach the age of 13, the law requires us to pass on certain information about them to Shropshire Local Authority who have responsibilities in relation to the education or training of 13-19 year olds. We provide them with these CYP’s names and addresses, dates of birth, name(s)/address(es) of their responsible adults and any other information relevant to their role. We may also share certain personal data relating to CYP aged 16 and over with post-16 education and training providers in order to secure appropriate services for them. A responsible adult can ask that no information apart from their child’s name, address and date of birth be passed to Shropshire Local Authority by informing the school. This right is transferred to the CYP once he/she reaches the age 16. For more information about services for CYP, please go to our local authority website https://www.shropshire.gov.uk and https://www.gov.uk/

Adults responsible for CYP care are referred to as responsible adults, taken to mean those with parental responsibility for the child or young person and may include parents, carers, kinship carers, corporate parents, or guardians, and other agencies.

For responsible adults we may collect

i. contact details, contact preferences, date of birth, identification documents

ii. characteristics, such as ethnic background

iii. your child’s eligibility for free school meals, or special educational needs

iv. safeguarding information

v. details of any support received, including care packages, plans and support providers

vi. CCTV images captured whilst on site.

4.2 Why we use this data

We only collect and use personal data when the law allows us to. Most commonly, we process it where:

i. we need to comply with a legal obligation

ii. we need it to perform an official task in the public interest

iii. we need it to perform a contract

iv. for professional learning and staff training purposes.

Less commonly, we may also process personal data in situations where:

i. we have obtained consent to use it in a certain way

ii. we need to protect the individual’s vital interests (or someone else’s interests).

Where we have obtained consent to use personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.

Some of the reasons listed above for collecting and using personal data overlap, and there may be several grounds which justify our use of this data.

4.3 Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4.4 Collecting this information

We collect CYP information via:

i. registration forms at the start of the school year

ii. Common Transfer File (CTF)

iii. secure file transfer from previous school

iv. admissions form

v. our staff via MS Forms, Pupil & Parent surveys or other means.

Personal data for CYP and responsible adults is essential for the schools’ operational use. Whilst the majority of the information you provide to us is mandatory, some of it requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this and we will tell you what you need to do if you do not want to share this information with us.

We will not give information about you to anyone without your consent unless the law and our policies allow us to. We are required, by law, to pass certain information about our CYPs to our local authority (LA) and the Department for Education (DfE). If you need more information about how our local authority and/or DfE collect and use your information, please visit: our local authority at https://www.shropshire.gov.uk/privacy/our-use-of-personal-data/ or; the DfE website at https://www.gov.uk/guidance/data-protection-how-we-collect-and-share-research-data

If you want to receive a copy of the information about you that we hold, please contact the School Reception.

4.5 How Government uses CYP data

The CYP data that we lawfully share with the DfE through data collections:

i. underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.

ii. informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or CYP Progress measures).

iii. supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school).

Data is transferred securely and held by DfE under a combination of software and hardware controls, which meet the current government security policy framework.

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

The National Pupil Database (NPD)

Much of the data about CYP in England goes on to be held in the National Pupil Database (NPD).

The NPD is owned and managed by the Department for Education and contains information about CYP in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

To find out more about the NPD, go to

https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information .

Sharing by the Department

The law allows the Department to share CYP personal data with certain third parties, including:

i. schools

ii. local authorities

iii. researchers

iv. organisations connected with promoting the education or wellbeing of children in England

v. other government departments and agencies; and/or

vi. organisations fighting or identifying crime.

For more information about the Department’s NPD data sharing process, please visit:

https://www.gov.uk/guidance/data-protection-how-we-collect-and-share-research-data

Organisations fighting or identifying crime may use their legal powers to contact DfE to request access to individual level information relevant to detecting that crime. Whilst numbers fluctuate slightly over time, DfE typically supplies data on around 600 CYP per year to the Home Office and roughly 1 per year to the Police. For information about which organisations the Department has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website:

https://www.gov.uk/government/publications/dfe-external-data-shares

5. Privacy Notice for our Workforce

5.1 What types of information do we collect from you?

We collect personal information (for example your name and address), and other more sensitive data that we would only collect and use in very particular circumstances that are set out in law. Those marked * will be held for applicants who may reach shortlisting and interview stage.

• Absence / Sickness

• Address*

• Annual Salary

• Assessments of your performance, and training

• Asylum & Immigration ID Documentation

• Bank account details

• Barred List 99

• Certificate of Age Exception Cards

• Change of address

• Change of Name

• Contracts

• Contracted work pattern

• Criminal convictions

• Current Salary details

• Data of birth and gender*

• Date of death /cause/certificate

• Date of Leaving

• Declaration of criminal convictions*

• Details of any performance, disciplinary or grievance you have been involved in until spent

• Details of leave taken

• Disability information*

• Driver License/Passport details

• Email address*

• Emergency contact details

• Employee Number

• Employer address*

• Employment History

• Education/qualifications/training*

• Employment history*

• Enhanced DBS Check

• Ethnic origin*

• Gender*

• Information about your criminal record

• Interview notes

• Job Title*

• Leave date

• Managers Name

• Marital status*

• Maternity / Paternity / Parental Leave information

• Medical health and history (OH)

• Membership of professional bodies*

• Name*

• National insurance number

• Nationality - entitlement to work in the UK

• New employer

• New Starter details

• Next of kin

• NI Number*

• Occupational Health reports

• Online search information*

• P45/P46

• Pay and deduction details

• Pension Membership

• Post number

• Previous employment*

• Proof of ID and age

• Referee contact details*

• References for future employers

• Religious beliefs*

• Right to work declaration*

• Sexual orientation*

• Signature*

• Statutory Body reference numbers e.g. teachers ref number*

• Tax code

• Telephone Number*

• Union Membership

• Work Base

5.2 How do we get the personal information from you?

We collect information directly from you when you apply for a position via the Trust’s recruitment platform website or when you complete a manual application form. If appointed, we collect further information by telephone, email or any other type of electronic and manual communication.

legally compliant. We use your data for all or some of the following purposes. Those marked * will be restricted to applicants who may have met the shortlisting and interview stage:

i. to effectively manage the employment relationship

ii. to be legally compliant

iii. to enable individuals to be paid

iv. to communicate with you throughout the recruitment process and about potential other Trust opportunities if your application is unsuccessful*

v. to consider your application in respect of the job you have applied for*

vi. to complete statutory surveys about pay and employment

vii. to determine whether you will proceed to the next recruitment and selection stages*

viii. to obtain information from your referees*

ix. to carry out checks on your right to work in the UK

x. to determine any other factors which may affect your suitability for the role e.g., criminal record, disqualification from childcare

xi. to determine your fitness for the role

xii. to determine if there is any prohibition from management

xiii. to determine if there is any prohibition from teaching

xiv. to maintain accurate and up-to-date employee records

xv. to ensure effective general HR and business administration

xvi. provide references on request for current or former employees

xvii. to respond to and defend against legal claims

xviii. to maintain and promote equality in the workplace*

xix. to enable the development of a comprehensive picture of the Trust workforce and how it is deployed

xx. to inform the development of recruitment and retention policies.

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful reasons for collecting and processing personal data during a recruitment exercise and subsequent employment relationship:

i. legitimate interest – this being the recruitment of staff to the Trust

ii. legal obligations – we may process the data to meet regulatory obligations.

5.4 Who has access to your information?

Our HR team, relevant Line Managers, Senior Managers and previous employers, so we can get references. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

External organisations that provide services on the Trust’s behalf also have access to your information. These include:

i. our HR (including recruitment) & payroll software provider

ii. our occupational health provider

iii. previous employers, so we can obtain references

iv. the Disclosure and Barring Service

v. Department of Work & Pensions

vi. the Courts Service

vii. the National Fraud Initiative /Police

viii. BACS/BACS Bureau

ix. HM Revenue & Customs

x. Local Government Pension scheme

xi. Teachers’ Pension Scheme

xii. the Pension Regulator

xiii. organisations where voluntary deductions are taken from pay.

5.5 Who do we share workforce information with?

We routinely share this personal data with the following organisations:

i. the Department for Education (DfE) (We are required to share information about our school employees with the Department for Education (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments)

ii. HMRC (tax code changes)

iii. our Local Authority (where applicable).

6. Privacy Notice for our Members, Trustees & Governors

6.1 What types of information do we collect from you?

i. personal details

ii. contact details

iii. professional details

iv. relevant business and pecuniary interests details

v. role application details

vi. selection records

vii. references

viii. identity verification records

ix. meeting attendance records

x. records of communications

xi. records of visits to schools

xii. photographs of you or images on CCTV

xiii. information to identify you in the Trust and its schools

xiv. records of work you do in conjunction with our staff or CYP

xv. notes of meetings you may have attended

xvi. a biography/profile that may be published on our websites.

We also are required to collect and use information that is given additional protection under the GDPR, for example;

i. demographic information and protected characteristics required for monitoring equality, diversity, inclusion and belonging.

6.2 How is your information used?

i. to enable you to work with us

ii. to maintain a safe environment for our CYP

iii. to enable you to take part in appropriate training and professional development

iv. to meet the statutory duties placed upon us

v. to ensure your health and safety

vi. to keep you up to date with news about the Trust and its schools.

6.3 Our legal basis for using this data

Depending on the purpose, our use of your information will be legal due to one of the following:

i. to meet a legal requirement e.g. providing information to DfE for Get Information About Schools

ii. delivering a public task e.g. keeping register of business interests or records of your meetings with governors

iii. to protect the vital interests of you or someone else.

Academy trusts, under the Academies Handbook have a legal duty to provide the governance information as detailed above.

7. How do we store your personal information?

The Trust is strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration, or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you also take every precaution to protect your personal information.

8. How do we keep your information up to date?

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.

9. How long will we keep your information for?

The Trust keeps and disposes of all records in line with the Trust’s retention schedule. We will comply with Data Protection legislation in regard to how long we keep your data.

For more information on our data retention schedule and how we keep your data safe, please speak to the Trust’s Data Protection Officer.

10. What are your rights in relation to the personal information we hold?

Under data protection law, you have rights including:

i. access - you have the right to ask us for copies of your personal information.

ii. rectification - you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

iii. erasure - you have the right to ask us to erase your personal information in certain circumstances. We can refuse to erase if we have a lawful reason to keep this.

iv. right to object or restrict processing - you have the right to object to how your data is being used and how it is going to be used in the future.

v. portability - you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

vi. you also have the right not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you.

Other rights

Depending on the lawful basis above, you may also have the right to:

i. object to processing of personal data that is likely to cause, or is causing, damage or distress

ii. prevent processing for the purpose of direct marketing

iii. object to decisions being taken by automated means

iv. in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and

v. a right to seek redress, either through the ICO, or through the courts.

If you wish to make a request, please contact us at:

CYP - At your school reception. School staff should report this to the Trust’s Data Protection Officer.

Staff - via HR [email protected] / 01948 660603/ The Marches Academy Trust, Morda Road, Oswestry, Shropshire SY11 2AR

Trustees, Members & Governors – via your LGB Clerk or the Trust’s Governance Officer Belen Lopez Bloor [email protected]

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

11. Freedom of Information Requests (FOI)

The Freedom of Information Act, Environmental Information Regulations and INSPIRE Regulations give you rights to access official information. This does not grant you access to your own data/information, this must be accessed via a Subject Access Request (see below).

Under the Freedom of Information Act and the Environmental Information Regulations you have a right to request any recorded information held by the Trust. For more information regarding the Freedom of Information Act please visit the ICO’s website.

Before requesting you should:

i. search our websites for the information

ii. check other websites/source where we or the Department of Education publish more information such as https://www.find-school-performance-data.service.gov.uk/ or https://www.gov.uk/government/statistics

12. Subject Access Requests (SAR)

The General Data Protection Regulation (GDPR) grants you the “right to access” otherwise known as a “Subject Access Request”. This allows you or an individual acting on your behalf to request and gain access to personal information that the Trust holds about you. More information can be found on the ICO’s website.

If you make a subject access request, and if we do hold information about you, we will:

i. give you a description of it

ii. tell you why we are holding and processing it, and how long we will keep it for

iii. explain where we got it from

iv. tell you who it has been, or will be, shared with

v. let you know whether any automated decision-making is being applied to the data, and any consequences of this

vi. give you a copy of the information in an intelligible form.

Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.

For further information about submitting a SAR please read the Trust’s GDPR policy. If staff receive a Subject Access Request, they must immediately forward it to the Trust’s Data Protection Officer.

13. Complaints

If you have any concerns about our use of your personal information, you can contact the Trust’s Data Protection Officer Katherine Mills:

By email: [email protected]

By Post: The Marches Academy Trust c/o Sir John Talbot’s, Prees Road, Whitchurch SY13 2BY

By Phone: 01948 660603

You can also complain to the ICO if you are unhappy with how we have used your data.

By Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

By phone: 0303 123 1113

Alternatively visit www.ico.org.uk or email [email protected]

14. Monitoring

This privacy notice will be reviewed by the Trust's Data Protection Officer, Heads of Shared Services and Director of Education on an annual basis.