Privacy Notice
This privacy notice covers how Ysgol Caer Elen (as a Data Controller) will collect, use and share your personal data for the purpose of providing a successful education to children.
Why we need your information (purpose of processing)
We collect and use your personal information so that we can provide a safe, supportive and effective learning environment.
The information that you provide will be processed according to the UK General Data Protection Regulation and the Data Protection Act 2018, Local Government Act 2000 (Section 2), The Government of Wales Act 2006 (Section 60), Learning & Skills Act 2000 (Sections 33, 40, 138 & 140), Education Act 2004, SEN Code of Practice for Wales, Employment and Training Act 1973 (Sections 8, 9 & 10), The Education (Information about Individual Pupils (Wales) Regulations 2007, Frameworks such as Youth Engagement and Progression Framework, Special Educational Needs and Disability Act 2001, Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), Management of Health and Safety at Work Regulations 1999.
We will also make any disclosures required by law and we may also share this information with other bodies responsible for detecting/preventing fraud/crime or auditing/administering public funds to ensure money is targeted and spent in the most appropriate and cost-effective way. In order to achieve this, information will be shared with our Audit Service within Pembrokeshire County Council and with The Auditor General for Wales (Audit Wales Privacy and Cookie Policy).
We will not make any disclosures to third parties for marketing purposes.
Your data will be secure and confidential at all times, and we will only collect the personal information that is required to provide you with our service.
What personal data is being collected?
The categories of personal data being collected are:
Pupil and ALN Data: Names, date of birth, UPN number, address, parent contact details, sibling details if in same school, ethnicity, traveller or service child, first language, health and medical records, allergies, dietary requirements, ALN information.
Staff Records: Contact details, next of Kin, date of birth, national insurance number, DBS details, qualifications.
School Governors: Email addresses and names.
Images: Photos, videos with sound.
Visitor Information / Sign In: Name, company name, vehicle registration, photo, whether or not they have a DBS.
Supply Staff: Name, DBS details, EWC registration.
Accident and Incident Reporting: Date, time and place of the incident, name (and class) of the injured or ill person, details of the injury or illness, details of any first aid provided, name and signature of the first aider or person dealing with the incident, whether the parent was contacted.
CCTV: Images / video.
Business Continuity: Name, contact details.
What is our lawful basis for processing your personal data?
The UK General Data Protection Regulations (UK GDPR) requires specific conditions to be met to ensure that the processing of your personal data is lawful. These relevant conditions are below:
- Article 6 (1)(b) Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Article 6 (1)(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
- Article 6 (1)(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Some types of personal data are more sensitive than others and need more protection. This is classed as ‘special category data’ and could include information about your racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic or biometric data, health and sex life and sexual orientation.
We process this type of special category data as it is necessary for reasons of:
- Article 9 (2)(g) Substantial public interest
- Safeguarding of children and individuals at risk
- Statutory and government purposes
Who will we share your information with?
We may need to share your personal data with internal departments of the Council, other organisations and third parties, this will include:
Pupil and ALN Data: School Management Information System (SIMS), Edukey, Careers Wales, School Nursing Service - Health, Speech and Language Therapy Service, Local Authority, social services (submitted via MARF), Catering, Youth Engagement and Progression Framework, Examination bodies, Learning Records Service, Welsh Government, Maths Pad, Carousel, Wonde, Times Table Rock Stars, National Health Service (NHS), Evolve (school trips), Primary & Secondary Schools (transition purposes), Haven System (school meals), Parent Mail, Seesaw, Class Dojo, Power BI, Darllen Co, Urdd, LexiaUK, GroupCall Xporter, GL Assessment.
Staff Records: School Management Information System (SIMS), PCC HR, HWB, Welsh Government SWAC, Mutual Absence Scheme, WJEC, Education Workforce Council (EWC), Governors
Images: Hwb platform, School Facebook, Twitter, Instagram, Class Dojo, school website. Notice boards, school newsletter weekly via parent mail and social media, school prospectus, school iPads.
Visitor Information / Sign In: EntrySign.
Supply Staff: Dosbarth, Equal, Teacher Active, Hoop, Intro Teach.
Accident and Incident Reporting: Local Authority Health & Safety department (Evotix Accident Reporting Software)
CCTV: Dyfed Alarms, Police
Business Continuity Plan: School Management Information System (SIMS)
We use data processors (third parties) who provide services to us in terms of IT provision and disaster recovery. We have contracts in place with these data processors and they cannot do anything with your personal information unless we have instructed them to do it. They will hold your data securely and your personal information will only be shared in accordance with UK GDPR. When it is necessary for your personal information to be transferred outside of the UK as part of these contracts, this will only be done in accordance with the UK GDPR.
Ysgol Caer Elen has a duty to protect the public funds it manages. Therefore, the information that you have provided to us may be used for the prevention and detection of fraud and for auditing purposes both internally and externally.
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by visiting CIFAS.
How long do we keep hold of your information?
Ysgol Caer Elen will only keep your information for as long as is necessary, we will retain the information provided to us for:
Pupil and ALN Data: Date of birth of the pupil + 25 years.
Staff Records: Termination of Employment + 6 years.
School Governors: Date appointment ceases + 6 years.
Images: Website imagery is updated on a 6 month to annual basis, notice boards are updated annually, school prospectus is updated every 3 to 4 years, school iPads get wiped every year.
Visitor Information / Sign In: Visitor information is stored for 18 months but Images are removed after 12 months.
Supply Staff: Emails are removed from the system once they have been dealt with.
Accident and Incident Reporting: 3 years after last entry in the accident book.
CCTV: 30 days.
Business Continuity: Until Employee leaves post.
Your information will be securely disposed of once it is no longer required.
Your Rights
Under the UK General Data Protection Regulation and Data Protection Act 2018, you have rights as an individual including:
- The right to Rectification – you have the right to ask to have your information corrected.
- The right to Restrict processing may apply – you may request that we stop processing your personal data however, this may delay or prevent us delivering a service to you. We will seek to comply with your request but may be required to hold or process information to comply with our legal duties.
- The right to Object – this is not an absolute right and will depend on the reason for processing your personal information.
- The right to Erasure - you may request that we erase your personal data however, this may delay or prevent us delivering a service or continuing to deliver a service. We will seek to comply with your request but may be required to hold or process information to comply with our legal duties.
- The right to not be subject to Automated decision making and profiling.
- The right of Access – you have the right to ask us for copies of your personal data. To make a request, please contact:
Access to Records
Pembrokeshire County Council
County Hall
Haverfordwest
SA61 1TP
Email: accesstorecords@pembrokeshire.gov.uk Telephone: 01437 764551
Complaints or Queries
Ysgol Caer Elen endeavours to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this seriously. We encourage people to bring to our attention if they believe that our collection or use of information is unfair, misleading or inappropriate.
This privacy notice does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below:
Data Protection Officer
Ysgol Caer Elen
Withybush Road
Haverfordwest
Pembrokeshire
SA62 4BN
Email: swyddfa@ysgolcaerelen.cymru Telephone: 01437 808 470
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office as the statutory body which oversees data protection law:
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH
Email: wales@ico.org.uk Telephone: 0330 414 6421
Our Contact Details as Data Controller are:
Ysgol Caer Elen
Withybush Road
Haverfordwest
Pembrokeshire
SA62 4BN
Emai: swyddfa@ysgolcaerelen.cymru Telephone: :01437 808 470
Our Data Protection Officer’s information is detailed above in the Complaints and Queries section.
Changes to this privacy notice
We keep our privacy notice under regular review.