Privacy Policy

Introduction

Under UK data protection law, individuals have a right to be informed about how our school uses any personal data that we hold about them. We comply with this right by providing a privacy notice for individuals where we are processing their personal data. This privacy notice explains how we collect, store and use personal data. “Personal data” means any information from which a natural person can be identified.

We, Parkgate House School, are the ‘data controller’ for the purposes of UK data protection law.

Our data protection officer is the Office Manager.

Contact details:

Telephone: 020 7350 2452
Email: [email protected]
Address: 80 Clapham Common Northside, London SW4 9SD

This privacy notice provides information about how we collect, store, use, share and/or otherwise process personal data about individuals, including current, past and prospective pupils and their parents, carers or guardians; current, past and prospective staff, contractors and suppliers; alumni, friends and supporters; donors; volunteers and others connected to or visiting our school (collectively referred to as “data subjects” in this privacy notice).

This privacy notice applies alongside any other information that we may provide about any particular use of personal data; for example, when collecting data via an online or paper form.

This privacy notice also applies in addition to our other relevant terms and conditions and policies, including:

any contract between the school and staff or the parents of pupils;
our data protection policy;
our safeguarding, pastoral, or health and safety policies, including reference to the ways in which concerns or incidents are recorded;
our IT policy and acceptable use policy;
any other policies or notices concerning the handling of personal data.

The personal data we hold

The personal data that we process about data subjects takes different forms – it may be factual information, expressions of opinions, images or other recorded information which identifies or relates to an individual. Examples of such personal data are:

names, addresses, telephone numbers, email addresses and other contact details;
dates of birth and identification documents, including copies of passports or birth certificates;
bank details and other financial information, e.g. about parents (or others) who pay fees to the school, and also members of staff and our suppliers;
past, present and prospective pupils’ academic, disciplinary, pastoral, safeguarding, admissions and attendance records (including information about any special educational needs or disabilities), and results and/or copies of internal assessments and externally set tests;
pupil and staff personnel files, including in connection with employment or safeguarding;
nationality, ethnicity, identification documents and immigration status information (e.g. the right to work or study in the UK), including copies of passports or birth certificates;
where appropriate, information about individuals’ physical and mental health and welfare;
information about any special requirements and about any family circumstances that might affect an individual’s welfare;
references given or received by the school about pupils, applicants or staff, and relevant information provided by previous educational establishments and/or other professionals or organisations working with pupils;
correspondence with and concerning staff, pupils and parents past and present;
images of pupils and staff (and occasionally other individuals) engaging in school activities; and
Information about the use of our information and communications systems and equipment (e.g. school computers and devices and our school network and Internet systems)

Where consent has been given, we may send marketing information by email. If you would like to withdraw consent or ‘opt out’ of receiving these emails, please contact us.

Special categories of more sensitive personal data

As a school, we also need to collect, process, store and share (when appropriate) information that falls into ‘special categories’ of more sensitive personal data. This includes, but is not restricted to, data concerning health (including physical and mental health), ethnicity, religion or criminal records information (such as when carrying out DBS checks). We do so in accordance with rights and duties imposed on us by law (including with respect to safeguarding and employment) or, from time to time, with explicit consent where required.

Our reasons for doing this include the following:

To safeguard pupils’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition or other relevant information where it is in the individual’s interests to do so: for example for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes or to caterers or organisers of school trips who need to be made aware of dietary or medical needs;
To provide educational services in the context of any special educational needs;
As part of any school or external complaints, disciplinary or investigation process that involves such data;
For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with our legal obligations and duties of care; and
For the establishment, exercise or defence of legal claims.

Why we use personal data

Personal data is required to maintain the academic, pastoral and operational functions of the school. For example, data is used to keep the school community safe, to support pupil learning, to monitor and report on pupil progress, to provide appropriate pastoral care, to protect pupil welfare, to provide extra-curricular activities and trips, to recruit and employ staff, to administer admissions processes, to fulfil our legal compliance obligations, to ensure that our information and communication systems, equipment and facilities (e.g. school computers and the school network) are used appropriately, legally and safely, and to fulfil the statutory duties placed upon us for the Department for Education (DfE) data collections.

Our lawful basis for using personal data

As a school, we need to process personal data for a range of purposes, in accordance with:

the ‘public task’ basis – we need to process data to fulfil our statutory function as a school
the ‘legal obligation’ basis – we need to process data to meet our responsibilities under law
the ‘consent’ basis – in certain circumstances we will obtain consent from parents to use a child’s data; for example, to use images for marketing purposes
the ‘vital interests’ basis – we will use this personal data in a life-or-death situation
the ‘contract’ basis – we need to process personal data to fulfil our contracts with parents, staff and suppliers
the ‘legitimate interests’ basis – where there is a minimal privacy impact and/or we have a compelling reason; for example:
- for the purposes of admissions processes and to confirm the identity of prospective pupils
- to support learning and education services, including musical education and physical education, to provide educational trips and extra-curricular activities, and to monitor pupils’ progress and educational needs
- to safeguard pupils’ health and welfare and provide appropriate pastoral (and where necessary, medical) care,
- to keep children safe
- to give and receive information and references about past, current and prospective pupils and staff
- to enable pupils to take part in competitions or assessments, and to publish the results or other achievements of pupils of the school
- to maintain relationships with alumni and the school community
- for the purposes of management planning and forecasting, research and statistical analysis including that imposed or provided for by law
- to enable relevant authorities to monitor the school’s performance and to intervene or assist with incidents as appropriate
- to raise invoices and process payments in accordance with the school’s terms and conditions and contractual obligations
- to monitor (as appropriate) use of the school’s IT and communications systems
- to make use of photographic images of pupils in school publications, on the school website and (where appropriate) on the school’s social media channels
- to provide information about the activities of the school, including by sending updates and newsletters by email or post
- to carry out or cooperate with any school or external complaints, disciplinary or investigation process
- where otherwise reasonably necessary for the school’s purposes, including to obtain appropriate professional advice and insurance for the school

Where you have provided us with consent to use your child’s data for a specific purpose, you may withdraw this consent at any time by contacting us.

This policy meets the requirements of the:

UK General Data Protection Regulation (UK GDPR) – the EU GDPR was incorporated into UK legislation, with some amendments, by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020

Data Protection Act 2018 (DPA 2018)

It is based on guidance published by the Information Commissioner’s Office (ICO) on the UK GDPR.

How we collect data

We usually receive personal data from the individual directly (including, in the case of pupils, from their parents). This may be via a form, by email or telephone, via a meeting, verbal communication or written assessments. However, in some cases, personal data will be supplied by third parties (for example, referees, previous schools/nurseries or employers, the DBS or other professionals, organisations, local authorities, government departments or authorities working with that individual), or collected from publicly available resources.

How we store data

Most personal data collected by the school usually remains within the school, and is processed by appropriate individuals only in accordance with access protocols, and on a ‘need to know’ basis.

We retain personal data securely and in line with guidance about how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for data retention is to keep staff and pupil personnel files for seven years following departure from the school. However, incident reports and safeguarding files need to be kept for much longer, in accordance with specific legal requirements.

We dispose of personal data securely when it is no longer required.

Keeping in touch

We use the contact details of parents, alumni and other members of the school community to keep you updated about the activities of the school, including by sending updates and newsletters, by email and/or by post. Should you wish to limit or object to any such use, please contact us.

Sharing data

Most personal data collected by the school usually remains within the school. However, some data needs to be shared and processed by third parties, where required by law or where reasonably necessary for the operation of the school. We do not otherwise share or sell personal data to other organisations for their own purposes. Third parties with whom we may need to share data include financial organisations, IT providers, database providers, online learning platforms, website developers, cloud storage providers, school trip providers and organisers, photographers and videographers, peripatetic teaching staff, caterers, contractors, professional advisers (including lawyers, insurers, PR advisers and accountants), examination boards, other educational institutions, our local authority (London Borough of Wandsworth), Government departments or agencies, youth support services, Ofsted, suppliers and service providers, auditors, survey and research organisations, health authorities, security organisations, health and social welfare organisations, professional advisers and consultants, charities and voluntary organisations and police forces, courts or tribunals.

In accordance with data protection law, this type of external data processing is always subject to contractual assurances that personal data will be stored and processed securely and used only to fulfil the specific need of the school or in accordance with legal requirements.

Particularly strict rules of access apply in the context of special categories of personal data, particularly regarding medical records, pastoral records and safeguarding files. The school needs to process this data to comply with statutory duties and to keep pupils and others safe, but the school ensures that only authorised staff can access information on a need-to-know basis. This may include wider dissemination if needed; for example, for school trips or for catering purposes. Data is shared with relevant members of staff in order to provide the necessary care and education that a pupil requires.

The school uses iSAMS, a secure management information system, to store personal data such as academic, pastoral, health and attendance data. Data is added to secure individual files with restricted access for different levels of staff.

Transferring data internationally

Data may need to be transferred internationally; for example, where data needs to be shared with and/or processed by:

Other schools or educational establishments
Government departments or agencies
Security organisations
IT, app or cloud server providers
School trip providers

Where we transfer personal data to a third-party country or territory, we will do so in accordance with UK data protection law.

Data accuracy and security

The school will endeavour to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible. Please keep us informed if your personal information (such as contact details) changes, by notifying the School Office: [email protected].

Your rights

You have a right to make a ‘subject access request’ to gain access to personal data that we hold about you or your child.

If you make a subject access request, and if we do hold information about you or your child, we will (subject to any exemptions that apply):

Provide a description of it
Explain why we are holding and processing it, and how long we will keep it for
Explain where we obtained it from, if not from you
Tell you who it has been, or will be, shared with
Provide a copy of the information in an intelligible form

If you would like to make a request, please contact us.

Once a child is able to understand their rights over their own data (generally considered to be age 12, but this has to be considered on a case-by-case basis), we will need to obtain consent from the child for a parent to make a subject access request on their behalf.

Under UK data protection law, you have certain rights regarding how your child’s personal data is used and kept safe. For example, you have the right to:

Object to our use of your child’s personal data
Prevent your child’s data being used to send direct marketing
In certain circumstances, have inaccurate personal data corrected
In certain circumstances, have the personal data we hold about your child deleted or destroyed, or restrict its processing
Withdraw your consent, where you previously provided it for the collection, processing and transfer of your child’s personal data for a specific purpose
In certain circumstances, be notified of a data breach
Make a complaint to the Information Commissioner’s Office

To exercise any of these rights, please contact us.

Complaints

We take any complaints about our collection and use of personal data very seriously.

If you have a concern about our data processing, please raise this with us in the first instance.

Contacting us

If you have any questions or concerns, or if you would like more information about anything mentioned in this privacy notice, please contact us.

Our data protection officer is the Office Manager.

Contact details:

Telephone: 020 7350 2452
Email: [email protected]
Address: 80 Clapham Common Northside, London SW4 9SD

Policy Reviewer:	Office Manager
Date of Policy Review:	June 2024
Date of Next Policy Review:	June 2025