Skip to content

Privacy Policy

Privacy Notice for Pupils and Families (How we use pupil information)

Privacy Notice – General Data Protection Regulation (GDPR)

This Privacy Notice has been written to inform parents and pupils of St. Peter’s C of E  Primary and Nursery School about what we do with your personal information.

Who are we?

St. Peter’s C of E  Primary and Nursery School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The categories of pupil information that we process include:

  • personal identifiers and contacts (such as name, unique pupil number, contact details and address)
  • characteristics (such as ethnicity, language, and free school meal eligibility)
  • safeguarding information (such as court orders and professional involvement)
  • special educational needs (including the needs and ranking)
  • medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements)
  • attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)
  • assessment and attainment (such as phonics results, post 16 courses enrolled for and any relevant results)
  • behavioural information (such as exclusions and any relevant alternative provision put in place)
  • participation in trips and visits
  • school dinners and free school meal management
  • inclusion in the Thrive programme

This list is not exhaustive.

Why we collect and use pupil information

We collect and use pupil information, for the following purposes:

  1. to support pupil learning
  2. to monitor and report on pupil attainment progress
  3. to provide appropriate pastoral care
  4. to assess the quality of our services
  5. to keep children safe (food allergies, or emergency contact details)
  6. to meet the statutory duties placed upon us for the Department for Education (DfE) data collections

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing pupil information are:

Article 6 and Article 9 of GDPR.

Our legal basis for processing your personal data, in line with Article 6(1)(c) include:

  • Education Act 1944,1996, 2002
  • Education and Adoption Act 2016
  • Education (Information About Individual Pupils)(England) Regulations 2013
  • Education (Pupil Information) (England) Regulations 2005
  • Education and Skills Act 2008
  • Children Act 1989, 2004
  • Children and Families Act 2014
  • Equality Act 2010
  • Education (Special Educational Needs) Regulations 2001

We also process information in accordance with Article 6(e) and Article 9(2)(g) as part of the official authority vested in us as Data Controller and for reasons of substantial public interest. Such processing, which is not mandatory but is considered to be in our pupils’ interests, include:

  • School trips
  • Extra curricular activities

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. When we do process this additional information we will ensure that we ask for your consent to process this.

Collecting pupil information

Much of the information we process will be obtained directly from you (pupils and parents). We will also process information received from:

  • Department for Education (DfE)
  • Local Education Authority – Nottinghamshire County Council
  • Previous schools attended

Who we share pupil information with

We routinely share pupil information with:

  • schools that the pupils attend after leaving us
  • our Local Education Authority – Nottinghamshire County Council
  • the Department for Education (DfE)
  • National Health Service bodies

We use a range of companies and partners to either store personal information or to manage it for us. Where we have these arrangements there is always a contract, memorandum of understanding or information sharing protocol in place to ensure that the organisation complies with data protection law.

We complete privacy impact assessments before we share personal information to ensure their compliance with the law.

For more information on information sharing with the DfE (including the National Pupil Database and Census) please go to:

https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information

We will not share any information about you outside the school without your consent unless we have a lawful basis for doing so.

The law does not allow us to share your information without your permission, unless there is proof that someone is at risk or it is required by law. This risk must be serious before we can go against your right to confidentiality. When we are worried about physical safety or we feel that we need to take action to protect someone from being harmed in other ways, we will discuss this with you and, if possible, get your permission to tell others about your situation. We may still share your information if we believe the risk to others is serious enough to do so. There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why as soon as or if we think it is safe to do so.

Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this.

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

Storing pupil data: retention and security

We hold pupil data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please click on the link to the school’s GDPR page on the website: GDPR | St Peter's CofE Primary School

Here you will find the School’s ‘Records and Retention Management Policy’

We will do what we can to make sure we hold personal records (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.

Our security includes:

  • Encryptin allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
  • Pseudnymisation allows us to hide parts of your personal information from view so only we can see it. This means that someone outside of ECC could work on your information for us without ever knowing it was yours.
  • Cntrolling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Training fr our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
  • Ways fr us to access your information should something go wrong and our systems not work, including how we manage your information in event of an emergency or disaster.
  • Regular testing f our technology and processes including keeping up to date on the latest security updates (commonly called patches).

View our policy on information security on the school’s website.

If your information leaves the country

Sometimes, for example where we receive a request to transfer Organisation records to a new Organisation, it is necessary to send that information outside of the UK.

In such circumstances additional protection will be applied to that data during its transfer, and where the receiving country does not have an adequacy decision from the European Commission, advice will be sought from the Information Commissioners Office prior to the data being sent.

Department for Education (DfE)

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our pupils with the Department for Education (DfE) either directly or via our local authority for the purpose of those data collections, under:

section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

All data is transferred securely and held by the Department for Education (DfE) under a combination of software and hardware controls, which meet the current government security policy framework.

For more information, please see ‘How Government uses your data’ section. For privacy information on the data the Department for Education collects and uses, please see: https://www.gov.uk/government/publications/privacy-information-early-years-foundation-stage-to-key-stage-3

and

https://www.gov.uk/government/publications/privacy-information-key-stage-4-and-5-and-adult-education

Requesting access to your personal data

The UK-GDPR gives parents and pupils certain rights about how their information is collected and used. To make a request for your personal information, or be given access to your child’s educational record, contact the School’s Data Protection Officer, Helen White via email: hwhite@blyth.notts.sch.uk or by calling 01909 591218.

You also have the following rights:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’, this is also known as a subject access request (SAR), data subject access request or right of access request.
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.

You should let us know if you disagree with something written on your file. We may not always be able to change or remove the information; however, we will correct factual inaccuracies and may include your comments in the records. Please contact the school to report inaccurate information.

  • the right to ask us to delete your personal information – this is called ‘right to erasure’

In some circumstances you can request the erasure of the personal information used by the Organisation, for example:

  • Where the persnal information is no longer needed for the purpose for which it was collected
  • Where yu have withdrawn your consent to the use of your information (where there is no other legal basis for the processing)
  • Where there is n legal basis for the use of your information
  • Where erasure is a legal bligation

Where personal information has been shared with others, the Organisation shall make every reasonable effort to ensure those using your personal information comply with your request for erasure.

Please note that the right to erasure does not extend to using your personal information where:

  • Is required by law
  • It is used fr exercising the right of freedom of expression
  • It is in the public interest in the area f public health
  • It is fr archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where it would seriously affect the achievement of the objectives of the processing
  • It is necessary fr the establishment, defense or exercise of legal claims.

 

  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’.

You have the right to ask us to restrict what we use your personal data for where one of the following applies:

  • Yu have identified inaccurate information, and have notified us of this
  • Where using yur information is unlawful, and you wish us to restrict rather than erase the information
  • Where yu have objected to us using the information, and the legal reason for us using your information has not yet been provided to you

When information is restricted, it cannot be used other than to securely store the data, and with your consent, to handle legal claims, protect others, or where it is for important public interests of the UK.

Where restriction of use has been granted, we will inform you before the use of your personal information is resumed. You have the right to request that the Organisation stop using your personal information for some services. However, if this request is approved this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request, but we may need to hold or use information in connection with one or more of the Organisation’s legal functions.

  • the ‘right to object to processing’ of your information, in certain circumstances

You have the right to object about decisions being made about you by automated means (by a computer and not a human being), unless it is required for any contract you have entered into, required by law, or you have consented to it.

  • rights in relation to automated decision making and profiling.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information. If and when the Organisation uses your personal information to profile you, you will be informed. If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how your information is being used.

There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:

  • right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
  • right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
  • right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at raise a concern with ICO.

For further information on how to request access to personal information held centrally by the Department for Education (DfE), please see the ‘How Government uses your data’ section of this notice.

Withdrawal of consent and the right to lodge a complaint

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the School Data Protection Officer, Helen White, at St. Mary & St. Martin’s C of E Primary School, Blyth: hwhite@blyth.notts.sch.uk or call 01909 591218

Last updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated on 1st September 2025.

Contact

If you would like to discuss anything in this privacy notice, please contact:

Mrs Yvonne Reeson (head teacher)

St. Peter’s C of E Primary & Nursery School,

Mill Road,

Gringley-on-the-Hill,

Doncaster

DN10 4QT

Telephone: 01777 817330

or Helen White, hwhite@blyth.notts.sch.uk or by calling 01909 591218.  (Data Protection Officer)

 

How Government uses your data

The pupil data that we lawfully share with the Department for Education (DfE) through data collections:

  • underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
  • informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
  • supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (DfE) (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education (DfE) and contains information about pupils in schools in England. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

The data in the NPD is provided as part of the operation of the education system and is used for research and statistical purposes to improve, and promote, the education and well-being of children in England.

The evidence and data provide DfE, education providers, Parliament and the wider public with a clear picture of how the education and children’s services sectors are working in order to better target, and evaluate, policy interventions to help ensure all children are kept safe from harm and receive the best possible education. 

To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-npd-privacy-notice/national-pupil-database-npd-privacy-notice

Sharing by the Department for Education (DfE)

DfE will only share pupils’ personal data where it is lawful, secure and ethical to do so. Where these conditions are met, the law allows the Department for Education (DfE) to share pupils’ personal data with certain third parties, including:

  • schools and local authorities
  • researchers
  • organisations connected with promoting the education or wellbeing of children in England
  • other government departments and agencies
  • organisations fighting or identifying crime

For more information about the Department for Education’s (DfE) NPD data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

Organisations fighting or identifying crime may use their legal powers to contact the Department for Education (DfE) to request access to individual level information relevant to detecting that crime.

For information about which organisations the Department for Education (DfE) has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares

How to find out what personal information the Department for Education (DfE) holds about you

Under the terms of the UK GDPR, you are entitled to ask the Department for Education (DfE):

  • if they are processing your personal data
  • for a description of the data they hold about you
  • the reasons they’re holding it and any recipient it may be disclosed to
  • for a copy of your personal data and any details of its source

If you want to see the personal data held about you by the Department for Education (DfE), you should make a ‘subject access request’.  Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below:

https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter

or 

https://www.gov.uk/government/publications/requesting-your-personal-information/requesting-your-personal-information#your-rights 

To contact the Department for Education (DfE): https://www.gov.uk/contact-dfe

 

Where can I get advice?

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk

 

Cookies Used

Necessary

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.

You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

  • Categories
    Provider
    Cookies
  • Allow Cookies

    This cookie is used to determine whether the user allows cookies or not.

    Juniper Education
    • cookiesAllowed
  • Cookie Consent ID

    This cookie references the level of consent you have given for cookies, and is used when you update your consent settings.

    Juniper Education
    • cookieConsentID
  • High Visibility

    If set, this cookie ensures the website is displayed in high visibility mode.

    Juniper Education
    • highvis