This Privacy Notice has been written to inform pupils, parents and staff of Lythe School about how we are using your information in light of the measures that have been introduced in response to the Coronavirus (COVID-19) pandemic. This Privacy Notice should be read in conjunction with our standard Pupils and Parents, and Employees Privacy Notices (available on www.lythe.n-yorks.sch.uk)

 Who are we?

 Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

 The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Schools Data Protection Officer

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

schoolsDPO@veritau.co.uk

01609 53 2526

*Please ensure you include the name of the School in all correspondence with the DPO

 What information are we collecting?

 The categories of information that we collect, hold and share include the following:

• Basic personal information (e.g. name, pupil number, DOB and address) (pupils, parents and staff)
• Safeguarding information (pupils)
• Job role and evidence of employment in this role (parents)
• Attendance information (pupils and staff)

 We will also process information which may include ‘special category’ data about our pupils including:

• Information which identifies children that are ‘vulnerable’ (those who have a social worker, such as children in the care of the Local Authority and those children and young people up to the age of 25 with education, health and care (EHC) plans) 
• Relevant medical information (pupils and staff)

Why do we process your personal data?

We are processing this information to facilitate the provision of care for vulnerable children and the children of critical workers.

This involves:

• Processing pupil information to facilitate their learning and meet any care requirements that they have.
• Processing parents’ employment information to confirm their status as a critical worker.
• Processing the information of staff members who have been redeployed in order to meet resourcing needs.

Any personal data that we process about our pupils and parents is done so in accordance with Article 6 and Article 9 of GDPR:

Article 6 (c) legal obligation

Article 6 (d) public task

Article 6(b) contract (for staff)

Article 9 (b) Employment, social security and social protection (for staff)

Article 9 (g) Reasons of substantial public interest

Please refer to our standard Pupils and Parents and Employees Privacy Notices for further information about the lawful basis we rely upon to process your data.

Who do we obtain your information from?

Much of the information we process will be obtained directly from you. We will also process information received from:

• Department for Education (DfE)
• Local Education Authority. If your child is attending our school as a result of the COVID-19 pandemic response and your child’s previous school was in a neighbouring LEA, then we may need to obtain information from this LEA.
• Previous schools attended

Who do we share your personal data with?

We are obliged to share attendance data with the Department for Education during this time. The following information will be shared:

1. The names of all children who are in attendance on each day

2. If the child is not enrolled at your school, the name of the school where the child is enrolled

3. Whether the child is present on each day  

4. Whether the child has parents who are critical workers  

5. If the child is vulnerable e.g. they have on an education health and care plan (EHCP), have a social worker (CiN), or are looked after children  

6. If the child is on an EHCP

7. If the child has a social worker

8. The time the child signed into the school

9. The time the child signed out of the school

We may also be required to share information with neighbouring Local Education Authorities if your child is attending our school as a result of the COVID-19 pandemic response and your child’s previous school was in a neighbouring LEA.

For further details about who we share information with, please see our full Pupil and Parents and Employees Privacy Notices.

How long do we keep your personal data for?

We will only retain your data for as long as it is necessary to do so. In respect of parents, we will not retain a copy of the evidence that you provide to us to prove that you are a critical worker.

For further details about retention of your data, please refer to our full Pupils and Parents and Employees Privacy Notices.

What rights do you have over your data?

Under GDPR data subjects have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation
• to request access to your personal data that we hold, and be provided with a copy of it
• to request that your personal data is amended if inaccurate or incomplete
• to request that your personal data is erased where there is no compelling reason for its continued processing
• to request that the processing of your personal data is restricted
• to object to your personal data being processed

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

First Contact Team

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow Cheshire

SK9 5AF

casework@ico.org.uk  // 0303 123 1113

Lythe CEVC School – COVID-19 Testing of Staff in Primary Schools Privacy Statement

Ownership of the Personal Data 

To enable the Covid-19 testing to be completed at Lythe School we need to process personal data, including the sharing of personal data where this is allowed under data protection legislation.  Lythe School is the Data Controller for the data required for the management of tests and implementing local arrangements in the event of a positive test. 

We will process personal data relating to staff under article 6.1(f) of the UK GDPR – it is necessary in the legitimate interest of the data controller.  We will process special category personal data under the provisions of article 9.2(i) of the UK GDPR, and Part 1 of Schedule 1(3) of DPA 2018 where it is in the public interest on Public Health Grounds to ensure we can minimise the spread of COVID in a timely manner and enable us to continue to deliver education services as safely and securely as possible.  This data is processed under the obligations set out in Public Health legislation (Regulations 3(1) and (4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI)) which allows the sharing of data for COVID related purposes and where it is carried out by a health care professional OR someone who owes an equivalent duty of confidentiality to that data.

Ownership of the Personal Data you share with DHSC
Every time you use a lateral flow test you must report the results. More details can be found here – Report a COVID-19 test result – GOV.UK (www.gov.uk). The Department for Health and Social Care (DHSC) is the data controller for the information that you transfer to them about you and your test results. For more information about what the DHSC do with your data please see their COVID-19 Privacy Notice 

The school remains the Data Controller for the data we retain about you for the management of tests and implementing local arrangements in the event of a positive test.

You should read both this Privacy Notice and the DHSC COVID-19 Privacy Notice to understand how your personal data is used prior to taking a test.

Personal Data involved 

The following personal data is processed by the school in relation to your test: 

• Name
• Unique code assigned to each individual test and which will become the primary reference number for the tests.
• Test result 

For more information about what the DHSC do with your data please see their COVID-19 Privacy Notice 

How we store your personal information

The school will maintain a test kit log which will record against your name details of the testing kit which has been provided to you.  The school may also record Personal Data about you in its internal COVID-19 results register (the school’s COVID-19 results register will not be shared with DHSC).  This information will only be stored securely on locally managed systems with appropriate access controls in schools and will only be accessible to personnel involved in the management of tests and implementing local arrangements in the event of a positive test.  

The school will retain its test kit log and COVID-19 results register for a period of twelve (12) months from the date of the last entries made by the school into them.

For more information about what the DHSC do with your data please see their COVID-19 Privacy Notice 

Processing of Personal Data Relating to Positive test results 

We will use this information to enact our own COVID isolation and control processes without telling anyone who it is that has received the positive test.

For more information about what the DHSC do with your data please see their COVID-19 Privacy Notice 

This information will be kept by the school for period of twelve (12) months by the school and by the NHS for eight (8) years.

Processing of Personal Data Relating to Negative and Void test results 

We will record a negative and void result for the purpose of stock controls of tests and general performance of the testing process.

Data Sharing Partners

The personal data associated with test results will be shared with 

• DHSC, NHS, PHE – to ensure that they can undertake the necessary Test and Trace activities and to conduct research and compile statistical information about Coronavirus.
• Your GP – the NHS may share the information you provide with your GP to maintain your medical records and to offer support and guidance as necessary. Any data you provide to the school will not be shared with your GP.
• Local Government to undertake local public health duties and to record and analyse local spreads.

Personal Data in the school’s test kit log will be shared with DHSC to identify which test kit has been given to which individual in the event of a product recall. The school will not share its internal COVID-19 results register with DHSC.

Your Rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information. 

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances. 

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. 

Your right to object to processing – You have the the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at [insert email address, phone number and or postal address of school’s DPO] if you wish to make a request.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at [Insert your organisation’s contact details for data protection queries].

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:            

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Who are we?

Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. If you would like to discuss anything in this privacy notice, please contact (insert SPOC details) or Veritau Ltd. Veritau’s contact details are:

  Schools Data Protection Officer

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

 schoolsDPO@veritau.co.uk

01609 53 2526

 *Please ensure you include the name of the School in all correspondence with the DPO

What information do we collect?

The categories of information that we collect, hold and share include the following:

 Personal information of pupils and their family members  (e.g. name, pupil number, DOB and address)

• Educational and assessment attainment (such as KS1 and phonics results, post 16 courses and relevant results)
• Free school meal eligibility
• Attendance information (such as sessions attended, number of absences, absence reasons and any previous schools attended)
• Behavioural information (such as exclusions and any relevant alternative provision put in place)
• Safeguarding information (including but not limited to court orders and professional involvement)
• Photographs and communication preferences
• School trips
• Extra curricular activities
• Before and after school clubs

 We will also process certain ‘special category’ data about our pupils including:

 Relevant medical information – please be aware that where the pupil has a severe allergy or is thought to be at risk of needing emergency care for a medical issue then this will be shared with all relevant staff members. We may do this in the form of photo identification in the staff room to ensure that all staff members are aware of the issues should an emergency situation arise

• Special Educational Needs and Disabilities information (including the needs and ranking)
• Race, ethnicity and religion
• Biometric data e.g. thumbprints
• The school may also have information relating to you or your child’s sexual orientation and/or sexual activity. This is not routine and only likely to be collected if there is a safeguarding risk.

 Why do we collect your personal data?

We use the information we collect:

 to support pupil learning

• to monitor and report on pupil progress
• to provide appropriate pastoral care
  • to assess the quality of our services
  • to keep children safe (food allergies or emergency contact details)to meet the statutory duties placed upon us by the DfE
  • we also may keep some information for historical and archiving purposes in the public interest

 Any personal data that we process about our pupils and parents is done so in accordance with Article 6 and Article 9 of GDPR.

 Our legal basis for processing your personal data, in line with Article 6(1)(c) (legal obligation) includes (but not necessarily limited to):

• Education Act 1944,1996, 2002, 2011
• Education and Adoption Act 2016
• Education (Information About Individual Pupils)(England) Regulations 2013
• Education (Pupil Information) (England) Regulations 2005
• Education and Skills Act 2008
• Children Act 1989, 2004
• Children and Families Act 2014
• Equality Act 2010
• Education (Special Educational Needs) Regulations 2001

 We also process information in accordance with Article 6(e) (public task), Article 6(a) (consent), Article 9 (2)(a) (explicit consent where applicable) and Article 9(2)(g) (reasons of substantial public interest).

 We mainly collect pupil information through admission forms and common transfer file or secure file transfer from previous school. The majority of pupil information you provide to us is mandatory in line with your parental responsibility – for further details please see the following link https://www.gov.uk/government/publications/dealing-with-issues-relating-to-parental-responsibility/understanding-and-dealing-with-issues-relating-to-parental-responsibility.

However, some information we ask for on a voluntary basis. When we do process this additional information we will ensure that we ask for your consent to process it. 

 Where we are processing your personal data with your consent you have the right to withdraw that consent. If you change your mind, or are unhappy with our use of your personal data, please let us know by contacting the headteacher.

 Who do we obtain your information from?

Much of the information we process will be obtained directly from you (pupils and parents). We will also process information received from:

• Department for Education (DfE)
• Local Education Authority (North Yorkshire County Council)
• Previous schools attended

 Who do we share your personal data with?

We routinely share pupil information with:

• schools that the pupils attend after leaving us
• our Local Education Authority (North Yorkshire County Council) to ensure that they can conduct their statutory duties
• the Department for Education (DfE)
• National Health Service bodies

For more information on information sharing with the DfE (including the National Pupil Database and Census) please go to: https://www.gov.uk/government/publications/national-pupil-database-user-guide-and-supporting-information

We will not share any information about you outside the school without your consent unless we have a lawful basis for doing so. For example, we may also share your data with classroom/teaching apps and some websites for the purpose of enhancing pupil learning. Where we do this we will rely on either Article 6(e) (public task) or Article 6(a) (consent).

Where we rely on Article 6(e) you have the right to object to processing and where we are relying on Article 6(a) you have the right to withdraw that consent at any time. Please see section below on data subject rights.

How long do we keep your personal data for?

Lythe School will keep your data in line with our Information Policy. Most of the information we process about you will be retained as determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.

What rights do you have over your data?

Under GDPR parents and pupils have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation
• to request access to your personal data that we hold, and be provided with a copy of it
• to request that your personal data is amended if inaccurate or incomplete
• to request that your personal data is erased where there is no compelling reason for its continued processing
• to request that the processing of your personal data is restricted
• to object to your personal data being processed

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

Please be aware that usually pupils are considered to have the mental capacity to understand their own data protection rights from the age of 12 years old. The school may therefore consult with the pupil if it receives a request to exercise a data protection right from a parent.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

First Contact Team

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow Cheshire

SK9 5AF

casework@ico.org.uk  // 0303 123 1113

Last Updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated on 24^th April 2020.

This Privacy Notice has been written to inform you about how Lythe School processes your personal data when you visit our website. This notice only applies to how the school uses your data when you visit our website. For more information about how the school uses personal data in general please see our other privacy notices by clicking on the links to the left.

Who are we?

Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Information Governance     

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

 schoolsDPO@veritau.co.uk

01609 53 2526 

 Cookies

When you visit our website we will place a small file on your electronic device (computer, phone, or tablet etc) – this file is called a ‘Cookie’. This is a common practice that most websites that you visit will use.

Cookies are used so that:

• We can remember the  information you’ve provided us with while on our website, so you don’t have to keep re-entering the information whenever you visit a new page
• We can look at how you use our website so that we can improve it for other users

When you use our website you agree that we can put these cookies on your device. 

We do not use Cookies that also monitor other websites that you’ve visited (these are known as privacy intrusive cookies).

Our cookies will not identify you but if you prefer you may wish to turn Cookies off. For more information about how to this, and more information about Cookies i general, please see https://www.aboutcookies.org/ 

Google Analytics

Because we want to make sure our web content is the best that it could possibly be we use something called Google Analytics to collect information about how people use this website.

Google Analytics collects information about:

• · What pages you visit on this website,
• · How long you are on this website,
• · What you did to get here (through another website or by search engine),
• · What you clicked on when visiting this website,
• · The number of times a word is searched for and the number of negative returns of a search result.

We do not collect any personal information (such as your name) only the above activity.

This is an example of how we store this data and how long we keep it for:

For more information about Google Analytics and to opt out of Google Analytics all together please see: http://tools.google.com/dlpage/gaoptout

Copyright

Any information on this website, including not limited to graphics, design, text, and images are subject to Copyright which belongs to the School or a third party that has given permission for the School to use this information. The School grants permissions to electronically copy, print to hard copy, or transfer such material so long as it is for school business only.

Disclaimer and External Links

The School makes every effort to ensure the content on this website is correct and factual. The School accepts no liability for any inconvenience or loss caused by reliance on any information contained on this website.

The School makes every effort to ensure links to external websites are secure. The School accepts no liability for the privacy practices of those external websites.

Accessibility

To see our website accessibility statement, click here.

This Privacy Notice has been written to inform volunteers (including governors of Lythe CEVC SChool about what we do with your personal information.

Who are we?

Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Information Governance     

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

 schoolsDPO@veritau.co.uk

01609 53 2526 

What information do we collect and why do we require it?

As part of your volunteer role Lythe School may need to assess your suitability for the role. This means that we need to collect information about you in order to facilitate this.

The personal data we collect about you includes:

 Personal identifiers (your name, address, contact details)

• Personal information relating to your particular role (i.e. if you are a parent governor etc)
• Information relating to the history of your appointment
• Register of business interests
• Race and/or ethnicity may be collected for equality monitoring purposes

 Who do we obtain your information from?

Much of the information we process will be obtained directly from your application form. However, we may need to collect data about you from, but not necessarily limited to, the following organisations:

• The Local Authority.
• The Disclosure & Barring Service

Who do we share your personal data with?

Your information will only be made available to those who need it to do their job in relation to your role as a volunteer. This includes the relevant administrative staff.

We will share your information with the following organisations

• Disclosure and barring service to conduct criminal record checks, if applicable

• Department for Education
• Local Authority

How long do we keep your personal data for?

The school will keep your data in line with our Information Policy. Most of the information we process about you will be determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.

Do you transfer my data outside of the UK?

Generally the information that the school holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. We will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK government. If we do need to send your data out of the European Economic Area it will ensure it has extra protection from loss or unauthorised access.

What is our lawful basis for processing your personal data?

The School processes your personal data and special category data based on its legal responsibilities to:

• Safeguard pupils it has responsibility for,
• Maintain adequate health and safety standards,
• Monitor equality and diversity at our school.

The School relies on Article 6(1)(c) and Article 9(2)(b) of the GDPR to process your personal and special category data.

What rights do you have over your data?

Under GDPR, individuals have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation
• to request access to your personal data that we hold, and be provided with a copy of it
• to request that your personal data is amended if inaccurate or incomplete
• to request that your personal data is erased where there is no compelling reason for its continued processing
• to request that the processing of your personal data is restricted
• to object to your personal data being processed

You can exercise any of these rights by contacting: Head Teacher Mrs Lisa Armstrong

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

This Privacy Notice has been written to inform prospective employees of Lythe School  about what we do with your personal information.

Who are we?

Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Schools Data Protection Officer

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

schoolsDPO@veritau.co.uk

01609 53 2526

*Please ensure you include the name of the School in all correspondence with the DPO.

What information do we collect and why do we require it?

As part of your job application Lythe School will need to assess your suitability for the vacancy. This means that we need to collect information about you in order to facilitate this.

This information includes, but is not necessarily limited to:

• Your name(s), title, contact details, address, and National Insurance Numbers;
• ID Documents;
• Eligibility to Work
• Previous employment history;
• Education and Professional Qualifications;
• Membership of professional or government bodies;
• Referee Details;
• Equalities information (so that we can monitor workplace equality);
• Any information provided by your nominated referees (which includes any relevant disciplinary actions and/or sickness information)
• Any other relevant information you wish to provide to us;

Who do we obtain your information from?

Much of the information we process will be obtained directly from your application form. However, we may need to collect data about you from, but not necessarily limited to, the following organisations:

• Your nominated referees,
• The Disclosure and Barring Service,
• The Local Authority.

Who do we share your personal data with?

Generally we will keep your personal data within the school but in some instances may be required to disclose your personal data to:

• Third party assessment providers (in order to facilitate your suitability for a role),
• The Local Authority (who may assist the school with the recruitment process),
• Our governing body.

Sometimes your application may need to be submitted to an assessment panel. These panels could include individuals from other organisations. We will tell you if this is the case.

How long do we keep your personal data for?

What is our lawful basis for processing your personal data?

The School is required to process your personal data and your special category data for the performance of your employment contract or to take necessary steps to enter in to an employment contract.

The School is also legally required to collect some information as defined by employment law (i.e equalities and diversity).

What rights do you have over your data?

Under GDPR you have the following rights in relation to the processing of your personal data:

• To be informed about how we process your personal data. This notice fulfils this obligation
• To request access to your personal data that we hold, and be provided with a copy of it
• To request that your personal data is amended if inaccurate or incomplete
• To request that your personal data is erased where there is no compelling reason for its continued processing
• To request that the processing of your personal data is restricted
• To object to your personal data being processed

You can exercise any of these rights by contacting: <Insert Contact Details of School>

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

This privacy notice has been written to inform prospective, current, and former employees of Lythe School about how and why we process their personal data.

Who are we?

Lythe School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

Employees of voluntary controlled and community schools are considered to be employees of the local authority and therefore both the School and North Yorkshire County Council are considered to be joint data controllers in regards to employee data.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Information Governance     

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

 schoolsDPO@veritau.co.uk

01609 53 2526  

What information do we collect and why do we need it?

The School and the Local Authority require your personal information, and sometimes your special category data, in order to fulfil requirements set out in both your employment contract and by employment legislation.

To find out more about what information we collect, why we collect it, and what our lawful basis is then please see the Employment Privacy Notices on the Local Authority’s website:

Delete/Add as appropriate

North Yorkshire County Council  

City of York Council

East Riding of Yorkshire County Council

Hartlepool Borough Council

Redcar and Cleveland Borough Council

Doncaster Council

Cumbria County Council

Newcastle Council

Photographs

We will seek your consent to use your photo on our website. Please note that you can withdraw this consent at any time.

Who has access to your personal data in the School?

Your information will only be made available to those who need it to do their job in relation to your employment. This includes your line manager(s), the business manager, and relevant administrative staff.

Please see the Council Privacy Notices to see who in the Council has access to your personal data.

Your name, job title, work email address, telephone number and photograph will be available in your personnel file and on SIMS, which are accessible to the Head Teacher and the school Secretary.

Who do we share your personal data with?

Please see the Council employee privacy notices to find out more about who the School and Council may share your data with.

We have duties under the Freedom of Information Act 2000 to disclose information we hold unless there is a very good reason to withhold it. Therefore we may disclose your name and work email address publicly in response to a request if we are required to do so.

The school also has a specific duty (section 537A of the Education Act 1996) to share your information with the Department of Education for the purpose of the annual school census.

How long do we keep your personal data for?

Lythe School will keep your data in line with our Information Policy. Most of the information we process about you will be determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.

Do we transfer your data outside of the UK?

Generally the information that the school holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. We will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK government. If we do need to send your data out of the European Economic Area it will ensure it has extra protection from loss or unauthorised access.

What rights do you have over your data?

Under GDPR, individuals have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation
• to request access to your personal data that we hold, and be provided with a copy of it
• to request that your personal data is amended if inaccurate or incomplete
• to request that your personal data is erased where there is no compelling reason for its continued processing
• to request that the processing of your personal data is restricted
• to object to your personal data being processed

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

First Contact Team

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow Cheshire

SK9 5AF

casework@ico.org.uk  // 0303 123 1113

The Surveillance Policy and CCTV privacy notice are under review September 2019

The privacy notice for parents of children in Reception can be found by clicking here.

This Privacy Notice has been written to inform individuals who are contemplating making a complaint, are in the progress of making a complaint, or have previously made a complaint about what Lythe CEVC School does with your personal data as part of the school’s complaints process.

Who are we?

Lythe CEVC School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:

Schools Data Protection Officer

Veritau Ltd

County Hall

Racecourse Lane

Northallerton

DL7 8AL

schoolsDPO@veritau.co.uk

01609 53 2526

*Please ensure you include the name of the School in all correspondence with the DPO

 What information do we collect and why do we require it?

As school we are obliged to have a complaints procedure in place. As part of our complaints procedure we are required to process personal data. 

The personal data we collect about you includes:

• Personal identifiers (your name, address, contact details)
• Any relevant information we hold on School systems and databases,
• Any information you, or a party to the complaint, provides us with,
• Any information passed to us by any other organisation,
• Witness statements,
• Any relevant correspondence we have had with you or another party to the complaint – including internal correspondence about you,
• Any relevant video recording (including CCTV), audio recordings,  or images,
• Investigation interview notes.

Who do we obtain your information from?

Much of the information we process will be obtained directly from your complaint or from a complaint made by another individual. However, we may need to collect data about you from, but not necessarily limited to, the following organisations:

• Department of Education,
• The Local Authority,
• Our appointed Data Protection Officer
• Ofsted
• The Police and/or other Law Enforcement bodies
• Local Health and/or social care providers

Who do we share your personal data with?

According to our complaints procedure all complaints are handled by the Headteacher or Governors. However, Within the School we will disclose any relevant data to any individual (usually an employee or governor) that requires the data in order to complete the investigation, to administer the complaint, or to receive advice about how to handle a complaint.

The following organisations may also receive your data if allowed by law:

• Department of Education
• The Local Authority
• Our appointed Data Protection Officer
• Ofsted
• Information Commissioner’s Office
• Any other organisation and/or regulator when the School is legally required to disclose your information.

How long do we keep your personal data for?

Generally the school will keep personal data collected as part of the complaints process for six years upon closure of the complaint. This is to ensure that the School can demonstrate the complaint has been handled appropriately.

In some cases information gathered as part of a complaint investigation will need to be kept for longer than six years in accordance with various legislation. For example any complaints in relation to Looked after Children will be kept for 70 Years from closure of the file.

Do you transfer my data outside of the UK?

Generally the information that the school holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. We will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK government. If we do need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.

What is our lawful basis for processing your personal data?

The School is legally required to operate a relevant complaints procedure as per the

(Maintained Schools, VA Schools, VC Schools) Education Act 2002

As such the School relies on Article 6(1)(c) and Article 9(2)(g) of the GDPR to process your personal and special category data. This is in pursuance with Schedule 1, Part 2 (6)(2)(a) of the Data Protection Act 2018 – this means that the School can process your data as part of the official authority vested in us by the above legislation.

What rights do you have over your data?

Under GDPR, individuals have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation
• to request access to your personal data that we hold, and be provided with a copy of it
• to request that your personal data is amended if inaccurate or incomplete
• to request that your personal data is erased where there is no compelling reason for its continued processing
• to request that the processing of your personal data is restricted
• to object to your personal data being processed

You can exercise any of these rights by contacting: Headteacher Mrs Lisa Armstrong

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:

We use a number of websites for sharing information with parents and for educational purposes for the children.  Privacy notices for companies that we use can be found by clicking below:

Tapestry (Acorn Class only)

Facebook

Class Dojo

Times Tables Rock Stars

SpellingFrame