Privacy Policy
For the latest information on what data we hold and how we comply with GDPR regulations please refer to the following. A copy of these documents can also be downloaded from the policies page.
GDPR POLICY
St Angela’s Ursuline School Data Protection Policy
Purpose
St Angela’s is committed to being transparent about how it collects and uses the personal data of its pupils, parents and staff. As a school we are determined to meet our data protection obligations. This policy sets out the school's commitment to data protection, and individual rights and obligations in relation to personal data.
This policy applies to all pupils, parents, governors and stakeholders within the wider school. This policy applies to the personal data of job applicants, employees and former employees, referred to as HR-related personal data.
Definitions
"Personal data" is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data protection principles
St Angela’s processes personal data in accordance with the following data protection principles:
-
processes personal data lawfully, fairly and in a transparent manner;
-
collects personal data only for specified, explicit and legitimate purposes;
-
processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
-
keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
-
keeps personal data only for the period necessary for processing;
-
adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
St Angela’s believes in telling individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where the school relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
Where the school processes special categories of personal data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data.
The school pledges to update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate. Similarly, the school pledges to update any other personal information that may be held by the school on request.
Personal data is held in the individual's personal file (in hard copy or electronic format, or both), and on other encrypted/locked systems. This is true for all stakeholders. The periods for which the school holds all personal data are contained in its privacy notices to individuals and in accordance with the schools data protection retention schedule.
St Angela’s keeps a record of its processing activities in respect of all personal data in accordance with the requirements of the General Data Protection Regulations (GDPR).
Individual rights
As a data subject, individuals have a number of rights in relation to their personal data.
The use of images and/or data for a specified purpose
The school will always seek consent from an individual (and where applicable parents also) prior to the use of personal data and/or images for any purpose. We acknowledge that this consent may also be withdrawn at any time.
Subject access requests
Individuals (whether pupil, parent or any other stakeholder for which we may hold data) have the right to make a subject access request*. If an individual makes a subject access request, the school will tell them:
-
whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
-
to whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
-
for how long their personal data is stored (or how that period is decided);
-
their rights to rectification or erasure of data, or to restrict or object to processing;
-
their right to complain to the Information Commissioner if they think the organisation has failed to comply with their data protection rights; and
-
whether or not the school carries out automated decision-making and the logic involved in any such decision-making.
(*please note that for pupils below the age of 16 such a request would, in most cases, have to have the support of a parent/legal guardian)
To make a subject access request, the individual should send the request to datamanager@stangelas-ursuline.co.uk or use the school's form for making a subject access request which can be found on our website. In some cases, the school may need to ask for proof of identification before the request can be processed. The school will inform the individual if it needs to verify their identity and the documents it requires.
The school will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the organisation processes large amounts of the individual's data, it may respond within three months of the date the request is received. The school will write to the individual within one month of receiving the original request to tell them if this is the case.
If a subject access request is manifestly unfounded or excessive, the school is not obliged to comply with it. Alternatively, the school can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the school has already responded. If an individual submits a request that is unfounded or excessive, the school will notify them that this is the case and whether or not it will respond to it.
Other rights
Individuals have a number of other rights in relation to their personal data. They can require the school to:
-
rectify inaccurate data;
-
stop processing or erase data that is no longer necessary for the purposes of processing;
-
stop processing or erase data if the individual's interests override the schools legitimate grounds for processing data (where the school relies on its legitimate interests as a reason for processing data). This includes exercising ‘the right to be forgotten’;
-
stop processing or erase data if processing is unlawful; and
-
stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the schools legitimate grounds for processing data.
To ask the organisation to take any of these steps, the individual should send the request to datamanager@stangelas-ursuline.co.uk
Data security
The School takes the security of all personal data very seriously. The school has internal controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by staff in the proper performance of their duties.
Where the school engages third parties such as Payroll (for Staff) or SIMS (for pupils & parents) to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Data breaches
If the school discovers that there has been a breach personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The school will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
International data transfers
The school will never transfer personal data to countries outside the European Economic Area regardless of the current legal status of the UK with the European Union.
Individual responsibilities
Individuals are responsible for helping the school keep their personal data up to date. Individuals should let the school know if data provided changes, for example if an individual moves house (pupils & parents) or changes their bank details (staff).
Members of staff may have access, depending on their role, to the personal data of other individuals in the course of their employment in order to exercise their duties. Where this is the case, the school relies on staff to help meet its data protection obligations to students, parents and colleagues.
Individuals who have access to personal data are required:
-
to access only data that they have authority to access and only for authorised purposes;
-
not to disclose data except to individuals (whether inside or outside the school) who have appropriate authorisation;
-
to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
-
not to remove personal data, or devices containing or that can be used to access personal data, from the schools premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
-
not to store personal data on local drives or on personal devices that are used for work purposes; and
-
report data breaches of which they become aware to datamanager@stangelas-ursuline.co.uk immediately.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the schools disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing pupil or staff data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
Training
The school will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
Click here to download our GDPR POLICY
PARENT AND PUPIL PRIVACY NOTICE
St Angela’s Ursuline School Parent and Pupil Privacy Notice
Appendix 3 - St Angela’s Ursuline School – Parent, Carer & Pupil Privacy Notice
St Angela’s collects and processes personal data relating to the pupils it serves. St Angela’s is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations and compliance with data protection legislation (GDPR).
What information does St Angela’s collect?
St Angela’s Ursuline School, St Georges Road, Forest Gate, E7 8HU is the ‘Data Controller’ and as such stores information provided by you. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
St Angela’s collects and processes a range of information about yourself and pupils.
This may include:
-
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
-
Date of birth
-
Gender
-
Nationality
-
Parental/Guardian contact details emergency contact information
-
Dietary Information
-
Medical information
-
Ethnic/Cultural information
-
Additional language information
-
Religious observance details
-
Free School Meal entitlement
-
Previous school history
-
Welfare information
-
Special Educational Needs information
-
Biometric information
-
CCTV images
-
Photographs recorded for numerous purposes (for example newsletter pictures etc…)
St Angela’s collects this information in numerous ways, the majority by secure electronic transfer (CTF) from feeder primary schools and other pieces as time goes by. For example, data is collected from forms completed by you when your daughter/son (6th form) joins the school; from correspondence with you; or through interviews, meetings or other methods.
Data is stored in a range of different places, but the majority is stored within the schools information system (SIMS) and also in the pupils own electronic file. Information may also be held in other secure locations.
Why does St Angela’s process personal data?
St Angela’s needs to process data in order to ensure we meet our educational and safeguarding obligations. We will not hold information that we do not need to this end.
In some cases, the school needs to process data to ensure that it is complying with its legal obligations to students and to ensure that pupil’s needs are being met. For example, the school will analyse the progress being made by key groups of pupils as they move through the school.
Who has access to data?
In any school information that is not sensitive is shared between staff, usually via the schools information systems (SIMS). More sensitive information is only shared with staff on a ‘need to know’ basis.
Sometimes information is shared with external agencies electronically via secure electronic means. Only information that relates to educational purposes is shared, and never the more personal information. The school uses various systems for management purposes. Otherwise the school would never share personal information with any third party and would certainly never transfer your data to countries outside the European Economic Area, regardless of the current or future status of the UK within the European Union.
How does St Angela’s protect data?
The school takes the security of your data seriously. The school has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where the school engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement the appropriate technical measures to ensure the security of data.
For how long does St Angela’s keep data?
The periods for which data is held after a pupil leaves are kept in accordance with St Angela’s Data Protection Retention Schedule, a copy of which can be found on our website. We would certainly never keep information longer than we would need.
Your rights
As a data subject, you have a number of rights. You can:
-
access and obtain a copy of your data on request;
-
require the school to change incorrect or incomplete data;
-
require the school to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
-
object to the processing of your data where the school is relying on its legitimate interests as the legal ground for processing;
-
ask the school to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the school's legitimate grounds for processing data; and
-
In certain instances, request that your personal data be deleted or rectified.
If you believe that the school has not complied with your data protection rights, you can complain to the Information Commissioner. https://ico.org.uk/
What if you do not provide personal data?
If you do not provide information, this could hinder the school's ability to administer the rights and obligations arising from our role as educators. The school would only ever request the information that it needs, and would never hold on to information for longer than it has to.
Contact & Further Information
St Angela’s has appointed Miss S Osun as the Data Protection Officer (DPO), the person with responsibility for data protection and compliance within the school.
You can contact the DPO if you wish to exercise any of your rights, have queries about this privacy notice, or requests for further information by email datamanager@stangelas-ursuline.co.uk
If you believe that the school has not complied with your data protection rights, you can complain to the Information Commissioner. https://ico.org.uk/
Click here to download our PARENT AND PUPIL PRIVACY NOTICE
JOB APPLICANT PRIVACY NOTICE
St Angela’s Ursuline School Job Applicant Privacy Notice
Appendix 2 - St Angela's Ursuline School – Job Applicant Privacy Notice
St Angela’s Ursuline School, St Georges Road, Forest Gate, E7 8HU is the Data Controller.
As part of any recruitment process, St Angela’s Ursuline School collects and processes personal data relating to job applicants. The school is committed to being transparent about how it collects and uses that data and to meeting data protection obligations (GDPR).
What information does St Angela’s collect?
The school collects a range of information about you. This includes:
-
your name, address and contact details, including email address and telephone number;
-
details of your qualifications, skills, experience and employment history;
-
information about your current level of remuneration, including benefit entitlements;
-
whether or not you have a disability for which the school needs to make reasonable adjustments during the recruitment process;
-
information about your entitlement to work in the UK; and
-
equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
The school collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.
In certain cases, St Angela’s Ursuline School will also collect personal data about you from third parties, such as references supplied by former employers. St Angela’s Ursuline School will seek information from third parties you provide details for on your application form or otherwise agreed.
Data will be stored in a range of different places, including on your application record, in HR management systems and on other encrypted IT systems.
Why does St Angela’s process personal data?
St Angela’s Ursuline School needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.
In some cases, the school needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.
The school has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the school to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The school may also need to process data from job applicants to respond to and defend against legal claims.
The school processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.
On appointment where St Angela’s Ursuline School processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.
The school will not use your data for any purpose other than the recruitment exercise for which you have applied.
Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes HR, interviewers & Senior Leaders involved in the recruitment process.
The school will not share your data with third parties other than those provided and agreed to provide references for you (ie. former employers).
The school will not transfer your data to countries outside the European Economic Area, regardless of the current or future status of the UK within the European Union.
How does St Angela’s protect data?
The school takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
For how long does St Angela’s keep data?
If your application for employment is unsuccessful, the school will hold your data on file for 6 months after the end of the relevant recruitment process.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.
Your rights
As a data subject, you have a number of rights. You can:
-
access and obtain a copy of your data on request;
-
require the school to change incorrect or incomplete data;
-
require the school to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
-
object to the processing of your data where the school is relying on its legitimate interests as the legal ground for processing;
-
ask the school to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the school's legitimate grounds for processing data; and
-
In certain instances, request that your personal data be deleted or rectified.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the school during the recruitment process. However, if you do not provide the information, the school may not be able to process your application properly or at all.
Automated decision-making
Recruitment processes are not based solely on automated decision-making.
Contact & Further Information
St Angela’s has appointed the School Business Manager as the Data Protection Officer (DPO), the person with responsibility for data protection and compliance within the school.
You can contact the DPO if you wish to exercise any of your rights, have queries about this privacy notice, or requests for further information by email datamanager@stangelas-ursuline.co.uk
If you believe that the school has not complied with your data protection rights, you can complain to the Information Commissioner. https://ico.org.uk/
Click here to download our JOB APPLICANT PRIVACY NOTICE
DATA RETENTION SCHEDULE
Click here to download our DATA RETENTION SCHEDULE
STAFF PRIVACY NOTICE
Click here to download our STAFF PRIVACY NOTICE
FREEDOM OF INFORMATION
Click here to download our FREEDOM OF INFORMATION guidance
St Angela's Privacy Promise
Some of our students describe how we aim to respect your privacy at all times:
Cookies Used
Strictly Necessary Cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.
You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages.
If you do not allow these cookies then some or all of these services may not function properly.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.