PRIVACY NOTICE

Eagle-Logo-web-tr
General Statement of the School’s Duties
Data Protection Law (the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018, as amended or superseded) places duties on organisations and individuals to process personal information fairly and lawfully.  Where there are safeguarding concerns with regard to a pupil which might result in their being placed at risk of harm, the School will follow its Safeguarding Policy with regard to sharing of information.

The School processes personal data of pupils and their parents or guardians, as well as staff and others involved with the School, as part of its operation and shall take all reasonable steps to do so in accordance with this Notice.  Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data.  In this Notice any reference to pupils includes current, past or prospective pupils.
 
Responsibility for Data Protection
The School has appointed the Bursar as Data Protection Officer (DPO).  The DPO will endeavour to ensure that all personal data is processed by the School in accordance with this Notice and in compliance with Data Protection Law. Any queries about this Notice and data protection should be directed to the DPO: Margaret Fowler, Belhaven Hill School, Belhaven Road, Dunbar, East Lothian, EH42 1NN (email: margaretfowler@belhavenhill.com).
 
The Principles
The School shall comply with the Data Protection Principles (‘the Principles’) contained in Data Protection Law to ensure all data is:
  1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
  2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
  4. Accurate and where necessary kept up to date (Accuracy).
  5. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
The School is responsible for and must be able to demonstrate compliance with the Principles listed above (Accountability)

Types of Personal Data
Personal data is information from which a living individual can be identified either directly or indirectly when taken together with other information held by the School. Personal data covers both facts and opinions about an individual. 
 
The School may process a wide range of personal data of pupils, their parents or guardians, staff and others as part of its operation.  This personal data may include (but is not limited to); names and addresses, bank details, academic and disciplinary records, admissions and attendance records, references, examination scripts and marks.
 
Processing Personal Data
The School will need to carry out this processing in order to fulfil its legal rights, duties or obligations – including those pursuant to contract with its staff or with parents.
 
Other uses of personal data will be made in accordance with the School’s legitimate interests, or the legitimate interests of third parties, provided that these are not outweighed by the impact on the individuals concerned, and provided it does not involve special or sensitive types of personal data.  The School expects that the following uses of personal data may fall within that category of its “legitimate interests”:
  • for the purposes of admission to the School;
  • to provide education services, including musical education, physical training or spiritual development, and extra-curricular activities to pupils, and monitoring pupils' progress and educational needs;
  • maintaining relationships with alumni, their families, former staff and the school community;
  • for the purposes of management planning and forecasting, research and statistical analysis;
  • to enable relevant authorities to monitor the School's performance and to intervene or assist with incidents as appropriate;
  • to give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils;
  • to enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School;
  • to safeguard pupils' welfare and provide appropriate pastoral care;
  • to monitor (as appropriate) use of the School's IT and communications systems
  • for security purposes; and
  • where otherwise reasonably necessary for the School's purposes, including to obtain appropriate professional advice and insurance for the School.
 
Sensitive Personal Data
The School may, from time to time, be required to process sensitive personal data regarding a pupil, their parents or guardians, staff and others involved with the School.  Sensitive personal data includes medical information and data relating to religion, race, or criminal records and proceedings. Examples of where the School processes sensitive personal data of pupils are; school health records, wellbeing assessments and wellbeing self-assessments. Where sensitive personal data is processed by the School, the explicit consent of the appropriate individual will generally be required in writing unless another condition for processing under Data Protection Law is met, for example where disclosure is necessary to protect the vital interests of a pupil, is necessary for the purposes of exercising or performing any right or legal obligation in relation to employment; is necessary for the purpose of establishing, exercising or defending legal rights; or is necessary for the exercise of any function conferred on the School by law.
 
Sharing Information
The School may, from time to time, need to share personal data relating to pupils and their parents or guardians, staff and others involved with the School with third parties, such as professional advisers (professional bursary assessors, lawyers and accountants) or relevant authorities (HMRC, police or the local authority.)  In considering whether to share personal data the School must first establish who is requesting the personal data and for what purpose.  In determining whether data should be shared with any third party, the School will consider the provisions of Data Protection law and where relevant refer to Data Sharing checklists produced by the Information Commissioner’s Office.  The School will consider the following:
  • necessary & proportionate - how much information is needed and whether the amount of information to be shared is proportionate to that need and the level of risk attached to sharing the information,
  • relevant - only information that is relevant will be shared with those who need it,
  • adequate - information must be of sufficient quality that it can be understood and relied upon,
  • accurate - information must distinguish between fact and opinion and must be accurate and up to date,
  • timely - the need for urgency must be considered and balanced with the risk of delay in obtaining consent,
  • secure - the means of sharing information must be secure and confined to those for whom the information is intended
  • recorded - decisions to share information or not to do so must be recorded, with reasons given and a record taken of whom the information has been shared with.
 
The School may also receive requests from third parties to disclose personal data it holds about pupils, their parents or guardians, staff or others.  The School confirms that it will not generally disclose information unless the data subject has given their consent, another legal condition applies, or one of the specific exemptions under the Legal Framework applies.  The School may, for example disclose such personal data as is necessary to third parties for the following purposes:
  • To give a confidential reference relating to a pupil to any educational institution which it is proposed that the pupil may attend.
  • To give information relating to outstanding fees or payment history to any educational institution which it is proposed that the pupil may attend.
  • To publish the results of public examinations or other achievements of pupils of the School.
  • To disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example for medical advice, or to organisers of school trips.
 
RIGHTS OF ACCESS
  • Subject access request under Data Protection Law
Under Data Protection Law, individuals have a right of access to their personal data processed by the School (a subject access request or SAR).  Any individual wishing to access their personal data should put their request in writing to the DPO.  The School will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within a month.  Where appropriate the School may require confirmation of identity (e.g. passport copy), a signed mandate authorising a representative to exercise the right on another’s behalf; or further information to locate the requested personal data.
 
You should be aware that certain personal data is exempt from the right of access under the Legal Framework.  This may include information which identifies other individuals or information which is subject to legal professional privilege.
 
The School is also not required to disclose any pupil examination scripts.  The School will also treat as confidential any reference given by the School for the purpose of the education, training or employment, or prospective education, training or employment of any pupil.  The School acknowledges that an individual may have the right to access a reference relating to them received by the School.  However, such a reference will only be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent or if disclosure is reasonable in all the circumstances.
 
  • Right to request educational record
Under the Pupils Educational Records (Scotland) Regulations 2003 (“the 2003 Regulations”), parents have an independent right to request access to the educational records of their child.  To be valid a request must be made in recorded format, include the contact details of the requester and describe the requested information.  If the School is in doubt, confirmation as to the identity of the requester should be sought. Within 15 school days following receipt of the request, the School should either have the information ready for inspection, or provide a copy.
 
Under the 2003 Regulations, an educational record means any records of information, excluding information contained in a Record of Needs or a coordinated support plan, which is processed by or on behalf of the School that:
  • relates to a person who is or has been a pupil at the School;
  • relates to the school education of that person; and
  • originated or was supplied by a teacher, other employee of the School, the pupil to whom the information relates or their parent, other than information which is kept and intended to be kept by a teacher or by an employee of the responsible body solely for their own use.
 
Under the 2003 Regulations, the School should not disclose any information:
  • that is the pupils’ sensitive personal data as defined in Data Protection Law (this includes information as to the pupil’s physical or mental health or condition)
  • to the extent that its disclosure would in the opinion of the School, be likely to cause significant distress or harm to the pupil or any other person; or
  • that consists of a reference given or to be given in confidence by the School for the purposes of the education, training or employment, or prospective education, training or employment, of the pupil.
 
Where a pupil transfers to another school, if requested by the new school, the School should provide a copy of the pupil’s education record to the new school, free of charge and within 15 school days.
 
Other Rights
As well as the right to access, individuals have the following rights under Data Protection Law in relation to the processing of their personal data:
  • The right to request that inaccurate data held about them is rectified
  • The right to request the erasure of personal data
  • The right to restriction of processing
  • The right to object to processing, and
  • The right to data portability.
 
Where the School is relying on consent as a means to process personal data, an individual may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that the School may have another lawful reason to process the personal data in question without an individual’s consent. That reason will usually have been asserted under this Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment or parent contract, or because a purchase of goods, services or membership of an organisation has been requested).
 
For more information and guidance about any of these rights individuals should go to the website of the Information Commissioner’s Office at https://ico.org.uk/.

Whose Rights
In Scotland, the law presumes that a child aged 12 years or more has the capacity to exercise their rights under Data Protection Law  or to make a Subject Access Request (SAR).  In considering the rights of children under Data Protection Law, the School will consider the particular pupil’s maturity/ understanding in relation to their rights and the nature of the information requested.
 
The rights under Data Protection Law are the individual’s to whom the data relates.  Where consent is required, the School will, however, often rely on parental consent to process data relating to pupils unless, given the nature of the processing in question, and the pupil’s age and understanding, it is unreasonable in all the circumstances to rely on the parents’ consent.  Parents should be aware that in such situations they may not be consulted.
 
Where a pupil withholds their agreement to their personal data being disclosed to their parents or guardian, the School will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where the School believes disclosure will be in the best interests of the pupil or other pupils.
 
Use of Personal Information by the School for promotional/marketing purposes
The School will, from time to time, make use of personal data relating to pupils, their parents or guardians in the following ways; 
  • To make use of photographic images of pupils in School publications and on the School website. 
  • For fundraising, marketing or promotional purposes and to maintain relationships with pupils of the School, including transferring information to any association society or club set up for the purpose of establishing or maintaining contact with pupils or for fundraising, marketing or promotional purposes. 
 
In these circumstances the School will obtain specific consent to the processing of relevant personal data.
 
 
Accuracy
The School will endeavour to ensure that all personal data held in relation to an individual is accurate.  Individuals must notify the DPO of any changes to information held about them. 
 
Security
The School will take reasonable steps to ensure that members of staff will only have access to personal data relating to pupils, their parents or guardians where it is necessary for them to do so.  The School have put in place appropriate technical and organisational measures to ensure the security of personal data about individuals. The School has information security measures in place to prevent unauthorised access to or loss of personal data.  All staff will be made aware of these measures and their duties under Data Protection Law, including through regular training.
 
Record Keeping
The School will only retain personal data as long as necessary or for historical or statistical archive purposes as permitted by the Legal Framework. The School’s data retention periods are informed by the School’s relevant legal obligations and are set out in the School’s Records Retention Schedule which forms part of the School’s Records Management Policy, for example, under the Pupils’ Educational Records (Scotland) Regulations 2003, the School is required to keep a pupil’s education record for 5 years following the pupil having ceased to receive School Education. Due to the Scottish Child Abuse Inquiry, the School must retain all school records 1945 and 2014. Once this Inquiry has been completed and the statutory obligation to retain records no longer applies, the retention schedule will be applied.  All personal data will be disposed of securely.
 
Complaints
If an individual believes that the School has not complied with this Notice or acted otherwise than in accordance with Data Protection Law, they should utilise the School complaints procedure and should also notify the DPO. A referral can also be made, or a complaint can be lodged, with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve a matter where possible with a data controller, i.e. the School, before involving the ICO.
 
Review
This Notice will be reviewed annually by the DPO and the Board of Governors.

May 2018
 
Close This site uses cookies. If you continue to use the site you agree to this. For more details please see our cookies policy.