To meet the requirements of the Data Protection Act 2018 and General Data Protection Regulation (GDPR), schools are required to issue a Privacy Notice to children and young people and/or parents and guardians summarising the information held on record about children and young people, why it is held, and the third parties to whom it may be passed.
This Privacy Notice provides information about the collection and processing of children’s or young people’s personal and performance information by St Teilo's, Cardiff Council (LA) and the Welsh Government.
The collection of personal information
The school collects information about children and young people and their parents or legal guardians when children and young people enrol at the school. The school also collects information at other key times during the school year and may receive information from other schools when children and young people transfer.
The School processes the information it collects to administer the education it provides to children and young people. For example:
- the provision of educational services to individuals;
- monitoring and reporting on pupils’/children’s educational progress;
- the provision of welfare, pastoral care and health services;
- the giving of support and guidance to children and young people, their parents and legal guardians;
- the organisation of educational events and trips;
- the planning and management of the school.
The Welsh Government receives information on the school workforce and pupils directly from schools normally as part of statutory data collection which consists of the following:
- Post-16 data collection
- Pupil Level Annual School Census (PLASC)
- Educated other than at school (EOTAS) pupil level collection
- National data collection (NDC)
- Attendance collection
- Welsh National Tests (WNT) data collection
- The School Workforce Annual Census (SWAC)
In addition to the data collected as part of PLASC, the Welsh Government and Local Authorities also receives information regarding National Curriculum assessments, public examination results, and attendance data at individual pupil level which comes from Schools and/or Awarding Bodies (e.g. WJEC).
The Local Authority also uses the personal information collected to do research. It uses the results of this research to make decisions on policy and the funding of schools, to calculate the performance of schools and help them to set targets. The research is carried out in a way that ensures individual children and young people cannot be identified.
Personal information held
The sort of personal information that will be held includes:
- personal details such as name, address, date of birth, child/young person identifiers and contact details for parents and guardians;
- information on any special educational needs;
- information on performance in internal and national assessments and examinations;
- information on the ethnic origin and national identity of children and young people (this is used only to prepare summary statistical analyses);
- details about children’s and young people’s immigration status (this is used only to prepare summary statistical analyses);
- medical information needed to keep children and young people safe while in the care of the school/Early Years provider;
- information on attendance and any disciplinary action taken;
- information about the involvement of social services with individual children and young people where this is needed for the care of the child/young person.
Organisations which may share personal information
Information held by the school, Early Years providers, LA and the Welsh Government on children and young people, their parents or legal guardians may also be shared with other organisations when the law allows and providing all appropriate steps are taken to keep the information secure, for example:
- other education and training bodies, including schools, when children and young people are applying for courses or training, transferring schools or seeking guidance on opportunities;
- bodies contracted to conduct research for the Welsh Government, LA and schools/Early Years providers with appropriate steps taken to ensure that the information secure;
- central and local government for the planning and provision of educational services;
- social services and other health and welfare organisations where there is a need to share information to protect and support individual children and young people;
- management Information System (MIS) providers in order to ensure that system functionality and accuracy is maintained;
- the Council’s and or Schools approved suppliers of the schools ‘cashless’ system to ensure all pupils, parents & guardians with parental responsibility and school staff are able to use it as appropriate;
- the Central South Consortium Joint Education System (CSCJES) to support regional statistical analysis as required by Welsh Government;
- various regulatory bodies, such as ombudsmen and inspection authorities, where the law requires that information be passed on so that they can do their work;
- the Office of National Statistics (ONS) in order to improve the quality of migration and population statistics;
- companies that provide services which assist the school to collect information from parents and carers (for example, surveys or questionnaires).
Children and young people have certain rights under the Data Protection Act and General Data Protection Regulation, including a general right to be given access to personal data held about them by any “data controller”. The law allows that, by the age of 13, children and young people have sufficient maturity to understand their rights and to make an individual right request themselves if they wish. A parent would be expected to make a request on a child’s behalf if the child is younger. If you wish to access your personal data, or that of your child, then please contact the relevant organisation in writing.
The LA, school and Welsh Government place a high value on the importance of information security and have a number of procedures in place to minimise the possibility of a compromise in data security. The LA, school and Welsh Government will endeavour to ensure that information is kept accurate at all times and processed in accordance with our legal requirements.
Your rights under the Data Protection Act 2018 and General Data Protection Regulation (GDPR)
The Data Protection laws give individuals certain rights in respect of personal information held on them by any organisation. These rights include:
- the right to ask for and receive copies of the personal information held on yourself, although some information can sometimes be legitimately withheld;
- the right, in some circumstances, to prevent the processing of personal information if doing so will cause damage or distress;
- the right to ask for incorrect information to be put right;
- the right to request that information is not processed
You also have the right to ask the Information Commissioner, who enforces and oversees the Data Protection Act, to assess whether or not the processing of personal information is likely to comply with the provisions of our legislative responsibilities.
Seeking further information
We contract with Cardiff Council’s Information Governance Team as the contracted Data Protection Officer. For further information about the personal information collected and its use, if you have concerns about the accuracy of personal information, or wish to exercise your rights under the Data Protection Act 2018 and General Data Protection Regulation, you should contact:
- St Teilo’s Church in Wales High School, Circle Way East, Llanedeyrn , Cardiff, CF23 9PD (Contact us)
- Cardiff Council’s Data Protection Officer at County Hall, Atlantic Wharf, Cardiff Bay, Cardiff, CF10 4UW (email@example.com)
- Welsh Government’s Data Protection Officer at the Welsh Government, Cathays Park, Cardiff, CF10 3NQ (Data.ProtectionOfficer@gov.wales)
- The Information Commissioner’s Office help line 029 2067 8400 (Wales helpline) or 0303 123 1113 (UK helpline)
- Information is also available from www.ico.gov.uk