20/8/2020
Who are we?
Nidderdale High School is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.
The school has appointed Veritau Ltd to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the school is compliant with GDPR and to oversee data protection procedures. Veritau’s contact details are:
Schools Data Protection Officer
schoolsDPO@veritau.co.uk
*Please ensure you include the name of the School in all correspondence with the DPO
What information are we collecting?
The categories of information that we collect, hold and share include the following:
• Basic personal information (e.g. name, pupil number, DOB and address) (pupils, parents and staff)
We will also process information which may include ‘special category’ data about our pupils including:
• Information which identifies children that are ‘vulnerable’ (those who have a social worker, such as children in the care of the Local Authority and those children and young people up to the age of 25 with education, health and care (EHC) plans)
Why do we process your personal data?
We are processing this information to facilitate the provision of care for vulnerable children and the children of critical workers.
This involves:
• Processing pupil information to facilitate their learning and meet any care requirements that they have.
Any personal data that we process about our pupils and parents is done so in accordance with Article 6 and Article 9 of GDPR:
Article 6 (c) legal obligation Article 6 (d) public task Article 6(b) contract (for staff)
Article 9 (b) Employment, social security and social protection (for staff) Article 9 (g) Reasons of substantial public interest
Please refer to our standard Pupils and Parents and Employees Privacy Notices for further information about the lawful basis we rely upon to process your data.
Who do we obtain your information from?
Much of the information we process will be obtained directly from you. We will also process information received from:
• Department for Education (DfE)
Who do we share your personal data with?
We are obliged to share attendance data with the Department for Education during this time. The following information will be shared:
1. The names of all children who are in attendance on each day
We may also be required to share information with neighbouring Local Education Authorities if your child is attending our school as a result of the COVID-19 pandemic response and your child’s previous school was in a neighbouring LEA.
For further details about who we share information with, please see our full Pupil and Parents and Employees Privacy Notices. How long do we keep your personal data for?
We will only retain your data for as long as it is necessary to do so. In respect of parents, we will not retain a copy of the evidence that you provide to us to prove that you are a critical worker.
For further details about retention of your data, please refer to our full Pupils and Parents and Employees Privacy Notices.
What rights do you have over your data?
Under GDPR data subjects have the following rights in relation to the processing of their personal data:
• to be informed about how we process your personal data. This notice fulfils this obligation
If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.
If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the school has handled your personal data. You can do so by contacting:
First Contact Team
NHS Test and Trace
All UK schools have an obligation to respond appropriately to the Government’s advice regarding coronavirus. In order to aid the Government in fighting COVID-19 (coronavirus) and to help keep everyone safe as children return to school, the school will take part in the NHS “Test and Trace” service.
If there is a suspected or confirmed case of COVID-19 then we may be required to share staff, students, parents and visitor’s personal data with NHS Test and Trace, who act as a Data Controller in their own right. We may also share this information with the Local Authority, who will use it for the purposes of COVID-19 prevention and detection only. This information may include:
- Your full name
- Your date of birth
- Your contact details
- Relevant medical information
We will keep a record of any information shared.
If the NHS Test and Trace service contacts you, the service will use text messages, email or phone.
All information which we share through this service is shared in accordance with Article 6 and 9 of the GDPR:
Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’
Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
For more information about the service please see the Government guidance and Public Health England’s privacy notice: