Data Protection Privacy Notice for Pupils, Parents, Guardians and Alumnae at Walthamstow Hall

Introduction

For the purposes of the Data Protection Act 2018 and EU General Data Protection Regulations (GDPR) Walthamstow Hall (“the School”) Holly Bush Lane, Sevenoaks (03245514) is the “Data Controller” of personal data about employees, volunteers, Governors, pupils and their parents and/or guardians (“your personal data”).   The Charity’s object is to advance education by the provision of a preparatory and secondary day school for girls with a preference for the daughters of Protestant Christian Missionaries with facilities for boys to be admitted to the sixth form. Some of our activities are undertaken by our wholly owned subsidiary Walthamstow Hall (Sevenoaks) Limited (registered number 03621443).

The new regulations, in force from around 25 May 2018, include rules on giving privacy information to those whose data is held by an organisation (data subjects).  These place an emphasis on making privacy notices understandable and accessible. Data Controllers are expected to take ‘appropriate measures’ to ensure that this is the case.  The School interprets this as using very clear language to outline each of the responsibilities for each of the data subject groups.

Information provided to data subjects about how the School processes their personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

These requirements are about ensuring that privacy information is clear and understandable for data subjects.  This policy includes how the School deals with its overall privacy responsibilities and includes, as annexes the particular notices that apply to parents and pupils and those pupils over the age of 17.  The relevant annex should be read by the appropriate data subject along with this overarching policy. Separate Privacy Notices have been produced for Staff, Governors and volunteers.

Each annex deals with two sources of data, that obtained directly from the subject and, data not obtained directly from the subject.  For both sources the identity and contact details of the data handler (and where applicable, the handler’s representative) and the Privacy and Compliance officer are provided.

Responsibility for data protection

The School has appointed Mr Andrew Horner (the Bursar) as the Data Protection and Compliance Officer (DPCO) who will deal with all your requests and enquiries concerning the School’s uses of your personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with this policy and Data Protection Law. He can be contacted on 01732 454227 or by email at bursar@walthamstow-hall.co.uk.

Glossary of Key Terms

“Data Controller” means an organisation processing personal data, in this case the School.

“Data Handler” a member of staff responsible for handling personal data.

“Data Processor” is responsible for processing personal data on behalf of the School (Data Controller).  This can be a member of staff (ie a Data Handler) or a third party.

“Data Subjects” means any living individuals whose data the Data Controller processes.

“Personal Data” includes everything from which a Data Subject can be identified.  It ranges from simple contact details via personnel or pupil files to safeguarding information, and encompasses opinions, file notes or minutes, a record of anyone’s intentions towards that person, and communications (such as emails) with or about them.  Some categories of Personal Data are “special category data”.  These comprise data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation and biometric data.  Extra safeguards are provided by law for processing of such data.

“Processing” means any action in relation to that personal data, including filing and communication.

“Staff” includes all employees, volunteers, governors and service providers.

Why a new policy?

The new Regulations (effective across the UK from around 25 May 2018) is the biggest change to data protection law in 20 years.  One of its core tenets is “transparency”, meaning an emphasis on how data controllers tell data subjects how they use their personal data, in clear language.

This makes the role of a Privacy Notice even more critical.  GDPR also has particular requirements in terms of what must included.  Three new requirements particularly relevant are:

  • Privacy Notices intended for children need to be in age-appropriate language;
  • There are new data subject rights that need to be notified to individuals; and
  • Where relying on “legitimate interests” as a basis for processing, these must be individually listed as part of the Privacy Notice (See also the appropriate Annex).

What this policy is for

This policy is intended to provide information about how the School will use (or “process”) personal data about individuals including: staff, its current, past and prospective pupils; and their parents, carers or guardians (referred to in this policy as “parents”).

This information is provided because Data Protection Law gives individuals rights to understand how their data is used.  Staff, parents and pupils are all encouraged to read this Policy and the appropriate Annex and understand the School’s obligations to its entire community.

This Policy applies alongside any other information the School may provide about a particular use of personal data, for example when collecting data via an online or paper form.

This Policy also applies in addition to the School’s other relevant terms and conditions and policies, including:

  • any contract between the School and its staff or the parents of pupils;
  • the School’s policy on taking, storing and using images of children and staff;
  • the School’s CCTV policy;
  • the School’s retention of records policy;
  • the School’s safeguarding, pastoral, and health and safety policies, including as to how concerns or incidents are recorded; and
  • the School’s IT policies, including Acceptable Use Policy, eSafety Policy and Bring Your Own Device policy.

Anyone who works for, or acts on behalf of, the school (including staff, volunteers, governors and service providers) should also be aware of and comply with the School’s data protection policy, which also provides further information about how personal data about those individuals will be used.

Why the school needs to process personal data

In order to carry out its ordinary duties to staff, pupils and parents, the School needs to process a wide range of personal data about individuals (including current, past and prospective pupils or parents) as part of its daily operation.

Some of this activity the School will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with staff, parents of its pupils or others who use the School’s facilities.

Other uses of personal data will be made in accordance with the School’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.

The school expects that the following uses will fall within that category of its (or its community’s) “legitimate interests”:

  • For the purposes of pupil selection (and to confirm the identity of prospective pupils and their parents);
  • To provide education services, including musical education, physical training or spiritual development, career services, and extra-curricular activities to pupils, and monitoring pupils’ progress and educational needs;
  • To enable relevant authorities to monitor the School’s performance and to intervene or assist with incidents as appropriate;
  • To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils;
  • To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School;
  • To safeguard pupils’ welfare and provide appropriate pastoral care;
  • To monitor (as appropriate) use of the school’s IT and communications systems in accordance with the School’s IT: Acceptable Use Policy;
  • To make use of photographic images of pupils (and staff) in School publications, on the School website and (where appropriate) on the School’s social media channels in accordance with the School’s policy on taking, storing and using images of children;
  • For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
  • For security purposes, including CCTV in accordance with the school’s CCTV Policy;
  • To give and receive information and references about past, current and prospective pupils;
  • In connection with, and to enable, the School’s community engagement and commercial activities;
  • To carry out or cooperate with any School or external complaints, disciplinary or investigation process; and
  • Where otherwise reasonably necessary for the School’s purposes, including to obtain appropriate professional advice and insurance for the School.

In addition, the School will on occasion need to process special category personal data (concerning health, ethnicity, religion, biometrics or sexual life) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons will include:

  • To safeguard pupils’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition or other relevant information where it is in the individual’s interests to do so: for example for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes or to caterers or organisers of School trips who need to be made aware of dietary or medical needs;
  • To provide educational services in the context of any special educational needs of a pupil;
  • To provide spiritual education in the context of any religious beliefs;
  • In connection with employment of its staff, for example DBS checks, welfare, union membership or pension plans;
  • As part of any School or external complaints, disciplinary or investigation process that involves such data, for example if there are SEN, health or safeguarding elements; or
  • For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.

Types of personal data processed by the school

This will include by way of example:

  • names, addresses, telephone numbers, e-mail addresses and other contact details;
  • car details (about those who use our car parking facilities);
  • bank details and other financial information, e.g. about parents who pay fees to the school;
  • past, present and prospective pupils’ academic, disciplinary, admissions and attendance records (including information about any special needs), and examination scripts and marks;
  • personnel files, including in connection with academics, employment or safeguarding;
  • where appropriate, information about individuals’ health and welfare, and contact details for their next of kin;
  • references given or received by the School about pupils, and relevant information provided by previous educational establishments and/or other professionals or organisations working with pupils;
  • correspondence with and concerning pupils and parents past and present; and
  • images of pupils (and occasionally other individuals) engaging in school activities, and images captured by the school’s CCTV system (in accordance with the School’s policy on taking, storing and using images of children);

How the school collects data

Generally, the School receives personal data from the individual directly (including, in the case of pupils, from their parents).  This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments).

However, in some cases personal data will be supplied by third parties (for example another school, or other professionals or authorities working with that individual); or collected from publicly available resources.

Data handling

The School deals with five main streams of data. These are:

  • Pupils
  • Parents
  • Governors
  • Employees
  • Alumnae

Each has its own sensitivities, methods of processing, retention period, disposal method and timescale.  There are distinct roles for which staff need to be identified and in which they need to be trained. These are the Data Handlers (DH) and the Data Protection and Compliance Officer.  The DHs are as follows:

  • Joining, Progress and Departure data – The Registrar, School Secretary and Payroll Administrator.
  • Marketing and Communications – Director of Marketing and Marketing Assistants.
  • Medical data – Medical Staff (Sisters).
  • Development office / Alumnae information – Director of Marketing and Registrar.
  • Education –  Each class, form and specialist teacher.
  • Pastoral Information – All form teachers, Heads of Departments, Head of the JS and Deputy Heads.
  • Disciplinary Information – All form teachers, Heads of Departments, Head of the JS and Deputy Heads.
  • Incidents and Accidents – Medical staff, form teachers, sports staff and the Bursar.
  • Safeguarding – The Headmistress (the DSL) and Mr C Hughes and Mrs D Wood (DDSL) or as dictated by the circumstances.

Who has access to personal data and who the school shares it with

Different data sets need to be seen by different members of the School staff.  There should be a discipline between the data holders which does not allow the sharing of pupil information unless there is a need to know by another member of staff within the School.  This policy will assist in reducing or preventing internal data breaches where information is shared inadvertently.

Occasionally, the School will need to share personal information relating to its community with third parties, such as:

For the most part, personal data collected by the School will remain within the School, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).  Particularly strict rules of access apply in the context of:

  • medical records held and accessed only by appropriate medical staff or otherwise in accordance with express consent; and
  • pastoral or safeguarding files.

However, a certain amount of any girl’s medical records or any SEN pupil’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the pupil requires.  This for example may include sharing widely with School staff information on allergies in order to safeguard relevant girls.

Staff, pupils and parents are reminded that the School is under duties imposed by law and statutory guidance (including Keeping Children Safe in Education) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the LADO or police. For further information about this, please view the School’s Safeguarding Policy.

Pupils who take advantage of the School Counsellor should note that any personal data provided to her does not belong to the School.  The School Counsellor is a Data Holder in their own right and data is not held by the School. The Counsellor has their own Privacy Statement; pupils/parents will provide consent for them to hold their/their daughters data as such.

Finally, in accordance with Data Protection Law, some of the School’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers.  This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the School’s specific directions.

How long we keep personal data

The School will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason.  Typically, the legal recommendation for how long to keep ordinary pupil and staff personnel files is up to 7 years following departure from the School.  However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements (including IICSA).

If you have any specific queries about how our retention policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the Data Protection and Compliance Officer.  However, please bear in mind that the School will often have lawful and necessary reasons to hold on to some personal data even following such a request. A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (called a “suppression record”).

Please see also the School’s Records, Retention and Storage Policy.

Keeping in touch and supporting the school

The School will use the contact details of parents, alumnae and other members of the School community to keep them updated about the activities of the School, or alumnae and parent events of interest, including by sending updates and newsletters, by email and by post. Unless the relevant individual objects, the School will also:

  • Share personal data about parents and/or alumnae, as appropriate, with organisations set up to help establish and maintain relationships with the school community, such as the Friends and Parents of Walthamstow Hall (F&PWH) and Walthamstow Hall Old Girls Association (W.O.G.A.)
  • Contact parents and/or alumnae (including via the organisations above) by post and email in order to promote and raise funds for the School;
  • Collect information from publicly available sources about parents’ and former girls’ occupation and activities, in order to maximise the School’s fundraising potential.

Should you wish to limit or object to any such use, or would like further information about them, please contact the Data Protection and Compliance Officer in writing.  You always have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising. However, the School is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).

Your rights

Rights of access, etc.

Individuals have various rights under Data Protection Law to access and understand personal data about them held by the School, and in some cases ask for it to be erased or amended or have it transferred to others, or for the School to stop processing it – but subject to certain exemptions and limitations.

Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to the Data Protection and Compliance Officer.

The School will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (which is one month in the case of requests for access to information).

The School will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, the School may ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).

Requests that cannot be fulfilled

You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access.  This will include information which identifies other individuals (and parents need to be aware this may include their own daughter, in certain limited situations – please see further below), or information which is subject to legal privilege (for example legal advice given to or sought by the School, or documents prepared in connection with a legal action).

The School is also not required to disclose any pupil examination scripts (or other information consisting solely of pupil test answers), provide examination or other test marks ahead of any ordinary publication, nor share any confidential reference given by the School itself for the purposes of the education, training or employment of any individual.

You may have heard of the “right to be forgotten”.  However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child’s) personal data: for example, a legal requirement, or where it falls within a legitimate interest.  All such requests will be considered on their own merits.

Pupil requests

Pupils can make subject access requests for their own personal data, provided that, in the reasonable opinion of the School, they have sufficient maturity to understand the request they are making (see section Whose Rights? below).  A pupil of any age may ask a parent or other representative to make a subject access request on their behalf.

Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger pupils, the law still considers the information in question to be the child’s: for older pupils, the parent making the request may need to evidence their child’s authority for the specific request.

Pupils at Senior School aged 17 and above, are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home.  Slightly younger children may however be sufficiently mature to have a say in this decision, depending on the child and the circumstances.

Parental requests, etc.

It should be clearly understood that the rules on subject access are not the sole basis on which information requests are handled.  Parents may not have a statutory right to information, but they and others will often have a legitimate interest or expectation in receiving certain information about pupils without their consent.  The School may consider there are lawful grounds for sharing with or without reference to that pupil.

Parents will in general receive educational and pastoral updates about their children, in accordance with the Guide for New Parents.  Where parents are separated, the School will in most cases aim to provide the same information to each person with parental responsibility, but may need to factor in all the circumstances including the express wishes of the child.

All information requests from, on behalf of, or concerning pupils – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.

Consent

Where the School is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above).  Examples where we do rely on consent are: e.g. certain types of uses of images, certain types of fundraising activity. Please be aware however that the School may not be relying on consent but have another lawful reason to process the personal data in question even without your consent.

That reason will usually have been asserted under this Policy, or may otherwise exist under some form of contract or agreement with the individual (e.g. a parent contract, or because a purchase of goods, services or membership of an organisation such as an alumnae or parents’ association has been requested).

Whose rights?

The rights under Data Protection Law belong to the individual to whom the data relates.  However, the School will often rely on parental authority or notice for the necessary ways it processes personal data relating to pupils – for example, under the parent contract, or via a form.  Parents and pupils should be aware that this is not necessarily the same as the School relying on strict consent (see section on Consent above).

Where consent is required, it may in some cases be necessary or appropriate – given the nature of the processing in question, and the pupil’s age and understanding – to seek the pupil’s consent.  Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.

In general, the School will assume that pupils’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare.  That is unless, in the School’s opinion, there is a good reason to do otherwise.

However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the School may be under an obligation to maintain confidentiality unless, in the School’s opinion, there is a good reason to do otherwise; for example where the School believes disclosure will be in the best interests of the pupil or other pupils, or if required by law.

Pupils are required to respect the personal data and privacy of others, and to comply with the School’s relevant policies, e.g. IT: Acceptable Use Policy and the School rules. Staff are under professional duties to do the same covered under this policy and The Staff Handbook.

Data accuracy and security

The School will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible.   Individuals must notify the School Office or Bursar’s Office of any significant changes to important information, such as contact details, held about them.

An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why the School may need to process your data, of who you may contact if you disagree.

The School will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to School systems.  All staff and governors will be made aware of this policy and their duties under Data Protection Law and receive relevant training.

This policy

The School will update this Privacy Notice from time to time.  Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.

Queries and complaints

Any comments or queries on this policy should be directed to the Data Protection and Compliance Officer using the following contact details bursar@walthamstow-hall.co.uk or 01732454227.

If an individual believes that the School has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the School’s complaints / grievance procedure and should also notify the Headmistress.  You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the School before involving the regulator.

ANNEX A

Privacy Notice Walthamstow Hall – Parents of children at the School, or applying to join the School

This annex should be read in conjunction with the covering policy.

This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

Data will be processed for the purposes of responding to requests for information about joining the School and the School will therefore have a “legitimate interest” for processing basic personal data and sensitive personal data. The data the School holds will be the minimum it requires to form and maintain the contract between you and the School.

The school will share your data with the following companies who have contracts with the School and who have equalled the School’s precautions and systems for dealing with data, these are:

  • School Photographer
  • Insurance provider (Marsh Ltd)
  • IT Contractors (Host My Office)
  • IT software/’App’ provider (OASIS, SchoolBase, Firefly, Durham University for Evaluation and Monitoring, Tojo, GoAnimate, Tapestry )

It is not necessary for data to be shared with other countries. The exception to this will be international trips that the School organises, should this be envisaged for your child, you will be contacted for your consent, the consent will be limited in time and content if it is required.

The retention period for pupil data will be until the pupil reaches the age of 25, and / or be modified by any other legal obligation the school finds itself under.

You have the right to withdraw your consent to data processing at any time, however this will only apply to certain groups of data for which you have given particular consent.

You can complain at any time about how the school has handled your data, the Information Commissioner is available as follows:

The ICO helpline is 0303 123 1113. A template letter, should you need it, is at Appendix 1.

We will obtain the data the School requires from you, should we need data from other sources we will contact you within a month.

The ICO states: Where data is not obtained directly, the source from which it was obtained and whether or not it is a publicly available source. For data obtained indirectly, the privacy notice should be provided within one month (referred to as a reasonable period of time), when the first communication takes place with an individual, or if disclosure is envisaged to another recipient, at the latest, before the information is disclosed.

We see the provision of personal data as necessary to properly admit you child to the School and to administer, and for the School to fulfil its obligations under the contract once your child is a pupil here.

There is no automated decision making or profiling involved in this data stream into and through the School.

Data Streams and Your Daughter – an outline

When dealing with your daughters, the Schools has to deal with two broad sets of data. The first is generated by the child joining, progressing through, and departing from, the school and is provided on the whole by you. The second set is generated by the interaction between your daughter and the School; this will cover education, pastoral information, disciplinary information and any incidents or accidents the child is involved in. This is data processed by Data Handlers:

  • Education: termly and annual reports will be generated as will data on test and exam results. Distribution of this data will change with the age of your daughter as they progress through the School.
  • Pastoral information: reports and contact with your daughter or you will be raised from time to time.
  • Disciplinary information: reports will be raised as required, contact with you may be required. Within the School, the senior management and house staff may need to be involved at different times during her career.
  • Incidents and Accidents: this is data that would be generated by the completion of an Accident or Near Miss form or, for something more serious, a Health and Safety (RIDDOR) report.

Most, but not all, of that information will be straightforward to deal with as second category data, however, there will be instances where special category or sensitive personal data (such as that concerning health, medical conditions, family circumstances or some other factor) has to be processed.

Both categories can be processed as the School, with a contract in place between it and you, has a “legitimate interest” to process data. It will be necessary to get separate consents for particular activities that the pupil and school undertakes. These will include, but will not be limited to:

  • taking, using, storage and disposal of images;
  • allergies and health issues;
  • school trips and events and
  • minibus use.

ANNEX B

Privacy Notice Walthamstow Hall – children at the school over the age of 17

This annex should be read with the introductory paragraphs in the covering policy. The paragraphs in red refer to guidance from the Information Commissioner’s Office (ICO) on the compilation of privacy notices. And are the sections that the ICO needs the School to comply with in its dealings with you.

(The privacy notice should be provided at the time the data was obtained, if it was obtained directly from the data subject.)
This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly. This means you get this when the School gets your data from your parents, or within a month.

(The purpose of the processing and the legal basis for processing must be clearly stated and the categories of personal data held must be clearly stated.)
Data will be processed for the purposes of allowing you to make the best of your time at Walthamstow Hall. The School will therefore have what is called a “legitimate interest” for processing basic personal data and sensitive personal data. The data the School holds will be the minimum it requires to allow you to thrive in your years here.

(Any recipient or categories of recipient must be clear and it should also be clear if data transfer to other countries and the safeguards in place.)
The School will share your data with the following companies who have contracts with the School and who have equalled the School’s precautions, systems and procedures for dealing with data, these are:

  • School Photographer
  • Insurance provider (Marsh Ltd)
  • IT Contractors (Host My Office)
  • IT software provider (Firefly, OASIS, SchoolBase)

It is not necessary for data to be shared with other countries. The exception to this will be international trips that the School organises. Should this be envisaged for you, you will be contacted for your consent; the consent will be limited in time and content if it is required.

(The retention period for the data or the criteria used to determine the retention period.)
The retention period for your data will be until you reach the age of 25.

(The existence of each data subject’s rights. The right to withdraw consent at any time.)
You have the right to withdraw your consent to data processing at any time, however this will only apply to certain groups of data for which you have given particular consent.

(The right to lodge a complaint at any time with a supervisory authority.)
You can complain at any time about how the school has handled your data, the Information Commissioner is available as follows:

The ICO helpline is 0303 123 1113. A template letter, should you need it, is at Appendix 1.

(Where data is not obtained directly, the source from which it was obtained and whether or not it is a publicly available source.)
(For data obtained indirectly, the privacy notice should be provided within one month (referred to as a reasonable period of time), when the first communication takes place with an individual, or if disclosure is envisaged to another recipient, at the latest, before the information is disclosed.)
We will obtain the data the School requires from you, should we need data from other sources we will contact you.

(Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.)

We see the provision of personal data as necessary to properly manage your time at Walthamstow Hall and for the School to fulfil its obligations to you.

(The exitance of automated decision making including profiling and the information about how decisions are made, the significance and the consequences.)
There is no automated decision making or profiling involved handling this data.

Data Streams and You – an outline

As identified in the Policy, the School has to deal with two broad sets of data. The first data is generated by you or your parents as you join, progress through, and depart from the School. The second set is generated by the interaction between you and the School; this will cover education, pastoral information, disciplinary information and any incidents or accidents you are involved in. This is data generated and processed by Data Handlers:

  • Education: termly and annual reports will be generated as will data on test and exam results. Distribution of this data will change with your age initially starting with your parents but then to you as you progress through the School.
  • Pastoral information: reports and contact with you or your parents will be raised from time to time.
  • Disciplinary information: reports will be raised as required, contact with your parents may be required. Within the School, the senior management and house staff may need to be involved at different times during your progression.
  • Incidents and Accidents: this is data that would be generated by the completion of an Accident or Near Miss form or, for something more serious, a Health and Safety (RIDDOR) report.

Most, but not all, of that information will be straightforward to deal with as personal data, however, there will be instances where special category or sensitive personal data (such as that concerning health, medical conditions, family circumstances or some other factor) has to be processed.

Both categories can be processed as the School, with a contract in place between it and your parents, has a “legitimate interest” to process data. It will be necessary to get separate consents for particular activities that you and the School undertakes.

These will include, but will not be limited to:

  • taking, using, storage and disposal of images;
  • allergies and health issues;
  • School trips and events and
  • minibus use.

ANNEX C

Privacy Notice Walthamstow Hall – Alumnae

This annex should be read in conjunction with the introductory paragraphs in the covering policy. The italicised paragraphs in red refer to guidance from the ICO on the compilation of privacy notices.

Routine contact with alumnae will be by surface mail, email will only be used as a method of contact if the individual alums gives consent to be contacted in this way.

(The privacy notice should be provided at the time the data was obtained, if it was obtained directly from the data subject.)
This privacy notice will be provided to you at the time your data is being obtained, if it is being obtained directly.

(The purpose of the processing and the legal basis for processing must be clearly stated and the categories of personal data held must be clearly stated.)
Should you give consent data will be processed for the purposes of maintaining an accurate record of those who were educated at Walthamstow Hall. The school will process only the minimum personal data to achieve this purpose.

(Any recipient or categories of recipient must be clear and it should also be clear if data transfer to other countries and the safeguards in place.)
The school will not share your data with any companies associated with the school.
It is not necessary for data to be shared with other countries.

(The retention period for the data or the criteria used to determine the retention period.)
The retention period for alumnae data will be unlimited as long as the school believes it has a relationship to serve with the alumnae.

(The existence of each data subject’s rights. The right to withdraw consent at any time.)
You have the right to withdraw your consent to data processing at any time, however this will only apply to certain groups of data for which you have given particular consent.

(The right to lodge a complaint at any time with a supervisory authority.)
You can complain at any time about how the school has handled your data, the Information Commissioner is available as follows:

ICO helpline is 0303 123 1113. A template letter, should you need it is at the appended to this notice.

(Where data is not obtained directly, the source from which it was obtained and whether or not it is a publicly available source.)
(For data obtained indirectly, the privacy notice should be provided within a one month (referred to as a reasonable period of time), when the first communication takes place with an individual, or if disclosure is envisaged to another recipient, at the latest, before the information is disclosed.)
We will obtain the data the school requires from you, should we need data from other sources we will contact you first.

(Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.)