Staff Privacy Notice

Willow Nursery School

Goldstone Crescent, Dunstable, Beds, LU5 4QU

Headteacher: Mrs L. Davies

How we use personal information relating to staff

This Privacy Notice is to let you know how we as an educational setting look after personal information about individuals we employ or engage with at our school.  This notice explains the reasons why we hold personal information about our staff, how we use this information, who we share it with and how we keep it secure. This notice meets with the requirements of the UK General Data Protection Regulations (UK GDPR).

If you have any questions or queries or would like to discuss anything in this Privacy Notice, please contact: Trina Evans School Manager Willow Nursery School 01582662600.


Collecting workforce information

We collect personal information from new members of staff starting at each academic year through our ‘new staff’ information form. We also collect any changes to staff information through update forms during the academic year as part of our data administration process to keep the information we hold as up-to-date as possible.  The majority of our staff information is processed in our main Management Information System (MIS).
Workforce data is essential for our school’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with UK GDPR, we will inform you at the point of collection whether you are required to provide certain information to us or you have a choice in this

We collect and hold workforce information that covers the following categories:

  • Personal information (such as name, teacher number, national insurance number, address)
  • Characteristics information (such as date of birth, sex, ethnic group, marital status)
  • Contract information (such as work history, start date, hours worked, post, roles, salary details)
  • Work absence information (such as number of absences and reasons)
  • Qualifications and training record
  • Emergency contact information (such as next of kin, contact names and telephone numbers)
  • Bank account details including National Insurance number

 

In addition to the information we collect directly from you, we also record and hold the following information:

  • DBS clearance details
  • Photographs
  • Performance information relating to appraisals
  • Recruitment information collected through application forms, including copies of right of work documentation, references and cover letters as part of the application process
  • Pension and benefits information
  • Outcomes of any disciplinary and/or grievance procedures
  • Copies of forms of ID (e.g. driving licence etc.)

Why we collect and use workforce information

 

We use workforce data to:

  • Enable the development of a comprehensive picture of the workforce and how it is deployed
  • Inform the development of our recruitment and retention policies
  • Enable staff members to be paid
  • Facilitate safer recruitment as part of our safeguarding obligations towards pupils
  • Contact next of kin/other contacts in cases of emergency
  • Support effective performance management
  • Enable equalities monitoring
  • Allow for financial monitoring and planning

The lawful basis on which we hold and use workforce information

We collect and use workforce information under the legal basis of public interest as an educational setting/school with the delegated task of educating and safeguarding the children in our care and under a legal obligation which necessitates our school making statutory data returns to the Department for Education (DfE) and our Local Authority in accordance with items c) and e) as described in Article 6, UK GDPR:

  • c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

We also acknowledge that some of the data items collected are deemed as Special Category Personal Data and that item g) processing is necessary for reasons of substantial public interest as described in Article 9, UK GDPR, is the condition under which our school collects and processes the following:

  • ethnic origin data (as part of the school workforce census)
  • religious belief
  • health (i.e. medical data (including any disability) to ensure your medical needs are properly addressed and catered for
  • biometric data for identification (where IT or security systems requires it)

We also apply similar processing safeguards to other data we hold which, although not specifically identified under UK GDPR, we treat as sensitive:

  • photographs
  • safeguarding (DBS) information
  • pay details and performance management outcomes
  • emergency contact details/next of kin

As a staff member, you cannot decline a data collection but you have the right to decline providing information for self-declared data items by selecting the ‘Refused’ option e.g. for ethnicity.


Legislation that supports the lawful bases

Our school is obliged to make statutory school workforce census returns and hold absence information under the following legislation:

  • Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school workforce census) go to  https://www.gov.uk/government/statistics/school-workforce-in-england-november-2023


Data collected under consent

Whilst the majority of information you provide to us is mandatory (under the lawful bases described above), there may be some information we ask you for on a voluntary basis to support an operational functions relating to safeguarding or an educational purpose that extends beyond the lawful bases of legal obligation or public interest (for example, photographs).

Any voluntary Information asked for will be carefully considered and processed in accordance with items a) and b) as described in Article 6, UK GDPR:

  • a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

For all voluntary data or changes to purpose, we will ask you for your explicit consent. As a data subject, you can change your decision to grant or withdraw consent at any time for any of the data items collected under consent. If at any point in the future, we seek to use any previously collected information for another purpose or use the information in new software, we will ask for your explicit consent to do so.
If you are unhappy with our use of your personal data, please let us know by contacting our Data Protection Lead at Trina Evans School Manager 01582662600

Who we share workforce information with

We routinely share some of this information with:

  • our local authority
  • the Department for Education (DfE)
  • our contracted HR provider

 

Why we share workforce information with external parties

We do not share information about our workforce members with anyone without consent unless the law and our policies require/allow us to do so.
We are required to share information about our workforce members with the DfE and our local authority under Section 5 of the Education (Supply of Information about the School Workforce ) (England) Regulations 2007 and amendments.

The data shared with the DfE and the local Authority is for the purpose of:

  • informing departmental policy on pay
  • monitoring the effectiveness and diversity of the school workforce
  • making links to school funding and expenditure
  • supporting ‘longer term’ research and monitoring of educational policy

The Data Sharing Agreement with the Local Authority relating to school workforce information can be found at  https://www.centralbedfordshire.gov.uk/info/102/performance_hub/574/data_and_information

All data is transferred securely through specific data transfer systems with the DfE and local authority.
Information held by DfE is under a combination of software and hardware controls which meet the current government security policy framework .   Refer to Department of Education’ section at the end of this document for more details.

How we keep personal data secure

We fully adhere to our Data Protection policies which outline our procedures and processes for accessing, handling and storing data safely in accordance with all the UK GDPR principles. These policies are regularly reviewed and ratified by our governors. The following processes ensure that we comply with data protection legislation in how we manage the protection of personal data:

  • Our networks, file systems and server operating systems are secured through firewalls and spyware/ virus detection programs on our servers to prevent unauthorised access to our data. We closely monitor these filtering systems in accordance with our Safeguarding and Child Protection Policies
  • Data held in a physical location within the school is held securely and only accessible by staff with appropriate authorisation
  • Access to data on systems is through individual passwords which are carefully managed and monitored
  • Any data that is removed from the school is minimised and encrypted
  • Older data is safely removed from computers and other devices
  • Data shared with the DfE and the Local Authority is shared through secure file transfer systems. Any data shared with other legitimate third parties where there is a legal basis for sharing will only be shared through secure methods.
  • Data shared with third party software suppliers is controlled by the school. We will only deal with suppliers who can demonstrate that they comply with the requirements of data protection legislation and not use personal data for any other purpose than the purpose for fulfilling the functions we have contracted with them
  • We ensure all staff receive regular training on data protection

We also adhere to our Data Breach Procedures Policy in the event of a data breach. These procedures explain how our school responds to occurrences of known or reported data breaches. A copy of this policy is available on our school website at https://www.willownursery.co.uk/

Requesting access to your personal data

Under UK GDPR, you have certain rights about how your information is collected and used as below:

  • Right to be informed about the collection and use of your personal data
  • Right to access to your personal information – you can ask for copies of your information through the Subject Access Request (SAR) process (see SAR below)
  • Right to rectification – you can ask to have inaccurate or incomplete personal data changed
  • Right to erasure – you can ask to have personal information deleted
  • Right to object to processing of personal data that is causing, damage or distress in certain circumstances
  • Right to restrict processing – you can ask for your information not be used
  • Right to data portability – you can ask for your information not to be shared
  • Right to object to decisions being taken and profiling by automated means
  • Right to claim compensation for damages caused by a breach of the Data Protection regulations

It should be noted that some of these rights will not apply in circumstances where allowing them would significantly reduce or prevent our ability to perform our duties as a school and safeguard the children in our care. There are legitimate reasons why we may refuse your information rights request depending on the reason why we are processing it – for example:

  • Right to erasure does not apply when the lawful basis for processing is a legal obligation and/or a public task
  • Right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. If the lawful basis is consent, you do not have the right to object but you have the right to withdraw consent.

If you feel we have not used your information in the right way, you have the right to complain to the Information Commissioner (see Reporting concerns below)

For further information on how to request access to personal information held centrally by the DfE, please refer to the Department of Education section at the end of this document.

Subject Access Request (SAR)- you do have the right to request access to your personal information that we hold. To request access to your personal information, you can make a Subject Access Request (SAR).

Our school will follow procedures outlined in our Subject Access Request Policy available from our website https://www.willownursery.co.uk/  which follows the guidelines promoted by the data protection regulations. For further information about this contact Trina Evans School Manager 01582662600

Please note that whilst we aim to respond to requests within the required time period of one month, we may not be able to honour this time period if we receive requests during school holidays as our school email is not monitored. We will contact you to acknowledge receipt of your request at our first opportunity and will agree a date with you by which time we can provide the information requested.
Additionally, if the nature of the request is complex, we will aim to reach a mutually agreed alternative time period.

How long we keep personal information

We hold workforce data for the period determined appropriate for the different types of data we hold.
We will keep information for the minimum period necessary in accordance with DfE’s data retention recommendations which take into account legal and safeguarding considerations linked to the types of data held. We also adhere to requirements specified by financial and/or employment legislation/ guidance.
Our Data Retention Schedule can be found on our website at https://www.willownursery.co.uk/.

All information is held securely and will be destroyed as appropriate under secure and confidential conditions.

Let us know of any changes to personal information and emergency contact information

As a matter of course, we will contact you at least once a year to ensure that all the personal information and emergency contact details we have for you is accurate and up to date. We would encourage you to inform the school’s School Manager Trina Evans of any changes to your personal details as soon as possible.

Reporting concerns about our data protection processes
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting <insert name> < contact details as per first page > . Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Keeping you informed through this Privacy Notice

We aim to keep you informed of any changes to our data collections and data protection obligations through this Privacy Notice – the latest copy will be available on our website at https://www.willownursery.co.uk/

 

Department for Education (DfE)

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections.
We are required to share information about our school employees with the Department for Education (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.

How Government uses your data

The workforce data that we lawfully share with the Department for Education (DfE) through data collections:

  • informs the Department for Education (DfE) policy on pay and the monitoring of the effectiveness and diversity of the school workforce
  • links to school funding and expenditure
  • supports ‘longer term’ research and monitoring of educational policy


Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (DfE) including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools


Sharing by the Department for Education (DfE)

The Department for Education (DfE) may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department for Education (DfE) will only share your personal data where it is lawful, secure and ethical to do so and has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether the Department for Education (DfE) releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of public benefit, proportionality, legal underpinning and strict information security standards.

 

For more information about the Department for Education’s (DfE) data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data

For information about which organisations the Department for Education (DfE) has provided information, (and for which project) please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares

 

How to find out what personal information the Department for Education (DfE) hold about you

Under the terms of UK GDPR, you’re entitled to ask the Department for Education (DfE):

  • if they are processing your personal data
  • for a description of the data they hold about you
  • the reasons they’re holding it and any recipient it may be disclosed to
  • for a copy of your personal data and any details of its source

If you want to see the personal data held about you by the Department for Education (DfE), you should make a ‘subject access request’ to the DfE. Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below:

https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter

or

https://www.gov.uk/government/publications/requesting-your-personal-information/requesting-your-personal-information#your-rights

To contact the Department for Education (DfE): https://www.gov.uk/contact-dfe

 

Important GDPR Definitions

  • Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  • Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  • A Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  • A Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.