Privacy notice (Governing Body)

Privacy Notice for members of the Governing Body

Privacy Notice (How we use governance information)

St Mark’s CE Primary School is the data controller under the UK General Data Protection Regulation (UK GDPR) for the use of personal data explained in this Privacy Notice.

The categories of governance information that we process include:

·        personal information like name, date of birth, gender identity, contact details including address and postcode;

·        financial or business information like a governor’s outside financial or business interests, or bank details for expense payments;

·        Special categories of data like criminal conviction or social care action information for legal and safeguarding reasons, next of kin and medical information (to prevent or manage a health or medical issue), and protected characteristics information like gender identity or religion.

·        governance details like their role, start and end dates and governor ID.

Why we collect and use this information

The personal data we collect is essential to fulfil our official functions and meet legal requirements.

We are a maintained school and have a legal duty under section 538 of the Education Act 1996 to provide governance information to the Get Information About Schools (GIAS) scheme online.

We also use governor data to:

a)     comply with the law and keep governors safe;

b)     recruit appropriately; and

c)     enable individuals to be paid expenses.

Under UK GDPR, the lawful bases we rely on for processing personal governance information are:

6(1)(b)      to enter into or carry out a contract e.g. to appoint governors, include them in services we buy like access to online subscriptions we hold, or to engage with our training or activity providers.

6(1)(c)      to comply with the law e.g. publishing information on our website and submitting data to GIAS.

6(1)(a)      having consent e.g. to use images and names in publicity.

When we process sensitive personal information like medical data or criminal history we rely on lawful bases:

9(2)(a)      having consent e.g. for referral to occupational health or other support services.

9(2)(b)      to comply with the law e.g. pre-appointment criminal record checks, providing reasonable adjustments to governor tasks or election procedures.

9(2)(i)       to improve public health e.g. we are required to report infections, like meningitis, Covid-19[1] or e-Coli, to local and national government departments;

9(2)(f)       to make or defend a legal claim e.g. all accident records etc.

This list is not exhaustive.  For more information about the categories of information we process please see the data asset register.

Collecting governance information

We collect personal information via various governor application and registration processes run by the school (parent and staff governors), the Diocese (foundation governors) or the Local Authority (LA governors).

Most of the information we ask for is required by law or necessary so we can run the school effectively and some of it is voluntary.  To comply with data protection legislation, if you have a choice about providing information, we will tell you when we ask for it.

Storing governance information

We hold governor data securely in line with the Information and Records Management Society (IRMS) Records Management Toolkit for Schools.  Most data about governors is kept for between 6 months and 6 years after an election or term of office ends, although some is kept for much longer e.g. minutes of governor meetings showing attendees are kept for the lifetime of a school.  For more information about how long we keep some information for and why (data retention), and how we keep the data safe, please see our Data Protection Policy and data asset register.

Who we share governance information with and why

We do not share information about individuals in governance roles with anyone without consent unless the law and our policies allow us to do so.  The laws listed in this notice that require us to collect information also require us to share it.  Data is transferred securely by hand delivery or registered post, via a government data transfer system like GIAS, and sometimes in other secure ways. 

We routinely share governor information with:

·        our local authority (as above),

·        our financial services provider to pay expenses;

·        Public Health England and, to support test and trace and similar public health emergency action, other partners like the NHS, Local Authority Public Health, and District Council Environmental Health Departments

·        other organisations like an off-site training or activity provider that needs next of kin or medical details to manage them safely, and third-party service providers like online subscriptions, but usually only with consent.

Sharing with the Department for Education

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections.

We are required to share information about our governors with the Department for Education (DfE) under section 538 of the Education Act 1996.

All data is entered manually on the GIAS system and held by DfE under a combination of software and hardware controls which meet the current government security policy framework.

For more information, please see ‘How Government uses your data’ section.

Requesting access to your personal data

Under UK GDPR, you have the right to request access to information about you that we hold.  To make a request for your personal information, contact the Headteacher, School Business Manager or Clerk to the Governing Body.

·        Depending on which lawful basis above was used to process the data, you may also have a right to:

·        object to processing of personal data that is likely to cause, or is causing, damage or distress,

·        prevent processing for the purpose of direct marketing,

·        object to decisions being taken by automated means,

·        in some circumstances, have inaccurate personal data rectified, blocked, erased, or destroyed; and

·        a right to seek redress, either through the ICO, or through the courts

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/.

For more information on how to request access to personal information held centrally by the DfE, please see the ‘How Government uses your data’ section of this notice.

Withdrawal of consent and the right to lodge a complaint

If we are only processing your personal data because you consented, you have the right to withdraw that consent.  If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the Headteacher, School Business Manager or Clerk to the Governing Body.

Last updated

This privacy notice was compiled using DfE advice and model documents.  We may need to review it periodically, so we recommend that you revisit this information from time to time. This version was last updated in September 2021.

Contact

If you would like to discuss anything in this privacy notice, please contact: the Headteacher, School Business Manager or Clerk to the Governing Body via admin@st-marks.cumbria.sch.uk .

How Government uses your data

The governance data that we lawfully share with the DfE via GIAS will:

·        increase the transparency of governance arrangements;

·        enable maintained schools and academy trusts and the department to identify more quickly and accurately individuals who are involved in governance and who govern in more than one context;

·        allow the DfE to be able to uniquely identify an individual and in a small number of cases conduct checks to confirm their suitability for this important and influential role.

Data collection requirements

To find out more about the requirements placed on us by the DfE including the data that we share with them, go to https://www.gov.uk/government/news/national-database-of-governors

Note: Some of these personal data items are not publicly available and are encrypted within the GIAS system. Access is restricted to a small number of DfE staff who need to see it in order to fulfil their official duties. The information is for internal purposes only and not shared beyond the department, unless the law allows it.

How to find out what personal information DfE hold about you

Under the terms of the UK Data Protection Act 2018, you’re entitled to ask the Department:

·        if they are processing your personal data;

·        for a description of the data they hold about you;

·        the reasons they’re holding it and any recipient it may be disclosed to;

·        for a copy of your personal data and any details of its source.

If you want to see the personal data held about you by the DfE, you should make a ‘subject access request’.  Further information on how to do this can be found in the DfE’s personal information charter published at: www.gov.uk/government/organisations/department-for-education/about/personal-information-charter

To contact the department: www.gov.uk/contact-dfe