As part of its day-to-day operation, and in order to carry out its duties as a provider of education and an employer, the DDTST collects and processes a wide range of personal information, or data, about certain individuals. These will include the following:
· past, present and future employees
· past, present and future pupils
· the parents/carers of past, present and future pupils
Personal information may be held by the DDTST on paper or electronically in its capacity as “Data Controller”. The DDTST needs to collect and process data in order to fulfil its legal rights, duties and obligations, including those required to form contracts with families and staff. The DDTST Group is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”). The purpose of this privacy notice is to make you aware of how and why we collect and use personal information both during and after our relationship. We are required under the GDPR to notify you of the information contained in this privacy notice.
Data protection principles Under the GDPR, there are eight data protection principles that the DDTST must comply with. These provide that the personal information we hold about you must be:
1. Processed lawfully, fairly and in a transparent manner.
2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to those purposes.
4. Accurate and, where necessary, kept up to date.
5. Retained in a form that permits identification for no longer than is necessary for those purposes.
6. Processed in accordance with a data subject’s rights.
7. Processed in a way that ensures appropriate security of the data.
8. Kept in the UK and not transferred abroad.
The DDTST must be able to demonstrate compliance with these principles. For the Purposes of collecting and storing personal information The DDTST will only use personal information when the law allows us to. These are known as the legal bases for processing. We will use personal information in one or more of the following circumstances:
· Where we need to do so to take steps at your request prior to entering into a contract with you, or to enter into a contract with you
· Where we need to comply with a legal obligation
· Where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests. We need all the types of personal information listed under “What types of personal information do we collect about you?” primarily to enable us to take steps at your request to enter into a contract with you and to enable us to comply with our legal obligations. In some cases, we may also use your personal information where it is necessary to pursue our legitimate interests (or those of a third party), provided that your interests or your fundamental rights and freedoms do not override our interests. The purposes for which we are processing, or will process, your personal information include (but are not limited) to: Pupils:
· monitor pupils’ ongoing progress.
· maintain effective communication with families through emails, texts and Portal messages
· hold medical details, including known allergies or specific health concerns, so that we may act in case of emergency
· enable pupils to take part in any assessments and for us to publish the results
· continue our relationship with past pupils as they become alumni
· provide references for future educational establishments or potential employers of past pupils .
Staff:
· manage the recruitment process of staff and assess suitability for employment or engagement through the collection of references
· administer the contract we have entered into with you
· maintain an accurate record of your employment and engagement terms
· comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK
· ensure compliance with your statutory rights
· ensure effective HR, personnel management and business administration
· ensure compliance with income tax requirements,
· monitor equal opportunities
· plan for career development and succession
· enable us to establish, exercise or defend possible legal claims
General:
· fulfil our legal duties as required by law such as the monitoring of equality, diversity, gender pay gap analysis etc
· for security purposes, including the collection of images on CCTV in accordance with the Security Policy
· use photographic images of pupils in school publications, on the school websites and (where appropriate) on the social media channels in accordance with the Use of ICT Policy
· where otherwise reasonably necessary for the purposes of DDTST , including to obtain appropriate legal or professional advice. In addition, the DDTST may need to process special category personal data or criminal records information in accordance with rights or duties imposed on it by law, including for safeguarding and employment, or from time to time by explicit consent where required. These reasons may include to:
· safeguard pupils' welfare and provide appropriate pastoral and/or medical care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition where it is in the individual's interests to do so
· carry out in-depth staffing checks, such as a prospective employee’s criminal record check with the DBS
· comply with legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with any legal obligations and duties of care. What types of personal information do we collect about you? Personal information is any information about an individual from which that person can be directly or indirectly identified. It doesn’t include anonymised data, i.e. where all identifying particulars have been removed. The DDTST collects, uses and processes a range of personal information. This includes (as applicable):
· contact details, including names, addresses, telephone numbers, e-mail addresses etc
· personal information about a child as included in a Registration form.
· personal information about a prospective or future member of staff as included in a CV, Application Form, covering letter or interview notes
· information about a staff member’s right to work in the UK, copies of qualification certificates, copies of driving licences or passports for identity checks or other background check documentation
· information about staff members’ salary levels.
· bank details and other relevant financial information for monthly staff payrolls
· details in case of emergency
· images or pupils, families, staff and others captured by CCTV systems on each site, in accordance with the Security Policy
· pupils’ dance exam, disciplinary, admissions and attendance records.
· detailed information about an individual’s health
· details of an individual’s next of kin
· information about criminal convictions and offences .
We do store bank or credit card details from parents who pay school fees electronically. How do we collect your personal information? The DDTST collects personal information about you directly from you. We may also collect personal information from other external third parties, such as references from current and former employers, information from background check providers, information from credit reference agencies and criminal record checks from the Disclosure and Barring Service (DBS). The DDTST will only seek personal information from third parties during the recruitment process once an offer of employment or engagement has been made to you and we will inform you that we are doing so. Your personal information may be stored in different places, including on your application record, in the DDTST HR management system and in other IT systems, such as the e-mail system. What if you fail to provide personal information? If you fail to provide certain personal information when requested, we may not be able to process your application properly or at all, as we may not be able to enter into a contract with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory rights. It is likely to harm any chance of employment with the DDTST.
Change of purpose : We will only use your information for the purposes for which we collected it. However, if your job application is unsuccessful, the DDTST may wish to keep your personal information on file in case there are future suitable opportunities with us. We will ask for your consent before we keep your personal information on file for this purpose. Your consent can be withdrawn at any time. Who has access to your personal information? Your personal information may be shared internally within the DDTST, including with members of the HR department or recruitment team. Occasionally, the DDTST will need to share personal information relating to its community with third parties including:
· external organisations (eg DBS) for the purposes of conducting pre-employment reference and employment background checks
· former employers or schools to obtain references
· professional advisors, such as lawyers, accountants and insurers
· relevant authorities, such as HMRC or the Police
· external IT providers
· external auditors
· regulatory bodies such as the ISTD For the most part, personal data collected by the DDTST will remain within the DDTST and will be processed by appropriate individuals only on a ‘need to know’ basis. With increased use of social media in all areas we now use our website as more than an information tool. For example, we advise, update and/or send reminders to parents/carers of events, trips etc. using different forms of social media, i.e. messaging service, and Twitter. When using our messaging service, we have to share your contact details with the company who sends the messages, which at present is Dancebiz . In accordance with Data Protection Law, some of the DDTST processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the DDTST specific directions. Where your personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes. The DDTST also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
For how long does the DDTST keep your personal information? The DDTST will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed. If a prospective staff member’s application for employment or engagement is unsuccessful, the DDTST will generally hold personal information for six months after the end of the relevant recruitment exercise. However, please bear in mind that the School may have lawful and necessary reasons to hold on to some data. Personal information that is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable. In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period. Your rights in connection with your personal information As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
· request access to your personal information - this is usually known as making a ‘data subject access request’ and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
· request rectification of your personal information - this enables you to have any inaccurate or incomplete personal information we hold about you corrected
· request the erasure of your personal information - this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
· restrict the processing of your personal information - this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy
· object to the processing of your personal information - this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
·. If you believe that the DDTST has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. Data Accuracy and Security DDTST will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the Principal, Deborah Day of any significant changes to important information, such as contact details, held about them. An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why the DDTST may need to process your data, or who you may contact if you disagree. The DDTST will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around the use of technology and devices, and access to school systems. All staff have been made aware of this Notice and their duties under Data Protection Law, and have received relevant training.
Transferring personal information outside the European Economic Area:
The DDTST will not transfer your personal information to countries outside the European Economic Area.
Automated decision: making Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention. We do not envisage that any recruitment decisions will be taken about you based solely on automated decision-making, including profiling. Changes to this privacy notice The DDTST reserves the right to update or amend this privacy notice at any time. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways. Data Protection Policy The latest up-to-date Data Protection and GDPR Policy is available to download from the school’s website. If you have any questions about this privacy notice or how we handle your personal information, please contact The Principal, Miss Deborah Day
Reviewed May 2018