6. Protecting privacy
Achieving for Children Privacy Notice
School Support Services – School Admissions and Child Employment
Data Protection Act 2018; General Data Protection Regulation (2016).
As a provider of services for the Royal Borough of Windsor and Maidenhead local authority, Achieving for Children (along with other agencies such as schools and early years settings) process information about children and young people in order to help administer education and service provision. In doing so we must comply with the Data Protection Act 2018, Human Rights Act 1998 and the European Union General Data Protection Regulation (2016).
This means (amongst other things) that the data held about children must only be used for specific purposes allowed by law. The following information explains the types of data held, why that data is held, and to whom it may be passed on.
Types and use of data
Types of data
The categories of child and young person’s information that we process includes personal identifiers and contacts (such as applicant name, pupil’s name, unique pupil number, contact details, school history and address history)
Use of data
We collect and use data to carry out the statutory function of providing a school place for statutory age children, including the administration of school admission appeals, fair access allocations and data returns central government departments.
Under the General Data Protection Regulation (GDPR), the legal basis / bases we rely on for processing personal information for general purposes are The General Data Protection Regulation conditions Article 6, paragraph 1:
- Section a: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Section c: processing is necessary for compliance with a legal obligation to which the controller is subject;
- Section e: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Section f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Collecting child and young person’s information
We collect personal information via a number of means including:
- Face to face interviews
- Telephone conversations
- Written letters, and emails
- Forms and documents submitted through websites
- From other 3rd parties
Children and young person’s data is essential for the local authority’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with the data protection legislation, we will inform you at the point of collection, whether you are required to provide certain personal information to us or if you have a choice in this.
Storing child and young person’s data
We hold data securely (either in locked and secured databases or storage facilities for ‘hard copy’ documents). Hard copies of documents are destroyed after six years. Data remains on the online system until the pupil is 20 years of age.
Sharing data and information
Information may be shared with other agencies for statistical or research purposes only.
Data is also used and passed on for specific purposes to the following agencies:
- Department for Education (DfE),
- Local Government Ombudsman (LGO)
- Office of the School’s Adjudicator (OSA)
- Education and Skills Funding Agency (EFSA)
Department for Education
The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our children and young people with the Department for Education (DfE) for the purpose of those data collections, under:
- section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
All data is transferred securely and held by DfE under a combination of software and hardware controls which meet the current government security policy framework.
Other external agencies
We may need to pass your information to external organisations and other service providers, but only where it is necessary or to comply with a legal obligation, or where permitted under the Data Protection Act or the General Data Protection Regulation. When disclosing personal data to a third party we will strive to ensure that the third party has sufficient procedures and systems in place to prevent the loss and unlawful use of that data. We have an overarching information sharing protocol agreed with other partners so you can be confident local partners all comply with the same privacy principles.
We may also share information with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud or crime. These third parties include other departments within the Royal Borough of Windsor and Maidenhead, other local authorities, Shared Audit and Investigation Service Wokingham), Shared Legal Services (Wokingham) the police.
Single Point of Access (SPA) and Multi Agency Safeguarding Hub (MASH)
Sharing information about individuals with partner organisations is sometimes necessary in order to protect individuals if there are concerns they may be at risk of significant harm and to keep those individuals and the wider public safe.
Partner agencies included in the Achieving for Children MASH include:
- Social Care Services
- Metropolitan Police
- Health services
- Probation services
- Education and schools
- Housing services
- Child and Adolescent Mental Health Services (CAMHS)
- Targeted Support services
- Youth Offending services
Information will be processed within the MASH under strict protocols in accordance with the Data Protection Act 2018 and other relevant legislation. Information will be held securely by Achieving for Children and will only be used and shared on a strict need to know basis with limited partners, for the purposes of keeping children or young people safe or ensuring they get the best services they need. Personal information may also be shared if there is a lawful reason to do so such as for crime prevention or detection purposes or where it is in the interest of maintaining public safety. The parent / carer will normally be informed at the time the enquiry is made unless this could place the child or someone else at further risk or undermine a police investigation.
Personal information held in the MASH will be deleted when it is no longer needed for these purposes, in accordance with formal record retention policies (https://www.achievingforchildren.org.uk/wp-content/uploads/2016/11/doc-retention-schedule.pdf)
All these are data controllers and are subject to the same legal constraints. Other disclosures may be made as required by law.
Sharing information with our partner councils
We will use information about you for the provision of services. This includes (but is not limited to) accessing the Royal Borough of Windsor and Maidenhead's council tax database to verify your address information.
We may also check information you have provided, or information about you that someone else has provided, with information already held by us. We may also receive information about you from certain third parties, or provide them information in order to:
- prevent or detect fraud or crime
- to protect public funds
- to ensure the information is correct
Schools and education information
We hold information about young people living in our area, including about their education and training history. This is to support the provision of their education up to the age of 20 (and beyond this age for those with a special educational need or disability). Under parts 1 and 2 of the Education and Skills Act 2008, education institutions and other public bodies (including the Department for Education (DfE), police, and probation and health services) may pass information to us to help us to support these provisions
How we communicate
Wherever possible we use secure means to communicate our information. This is usually through the use of systems and databases that have very limited access and high levels of security to ensure the risk of data loss is minimised.
Where we send information it is usually sent using secured data connections within Achieving for Children and between partners. When we email information to external partners we use secure email processes wherever possible that encrypt information.
With the advent of new technologies using email as a method of communication is becoming more widespread. If you have a preference to receive your communications from us in alternative ways please liaise with your Achieving for Children worker or school.
Whilst Achieving for Children has a presence on social media we will never process, publish or communicate sensitive or personal information using these forums and would not enter into personal communications with any parties using these methods.
Data rights and access
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s record, contact
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to seek redress, either through the ICO, or through the courts
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact our Data Protection Officer: [email protected]