Thank you for visiting our website www.stjohns-primary.surrey.sch.uk. We consider the privacy of its users to be a serious issue. This Policy sets out the basis on which any personal data provided to us by you, or received by us from third parties, will be used by us.
Please read this Policy carefully and ensure that you understand our rights and responsibilities under it.
We, St John’s C of E Primary School, are the data controller of personal data provided to us and are registered as a data controller with the ICO under the DfE.
We have appointed a Data Protection Officer who is responsible for addressing data protection matters, including any questions you may have in relation to this Policy. You can contact our Data Protection Officer at firstname.lastname@example.org
Full details are set out in the relevant sections of this Policy below, but in summary:
- we generally receive personal data relating to you directly from you. For example, we will receive that data if you contact us through the Site or otherwise, or if we deal with you in our operations;
- personal data may occasionally be provided to us by third parties with whom each of you and us have some form of relationship. For example, if we deal with your employer in relation to a project which involves you, then they might provide us with your contact details;
- we use your data to improve our Site, conduct our operations, keep appropriate records and meet our legal obligations;
- we only provide your personal data to third parties for our limited purposes or as permitted by law. We don’t share your data with third party advertisers;
- we store data for specified periods for our limited purposes;
- you have certain rights, prescribed by law, in relation to the processing of your data, such as rights to request access, rectification or deletion of your personal data;
- you can contact us to enquire about any of the contents of this Policy.
Importantly, this Policy does not apply to our staff, or to students, pupils or parents. We have provided or will provide information to those individuals separately to explain how we handle and use their personal information.
Our use of personal data
This section of our Policy describes:
- the kinds of personal data that we may collect, use, store and transfer. We have grouped that data together into different categories based on its subject matter;
- our purposes in processing that data; and
- in each case, the legal basis of our processing. The legal basis means one of the permitted bases for processing set out in Article 6 of the General Data Protection Regulation (GDPR). We are required by law to identify this legal basis to you.
Personal data we obtain from you
If you correspond or communicate with us, whether through the Site, by email, by telephone or otherwise, then we may process personal data which is contained in the relevant communication (e.g. the contents of correspondence, or notes of the subject matter of telephone calls) or which relates to the communication (e.g. your contact details or job title). All of this together is communications data. We process communications data for the purposes of communicating with you. If you have indicated your interest in our educational services or in our operations, then we may also process communications data for the purposes of addressing your enquiry.
If we deal with you or your organisation, for example as a supplier, customer, collaborator or commercial partner, then we may process personal data such as your contact details for the purposes of setting up an account in our systems or otherwise administering our relationship with you. We may also process personal data within all related correspondence and documents such as proposals or contracts, whether created by us or provided to us. We call all of this account data, and we process it for the purposes of purchasing products and services and administering our dealings with others.
We may process personal data relating to transactions, such as bank account details, contact details or transaction data in relation to payments made by us to you or by you to us (transaction data). This may include your contact details, any bank account or sort code information provided for the purposes of making or receiving payment, and the transaction details (such as POs or invoices). We process transaction data for the purpose of making and receiving payments.
We may process personal data relating to any visit you make to our premises, such as your vehicle registration number, contact details, role, the purpose of your visit or your movements around our site. We might also ask you to sign certain waivers or acknowledgements in order to access certain areas of our premises. We call all of this visitor data and we will process it for the purposes of ensuring your visit is properly recorded and is safe.
We have installed CCTV systems in some of our premises. We may process stills or footage which contain images of individuals (CCTV data). CCTV data may be processed by us for the purposes of security, safety and the prevention and detection of crime.
We may process technical data about your use of the Site, such as your browser type and version, operating system, time zone setting and location, referral source, length of visit, or navigation around the Site (for instance, which pages are viewed and for how long). This data is aggregated and anonymised in such a way that it contains no information relating to any identifiable individual at all: it is not actually personal data, but we mention it in this Policy for the sake of completeness. We process technical data for the purpose of improving our Site.
Personal data we obtain from others
Your personal data may be provided to us by someone other than you: for example, by your employer, by an organisation with whom you and we are both dealing. Normally this data will be communications data or account data as described above and will be processed by us for the purposes described above.
Our other processing
We may also process any of the data described above:
- for the purposes of record-keeping and back-up and restoration of our systems;
- as required by law or in connection with legal claims.
Our legal basis of processing
We will process personal data only on lawful bases. In particular, we will process personal data on the following lawful bases identified in Article 6 GDPR:
- for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing communications data, account data, transaction data or visitor data;
- for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
  - correspondence, account and visitor data (as we have an interest in properly administering our business and communications, and in developing our relationships with interested parties);
  - transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
  - any personal data identified in this Policy where necessary in connection with legal claims (as we have an interest in being able to conduct and defend legal claims to preserve our rights);
  - CCTV data (as we have an interest in the security of our premises); and
  - any personal data identified in this Policy in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data);
- in performing our public functions (Article 6(1)(e) GDPR). This may be our basis for processing any of the personal data identified above if we do so in connection with carrying out specific tasks in the public interest (for example, in our teaching or governance activities). If we process personal data in carrying out activities unrelated to our public functions, then we do so on one of the bases set out above.
Disclosures of your personal data
We may disclose your personal data to our suppliers or contractors in connection with the uses described above. For example, we may disclose:
- any personal data in our possession to suppliers which host the servers on which our data is stored;
- transaction data to our accountants; and
- account data to contractors who help us administer our operations.
We do not allow our suppliers or contractors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law.
We may disclose your personal data as necessary to comply with law (e.g. to Government or law enforcement).
We may disclose your personal data to our legal or professional advisors in order to take advice, but will do so under obligations of confidentiality.
If any part of our operations is sold to, transferred to, or integrated with, another organisation (or if we enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
Transfers outside the EEA
Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers by our appointed data processors will only be made lawfully (e.g. to countries in respect of which the European Commission has made an “adequacy decision”, or with appropriate safeguards such as the use of standard clauses approved by the European Commission or the use of the EU-US Privacy Shield). You may contact us if you would like further information about these safeguards.
We take appropriate technical and organisational security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation.
If we become aware of any personal data breach then we will notify you and the ICO as required by law.
Retention and deletion of your data
We will only process your personal data for as long as is needed for the purposes for which we process it, and will delete it afterwards. In particular:
- technical data which is anonymised (and therefore not personal data) may be retained by us indefinitely (but is typically deleted within a few months);
- communications data which relates only to enquiries and not to a business relationship will be retained for the period of the enquiry or chain of correspondence and then deleted after approximately twelve months;
- account and transaction data, and communications data relating to our business relationship with you, will be retained for approximately six years after the end of the relevant business relationship.
We may retain your personal data longer where necessary to comply with law.
Your legal rights under GDPR
We have summarised below the rights that you have under data protection law. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for more information. You have:
- the right to access: if requested, we must confirm what personal data of yours we process, and must provide you with access to that data and further information about our processing;
- the right to rectification: if requested, we must correct or complete any inaccurate or incomplete personal data of yours;
- the right to erasure: you can request that we erase your personal data in limited circumstances (for instance, if we use it for marketing or no longer need it for our other purposes). This is not an absolute right and we may be entitled to retain your data where necessary (e.g. to comply with law);
- the right to restrict processing: you can request that we restrict the processing of your personal data in limited circumstances. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest);
- the right to object to processing: you can object to our processing of your personal data on the basis of our legitimate interests. We may be entitled to continue processing in certain circumstances (e.g. if we have compelling grounds to do so, or to comply with law);
- the right to data portability: you have a right to receive your data from us in an easily-portable format in limited circumstances: i.e. if we process that data on the basis of a contract with you and by automated means. This is unlikely to apply in most circumstances; and
- the right to complain: if you believe we are in breach of applicable law, you can complain to the Information Commissioner’s Office. For more information, see https://ico.org.uk/concerns/.
You may exercise any of your rights in relation to your personal data by written notice to us.
Cookies
A cookie is a small file of letters and numbers stored on your browser or the hard drive of your computer, to distinguish you from other users of the Site.
- Strictly necessary cookies. These are cookies that are required for the operation of the Site, such as cookies that enable you to log into secure areas;
- Analytical/performance cookies. They allow us to collect usage data to analyse the use of our Site;
- Functionality cookies. These recognise users to enable us to remember user preferences (for example, your choice of language or region).
You can change your browser settings to refuse and delete cookies. Further information is available at www.aboutcookies.org or at the support pages made available by your browser operator.
You can contact us:
- by post at St John's C of E Primary School, Markfield Road, Caterham, Surrey CR3 6RN;
- by telephone at 01883 342009; or
- by email at email@example.com; or
- by email to our Data Protection Officer at firstname.lastname@example.org.
Third Parties and Security
The Site may contain links to third party websites or refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.
Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.
Changes to this Policy
We may notify you of material changes to this Policy using the contact details you have given us, and otherwise may update this Policy from time to time on our Site. You should check this Policy from time to time.
Last updated: 24 May 2018