Ffôn: 01248 712287 • E-bost: email@example.com
(How we use pupil information)
In accordance with data protection legislation, this notice gives you information about the
data we hold about you/your child, how we use it, your rights in relation to it and the
safeguards that are in place to protect it.
The right to privacy is very important to us and we appreciate that you trust us to act in a
responsible manner when you give us personal information. Personal data, or personal
information, means any information about an individual from which that person can be
The school is registered as a data controller with the Information Commissioner’s Office
(ICO). Full details of the registration are available via the ICO register of data controllers.
The school as the data controller is responsible for the personal data of pupils.
We also have a ‘Privacy Notice- Schools- Children and Young People’ version that is
designed specifically for children and young people to read.
The categories of pupil information that we process:
- personal identifiers and contacts (such as name, date of birth, unique pupil number,
contact details and address)
- characteristics (such as ethnicity, language, nationality, country of birth and free school
- safeguarding information (such as court orders and professional involvement)
- special educational needs (including the needs and ranking)
- medical and administration (such as doctors information, child health, dental health,
allergies, medication, dietary requirements and Covid-19 test results and related
- disability status
- food allergies (for catering)
- attendance (such as sessions attended, number of absences, absence reasons and any
previous schools attended)
- assessment and attainment- information on performance in internal and national
assessments and examinations (such as post 16 courses enrolled for and any relevant
- behavioural information (such as exclusions and any relevant alternative provision put in
- information about attendance on school trips and activities (safety issues and risks for
keeping a pupil safe, emergency contact details, next of kin)
- personal information regarding pupil’s parents/guardians and/or other relatives (such as
name, contact details and relation to the child)
- photographic, visual and video images, audio recordings, on-line live streaming and recordings, and CCTV footage (for learning, assessment, safety and identity purposes
Why we collect and use pupil information
The personal data collected is essential in order for the school to fulfil our official functions
and meet legal requirements.
We collect and use pupil information, for the following purposes:
- to support pupil learning
- to safeguard pupils
- to monitor and report on pupil attainment and educational progress
- to provide appropriate welfare and pastoral care
- to assess the quality of our services
- to assess special educational needs and transport requirements
- to keep children safe (food allergies, or emergency contact details)
- to meet the statutory duties placed upon us by the Welsh Government and Public Health
Wales with regard to protecting public health
- to monitor attendance and absence data
- to communicate effectively and to provide support and guidance to pupils, parents and
- to enable pupils to move from one educational setting to another seamlessly or where
we have co-operation arrangements with other schools, for delivery of local curricular
- to meet the statutory duties placed upon us by the Welsh Government with regard to data collection
- to maintain our accounts and records
- to organise educational events and trips
- for planning and management of the school
- to record monetary payments to and from pupils and parents/guardians
- to comply with data protection legislation
- to share data for statutory audit and monitoring purposes
- for security monitoring and the prevention and detection of crime (CCTV)
The information will not be used for purposes that are not compatible with why it is gathered
in the first instance, unless we reasonably consider that we need to use it for another
reason and that reason is compatible with the original purpose. Please note that we may
process personal data without your knowledge or consent, where this is required or
permitted by law.
We collect and use personal information because we have one of the following legal bases for processing (Article 6 (GDPR)):
- to comply with a legal obligation
- to perform a public interest task
- for the performance of a contract
Less commonly, we may also use personal information where:
- you have given us consent to use it in a certain way (example- use of pupil photos on
websites, social media)
- we need to protect your vital interests (or someone else’s interests
Where you have provided us with consent to use personal data, you may withdraw this
consent at any time.
We are required to share information under specific legislation and regulations.
Some of the reasons listed above for collecting and using personal information overlap, and
there may be several grounds which justify the school’s use of your data.
If we process any special category data, in addition to one of the legal bases above,
processing will be necessary because one of the conditions under Article 9 (GDPR) applies.
We may collect and use the following special category information that reveals information
- racial or ethnic origin
- religious or philosophical beliefs
- biometric data (where used for identification purposes)
- physical or mental health
- offences or alleged offences
We apply the following principles where we use personal information
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes ('purpose limitation')
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- kept in a form which permits identification of data subjects for no longer than is
- processed in a manner that ensures appropriate security of the personal data.
How we collect pupil information
We collect pupil information via admission forms, registration forms and consent forms
usually completed at the start of each academic year, but we may also collect information at
other times during the school year. In addition, when a pupil joins us from another school,
we are sent a secure file containing relevant information.
We may also collect, store and share personal information including photographs, images
and audio recordings via technologies that are used for on-line learning purposes and for
communicating with pupils, parents and the wider community. This could be via
technologies, apps and social media accounts (such as Microsoft Teams, Zoom, Facebook
We have CCTV systems in key locations for the purposes of safety and the prevention and
detection of crime. Signs are prominently displayed notifying that CCTV is in operation and
providing you with details of who to contact for further information about them. We will only
disclose CCTV images to third parties for the purposes of public safety and the prevention
and detection of crime.
Pupil data is essential for the schools’ operational use. Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us (and if so, what the possible consequences are of not complying), or whether you have a choice.
How we keep information accurate and up to date
We want to make sure that personal information is accurate and up to date. We ask that
pupils, parents and carers take reasonable steps to ensure that the personal data that we
hold about you and your child/those in your care, is accurate and that you update us of any
changes. We will regularly confirm with you that the information held is correct, in particular
addresses and contact details. We will update the information as soon as possible both in
paper and in electronic records.
How we store pupil data
Personal data is stored in line with our Schools Data Protection Policy.
How long we keep the information before it is securely disposed of varies depending on the
type of information, legal requirements and school need. We will process pupil data
securely for the above purposes for no longer than necessary and in accordance to the set
amount of time contained in our Schools Data Retention Schedule. This document can be
obtained by contacting the Headteacher.
Who we share pupil information with
Where necessary and lawful, or when required by legal obligation, we may share relevant
- school staff and the Governing Body
- family, carers and associates
- other education and training bodies, including schools, when pupils are applying for
courses, training, school transfer or seeking guidance on opportunities
- our local authority, the Isle of Anglesey County Council, and other local authorities as
- Social services and other health and welfare organisations where there is a need to
share information to protect and support individual pupils
- Welsh Government
- Education and training inspectorate (Estyn) and other regulatory bodies
- GwE (School Effectiveness and Improvement Service for North Wales)
- youth support services
- education, training and examining bodies
- NHS/school nurse/other healthcare professionals- either directly or via the local
- Test, Trace and Protect Service (Public Health Wales) relating to Covid-19 matters
- bodies doing research for the Welsh Government, local authority and schools, so
long as steps are taken to keep the information secure
- Police forces
- the press and media
- agencies commissioned by us that provide services on our behalf.
We are also required by law to protect the public funds we administer and may share
information provided to us with other bodies responsible for auditing or administering public
funds in order to prevent and detect fraud and irregularity.
Why we routinely share pupil information
We do not share information about our pupils with anyone without consent unless the law
and our policies allow us to do so.
Where appropriate, we will commit to develop and implement formal data sharing
agreements based on the common set of principles and standards in accordance with the
Wales Accord on the Sharing of Personal Information (WASPI).
Welsh Government & Local Authority
We are required to share information about our pupils with the Welsh Government either directly or via our local authority, the Isle of Anglesey County Council, for the purpose of data collections, under the Pupil Information (Wales) Regulations 2011.
The Welsh Government collects personal data throughout a pupil’s school life from
educational settings and local authorities via various statutory data collections such as:
- Pupil Level Annual School Census (PLASC)
- Educated other than at school (EOTAS) pupil level collection
- National data collection (NDC)
- Attendance collection
- Welsh National Tests (WNT) data collection
- Post 16 data collection
In addition to the data collected as part of PLASC, the Welsh Government and local
authorities also receive information regarding National Curriculum assessments, public
examination results, and attendance data at individual pupil level, which comes from
schools and/or awarding bodies (e.g. WJEC).
The local authority also uses the personal information collected via PLASC to do research.
It uses the results of this research to make decisions on policy and the funding of schools to
calculate the performance of schools and help them to set targets. The research is carried
out in such a way that ensures individual pupils cannot be identified.
The pupil data that we lawfully share with the Welsh Government through data collections,
is used for the below purposes:
- statistical and research purposes which will help to inform, influence and improve
- monitor the performance and how well the education services are being provided so
that they can be improved
- help monitor and target funding effectively
- publication purposes
- production of school and local authority level analysis for schools, local authorities
- inform wider education and social policies
- research purposes wider than education (data is anonymised)
To find out more about the data collection requirements placed on us by the Welsh Government, including the data that we share with them, go to https://gov.wales/data-collection-and-information-management-for-schools
All data is transferred securely and held by the Welsh Government under a combination of
software and hardware controls, including HWB (digital platform for learning and teaching in
Test, Trace and Protect Service (Public Health Wales)
We may be required to share your personal information with the Test, Trace and Protect Service, and in some cases with the Isle of Anglesey County Council, in order to protect pupils, school staff and the wider community against the spread of Covid-19.
To find our more about the Test, Trace and Protect Service, go to https://gov.wales/test-trace-protect
Youth support services
We also pass pupil information to our local authority and/or providers of youth support services, under the Learning and Skills Act 2000 and the Learning and Skills (Wales) Measure 2009, as they have responsibilities in relation to education or training from age 11 to 19.
This enables them to provide services as follows:
- youth support services
- careers advisers
- post-16 education and training providers
The information shared is limited to the pupil’s name, address and date of birth. However
where a parent or guardian provides their consent, other information relevant to the
provision of youth support services will be shared. Under the Learning and Skills Act 2000,
this right is transferred to the child/pupil once he/she reaches the age of 16.
Data is securely transferred to the youth service.
For more information about services for young people, please visit our local authority
How we look after your information
Under data protection legislation, we must protect any information that we collect from you.
We have put in place appropriate security measures and applied security standards and
controls to prevent personal data from being accidentally lost, used or accessed in an
unauthorised way, altered or disclosed.
Information which you have provided will be stored securely. In addition, we limit access to
personal data to those employees, contractors and other third parties who need to have
access to it. They will only process your personal data on our instructions and they are
subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your data protection rights
Under data protection law, you have rights including:
Your right to obtain confirmation that information about you is being used
Your right of access - you have the right to ask us for copies of your personal
information (please see ‘requesting access to your personal data’ below for more
Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - you have the the right to object to the processing of your personal data in certain circumstances. You have the right to object to processing of personal data that is likely to cause, or is causing, damage or distress.
Your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
In certain circumstances, you also have the following rights to:
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- seek redress, either through the ICO, or through the courts.
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to request access to
information about them that we hold. This is commonly known as a “data subject access
request”. This enables you to receive a copy of the personal data we hold about you and to
check that we are processing it lawfully.
To make a request for your personal information, or be given access to your child’s
educational record, contact the school office directly.
You will be provided with copies of your personal data within the statutory period of one
month (or if providing your personal data is a complex matter, this will be done as soon as
is reasonable within 3 months).
We may need to request specific information from you to help us confirm your identity and
ensure your right to access your personal data (or to exercise any of your other rights). This
is a security measure to ensure that personal data is not disclosed to any person who has
no right to receive it. We may also contact you to ask you for further information in relation
to your request to speed up our response.
Your personal data will be provided to you free of charge, however, if your request is clearly unfounded, repetitive or excessive, a reasonable fee will be charged. Alternatively, we may refuse to comply with your request in these circumstances.
The following are details of the school as the data controller:
Name of School: Ysgol David Hughes
Telephone: 01248 712287
Address: Pentraeth Road, Menai Bridge, Anglesey, LL59 5SS
We have also appointed a Schools Data Protection Officer through the local authority. If you
have any questions about this Privacy Notice, including any requests to exercise your legal
rights, please contact the Schools Data Protection Officer using the details set out below:
Telephone: 01248 751 833
Address: Learning Service, Isle of Anglesey County Council, Council Offices, Llangefni,
Anglesey, LL77 7TW
You have the right to make a complaint at any time to the Information Commissioner’s
Office (ICO) who is the independent regulator for data protection. If you have a concern or
complaint about the way we are collecting or using your personal data, you should raise
your concern with us in the first instance, so that we can try to resolve any issues.
Information Commissioner’s Office (ICO):
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Advice and guidance is available via their website www.ico.org.uk
Changes to our Privacy Notice
We keep our Privacy Notice under regular review and will share any revisions.