Castle Rushen High School

Care, Quality, Opportunity

Fair Processing Notice

The Headteacher in the name of Castle Rushen High School as Data controller

The Headteacher, in the name of Castle Rushen High School, is a data controller for the purposes of the Data Protection Act 2002/General Data Protection Regulation (Isle of Man) Order 2018. The contact details for the Data Controller are Castle Rushen High School of Arbory Road, Castletown, Isle of Man IM9 1RE.

In addition to the information set out in the Isle of Man Privacy Notice, we may also collect the following information about your child as required by the Education Act 2001 and the Registration of Pupils Regulations 2016:

  1. full legal name and where known, any former name or names;
  2. gender;
  3. date of birth;
  4. unique pupil number;
  5. ethnic group and by whom that information was provided;
  6. first language;
  7. date of admission to the school;
  8. year group;
  9. the address and postcode of the pupil's usual residence and any other properties at which the pupil is also known to reside on occasion;
  10. the name and address of every person known to the school to be a parent of the pupil and at least one emergency contact telephone number;
  11. the name and address of any other schools the pupil is known to have attended, if any, and in the case of guest registration, any other schools at which the pupil is registered;
  12. full-time or part-time;
  13. day pupil or boarder;
  14. date of leaving the school;
  15. usual mode of transport to and from school;
  16. for any pupil who is known to the head teacher to be or to have been looked after by an appropriate organisation, the name of that organisation;
  17. (where applicable) that the pupil has been found eligible for free school meals;
  18. Attendance;
  19. Medical information for the vital interests of children where appropriate;
  20. Educational psychologists reports and supporting documents;
  21. Academic achievements;
  22. Skills and abilities;
  23. Educational progress;
  24. Special educational needs information;
  25. Suspension information;
  26. Course information;

The Data Protection Officer for the Department of Education, Sport and Culture is: Andrew Shipley, Department of Education, Sport and Culture, Hamilton House, Douglas. IM1 5EZ. Tel 01624 685828. Email: DPO-DESC@gov.im.

How we will use the information we collect about you

Castle Rushen High School may use your information to:

  • register your child at the school;
  • record attendance information;
  • produce an educational record containing:
    • Information about your child
    • Personal education plans
    • Educational psychologist's reports and accompanying documents
  • produce a curricular record containing:
    • Academic achievements;
    • Skills and abilities; and
    • Educational progress
  • produce a record of special educational needs and special needs provision, if appropriate detailing:
    • The type of special need;
    • A ranking of the special needs if there is more than one;
    • The special needs provision being made; and
    • Whether teaching is in a special education needs unit or elsewhere
  • record details of suspensions
  • produce a record of the studies undertaken;
  • help prevent and detect crime

Castle Rushen High School has a statutory obligation to check and verify the data you provide to us on registration documents and on consent forms. This may include checks of publicly available information but in some cases, where it is necessary and relevant, the information you provide may be disclosed or shared with other organisations.

How we will share the information we collect about you

App or Service Details Consent Required

BSquared

more information

Data Shared: Name, DOB, Medical, SEN data

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: Student record held for DOB +25years.


No

DESC Attendance

Data Shared: Name, School, Attendance data if less than 80%

Sharing Basis: Public interest + official authority of the DC

Security Protocols: Secure access or information sent by email password protected

Server/Data Location: EEA

Retention Period: As needed while resolving issues


No

DESC Department of Education, Sport and Culture

more information

Data Shared: 1. Attendance information 2. Exam information – pseudonymised so no person identified to DESC 3. Careers - Name, contact details, year group 4. Destination data - Year group, course being undertaken pseudonymised so no person identified to DESC. 5. Subject collaboration between schools - Name, DOB, teacher names, timetables, attendance, attainment and effort grades. 6. Youth Service - Name and contact details to participate in surveys.

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: 1. As needed if attendance falls below 80% 2. Public record of aggregated results 3. August after leaving school 4. January following leaving school. 5. DOB + 25 years unless subject to legal action 6. Within one month


No

DHA IOM Constabulary

Data Shared: Name, age, address, contact details.

Sharing Basis: Legal / carried out in public interest

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: As determined by legal proceedings.


Yes

DHSC

more information

Data Shared: To receive information about HPV Department of Health and Social Care -Girls name, DOB, contact data

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller. Vital interests of the data subject

Security Protocols: An appropriate level of network and account security are in place

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: August after information sent.


No

DHSC - CAMHS

Data Shared: Name, DOB, contact details, attendance data

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: DOB + 25 years


Yes

DHSC - Child Protection cases

Data Shared: Name, DOB, contact details, attendance data, pupil record, incident and accident reports, communications between school and parent

Sharing Basis: Vital interests of the data subjects

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: Deleted one year after coming off child protection.


No

DHSC Community nurses

more information

Data Shared: Name, DOB, contact details, Attendance data

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: August after reaching 16


Yes

DHSC Dental Survey

more information

Data Shared: Child’s name, date of birth

Security Protocols: Information sent password protected with the password sent via an alternative means of communication

Server/Data Location: EEA

Retention Period: Current year


Yes

DHSC Dental Survey

more information

Sharing Basis: For completion of the Dental Survey

Security Protocols: An appropriate level of network and account security are in place

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: August after the information supplied


Yes

DHSC School / Community Nurses

more information

Data Shared: Child's name, date of birth, current address, previous address, current school and previous school

Security Protocols: Information sent password protected with the password sent via an alternative means of communication

Server/Data Location: EEA

Retention Period: Current year


Yes

Drug & Alcohol Team (DTA)

more information

Data Shared: Name, DOB, contact details, attendance data

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: August after reaching 16 or until consent withdrawn.


Yes

Easytrace/Infinity to provide a student ID card

more information

Data Shared: Full Name, DOB, Year group

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: Deleted within 24 months of leaving date


No

employed.im

more information

Data Shared: Name, email, password. Information data subject supplies.

Sharing Basis: Public interest + official authority of the DC

Access Conditions: Supervised and unsupervised

Teacher Access: Limited access to enable placements

Server/Data Location: IOM

Retention Period: For as long as data subjects wish to use the services


No

Evolve

more information

Data Shared: Name, contact details, trip information and risk assessments

Sharing Basis: Public interest + official authority of the DC

Security Protocols: Advanced firewalls, enterprise-level virus protection on all servers, HTTPS encryption for all communication between our servers and users, regular data backup, username/password/PIN to control access, failed log-in attempt logging, automatic suspicious activity detection and logging

Server/Data Location: UK

Retention Period: Current year + 6 years


No

Examination Boards

Data Shared: Name, DOB, Examination number, Subject information, Examination results, Exam papers and course work CAMBRIDGE http://www.cambridgeinternational.org/privacy-and-legal/ PEARSON https://www.pearson.com/us/privacy-statement.html AQA http://www.aqa.org.uk/about-us/privacy-notice OCR http://www.ocr.org.uk/about/our-policies/website-policies/privacy-policy/ SQA https://www.sqa.org.uk/sqa/36588.html WJEC http://www.wjec.co.uk/home/privacy-policy.html ASDAN https://www.asdan.org.uk/terms-and-conditions

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller.

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: DOB + 25 years (to be confirmed by exam boards)


No

Examination Result Summaries

Data Shared: Name, number of examinations A*-G, or particular achievements

Sharing Basis: Examination results summaries for publication of results and awards

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: Into public domain


Yes

Facebook

more information

Data Shared: Photos, names

Security Protocols: Password protected,  Two-factor authentication.

Server/Data Location: Worldwide including the US

Retention Period: Current year


Yes

Google

Data Shared: No personal information should be stored on Google servers by staff apart from a name, class grouping, email address and information regarding work completed or to be completed

Sharing Basis: Public interest + official authority of the DC

Security Protocols: Google adheres to several self regulatory frameworks, including the EU-US Privacy Shield arrangement.

Access Conditions: No

Teacher Access: Limited to areas set up by staff such as Google Classrooms and shared areas

Server/Data Location: Worldwide including the US

Retention Period: DOB + 21 years or 3 years since the last log on


No

Information relating to student trips

Data Shared: Full name, DOB contact details, nationality. Medical and allergy information relevant to student and trip.

Sharing Basis: To provide trips to students we will need to share information with Ferry Companies, Airlines, Hotels, Tour operators in respect of trips.

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: Dependent upon source of request

Retention Period: As per privacy statement for those providers


Yes

ItsLearning

Data Shared: Name, class, school work

Sharing Basis: Public interest + official authority of the DC

Security Protocols: Username and password

Access Conditions: No

Teacher Access: Yes

Server/Data Location: EEA

Retention Period: End of Use + 12 months


No

Junior Achievement

more information

Data Shared: Name. class, year group

Security Protocols: Hold your information securely to maintain safety of your personal information. Your information whether public or private will never be sold, exchanged, transferred, or given to another company for any reason whatsoever, other than for the purpose of delivering purchased products or vetting of volunteers

Retention Period: Until after event


Yes

Junior Achievement IOM

more information

Data Shared: Forename and Surname

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: Until completion of Junior Achievement programme


Yes

Kahoot

Data Shared: Name, Email address, user name, google analytics identifiers

Security Protocols: Reasonable organizational, technical and administrative measures

Access Conditions: Supervised

Teacher Access: Yes

Server/Data Location: Worldwide

Retention Period: End of use + 12 months


Yes

Motiv8 (Alcohol Advisory Service)

more information

Data Shared: Name, DOB, contact details, attendance data

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: August after reaching 16 or until consent withdrawn.


Yes

MyMaths

more information

Data Shared: Name, email address

Security Protocols: Appropriate and suitable safeguards and technical measures are in place to protect your personal data

Access Conditions: Supervised

Teacher Access: Yes

Server/Data Location: Worldwide

Retention Period: End of use + 12 months


Yes

Parentpay

more information

Data Shared: Names, Contact details.

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: Until account closed by parent.


Yes

Quesmedia Sites

more information

Data Shared: Website activity, website form submissions and user content.

Sharing Basis: To provide public website services for our school

Security Protocols: Sites are served over HTTPS using TLS to provide both secure server–server and server–client communication. Accounts are protected from brute force attacks with rate limiting and automated account locking. Passwords are one-way encrypted using bcrypt before being stored and are required to satisfy strong password rules to ensure high-entropy.

Access Conditions: None

Teacher Access: Limited to data provided within the CMS

Server/Data Location: United Kingdom (EEA)

Retention Period: Please view the more information link for data retention policies.


No

Reference requests

Data Shared: Name, contact details, attainment, effort, exam results, comments as requested

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: Dependent upon source of request

Retention Period: Student record held for DOB +25years. Thereafter no information available to provide a full reference.


Yes

RIDDOR

more information

Data Shared: Name, age,gender, school, address, phone number, injury

Server/Data Location: IOM

Retention Period: DOB +25 years


No

SIMS

Data Shared: Pupil record

Sharing Basis: Public interest + official authority of the DC

Security Protocols: Secure servers hosted within Government data centre. Secure connections from within approved areas of Government. Teachers access via secure VPN from approved device only.

Server/Data Location: EEA

Retention Period: DOB + 25 years


No

SIMS (Student Information Management System)

more information

Data Shared: SIMS (Student Information Management System) Full name, DOB, full contact details of child and parents/carers, gender, medical information, religion, Nationality, ethnicity, transport information, assessment and exam results, behaviour management.

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller.

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: See Retention policy for full details.


No

SIMS Intouch

more information

Data Shared: Name, contact details – mobile phone number

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: Deleted within 24 months of leaving date


No

Social Media : Facebook, Twitter

Data Shared: Forename and photograph of activity or performance

Sharing Basis: Based upon consent by parent or carer from Data Collection Form.

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: Global

Retention Period: As per privacy statement for those applications


Yes

The Children's Centre

more information

Data Shared: Name, contact details & SEN information to participate in activities.

Sharing Basis: Carried out in the public interest /exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: August after information sent.


No

UCM courses – examination results

Data Shared: Name, UPN, Examination results for courses undertaken at UCM

Sharing Basis: Carried out in the public interest / exercise of official authority vested in the controller

Security Protocols: An appropriate level of network and account security are in place

Access Conditions: NA

Teacher Access: NA

Server/Data Location: EEA

Retention Period: DOB + 25 years


No

Youth Justice

more information

Data Shared: Name, address, attendance, timetable.

Sharing Basis: Legal

Security Protocols: An appropriate level of network and account security are in place.

Access Conditions: NA

Teacher Access: NA

Server/Data Location: IOM

Retention Period: As determined by legal proceedings


No

Youtube

more information

Data Shared: Image or voice, Name

Access Conditions: Supervised and unsupervised

Server/Data Location: Worldwide


Yes

For more specific details about retention periods see the Department’s retention schedule

Information obtained or disclosed by third parties will not be used for any other purpose other than supporting the delivery of teaching and learning.

Failure to provide information may impact on support in school, the quality of teaching and learning and in achievement in examinations.

Protecting your information

Castle Rushen High School will:

  • keep your information safe and secure in compliance;
  • only use and disclose your information as detailed above where necessary
  • Retain the information for no longer than is necessary and your information wll be permanently deleted once the timeframes set out below have been reached (there will need to be an authorisation process, to dispose of this in line with our Records Management Policy and retention periods as outlined below (unless there is an over-riding reason to retain this information).

Transfer of Information outside the EEA

Apps and services that are used in school may require data to be stored on servers outside of the EEA. Information sent to these will be limited and are as detailed above.

More Information

You can find out more information including:

  • Looking at the Isle of Man Government Privacy Policy here https://www.gov.im/about-this-site/privacy-notice/ [Accessed 16/1/18]
  • Contacting our Data Protection Officer who is: Andrew Shipley, DPO. Hamilton House, Peel Road. Douglas. IM1 5EZ. Tel 685828. Email DPO-DESC@gov.im
  • Asking to see your information or making a complaint if you feel that your information is not being handled by contacting the Headteacher as Data Controller for Castle Rushen High School
  • Making a subject access request which is a request for all of the personal data we hold about you.
  • Obtaining this information in large print, braille, or in an alternative language.

Your rights

You have a right to access your personal data to ensure that it is accurate, and to request that it is rectified, blocked, erased or destroyed if it is inaccurate.

To make any request relating to your data held by us, please contact the Data Protection Officer for the Department of Education, Sport and Culture who is: Andrew Shipley, DPO. Hamilton House, Peel Road. Douglas. IM1 5EZ. Tel 685828. Email DPO-DESC@gov.im

If you are not satisfied with the response you receive, you may also complain to the Information Commissioner, whose details can be found on www.inforights.im, or the relevant supervisory authority. You may have a right to other remedies.