Education privacy notice
This notice explains what personal data (information) we hold about you, how we collect, how we use and may share information about you. We are required to give you this information under data protection law and this notice should be read in conjunction with the corporate privacy notice.
Who we are
London Borough Bromley Council (LBB) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
The education team within children’s services provide advice and guidance to families whose children are enrolled within the school system and the Elective Home Education (EHE) team provide advice and guidance to families that are home educating their children, to ensure an appropriate standard of education is provided, and to support reintegration into school where this is requested by parents.
Personal information we collect and use
Information collected by us
In the course of supporting and monitoring elective home education as well as providing an Education Programme to those in the school system, we collect the following personal information when you provide it to us:
- personal details (such as name, gender, age, date of birth, address, contact details, language, nationality, country of birth).
- special category characteristics (such as ethnicity and special educational needs).
- educational history (such as schools previously attended and attendance, attainment and exclusion information).
- other professional involvement (such as attendance and Inclusion, Early Help, Social Care, SEN) NHS, other local authorities, and other LBB departments.
- EHE History (communication with families, visit reports and evidence of suitable education).
How we use your personal information for those providing Elective Home Education
We use your personal information to:
- maintain a record of children in the borough who are known to be home educated.
- provide advice and guidance to home educating families.
- inform families about how to access to services and facilities from other agencies that would generally be delivered via school.
- advise and support families who request support with returning children to school or identifying a school place.
- make arrangements to establish the identities of children who are not registered at a school and are not receiving a suitable education otherwise.
- analyse service provision and effectiveness and model patterns of service involvement to support future service delivery planning.
How we use your personal information for those attending School
We use your personal information to:
- maintain a record of children in the borough who are being offered a programme of tuition by the education programme.
- provide academic reports based on work completed whilst on the education programme.
- inform families about how to access to services and facilities from other agencies that would generally be delivered via school.
- advise and support families who request support with returning children to school or identifying a school place.
How long your personal data will be kept
We will hold your personal information securely and retain it from the child/young person’s date of birth until they reach the age of 25, after which the information is archived or securely destroyed.
Microsoft Teams recorded tuition sessions will be maintained until the child/ young person leaves the education programme, or the allocated member of staff is no longer employed by KCC. They will then be permanently deleted from the Microsoft system.
Reasons we can collect and use your personal information for those providing elective home education
We collect and use your personal information to carry out tasks as an official authority, specifically;
GDPR Article 6 (e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
GDPR Article 9 (g) - processing is necessary for reasons of substantial public interest … and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
On that basis it is specifically necessary for ‘the exercise of a function conferred on the authority by an enactment or rule of law’ and underpinned by one of, or a combination of, sections 436A and 437 of the Education Act 1996, section 175 of the Education Act 2002, section 47 of the Children Act 1989, and section 22 of the Children and Families Act 2014.
The law places a statutory duty (under s.436A of the Education Act 1996) upon the council to satisfy itself that a child’s right to a suitable education, as defined by the Education Act and others, is protected. The council is charged with a duty to ensure that the education provision will enable the child to develop the skills required to participate fully in contemporary society, as well as ensuring that general safeguarding requirements are met.
Reasons we can collect and use your personal information for those attending school
We collect and use your personal information to carry out tasks in the public interest. If we need to collect special category (sensitive) personal information, we rely upon reasons of substantial public interest (equality of opportunity or treatment) or for scientific or historical research purposes or statistical purposes.
Who we share your personal information with
We share your personal information with:
- teams within LBB, working to improve outcomes for children and young people.
- commissioned providers of local authority services (such as education services).
- schools.
- schools and In-Year Fair Access (IYFA) panels, when a school a place is required at the request of the parent or when a suitable education is not being provided and a school needs to be identified for the purpose of a School Attendance Order.
- post-16 education and training providers.
- partner organisations signed up to the Bromley Information Sharing Agreement, where necessary, which may include NHS, health visitors, midwives, police, doctors and mental health workers.
- Oxleas NHS Foundation who are responsible for the Child Health Information Service that facilitates the screening and immunisation programmes for the health and wellbeing of your child (if you do not wish your child to take part in these programmes, this will not affect your child being entitled to access any additional services offered such as Adolescent Health and Targeted Emotional Wellbeing Services).
- Children’s Executive Board (the borough’s Children’s Trust Board) who is a partnership of the following organisations in Bromley:
Bromley Healthcare
- Bromley Parent Voice
- Bromley Safeguarding Children Board
- London Borough of Bromley
- London South East Colleges
- Metropolitan Police Service (Bromley)
- NHS Bromley Clinical Commissioning Group
- Oxleas NHS Foundation Trust
- Primary and Special Schools Head Teachers’ Forum
- Secondary Schools Head Teachers’ Forum
- Ofsted
The Children’s Executive Board brings the organisations together so that they ‘co-operate’ at a strategic level to improve outcomes for children and young people.
- Department of Education, and other government departments, as required
- the gov.uk Notify Service, which sends out postal correspondence and text messages on our behalf (information is encrypted and only held for 7 days).
We will share personal information with law enforcement or other authorities if required by applicable law.
The Children and Young People (CYP) Integrated Data Set
The CYP Data Set is owned and managed by London Borough of Bromley Council (LBB) and contains personal data and special category information about children attending schools within the borough and matches additional personal data from multiple data sources within LBB to the pupils.
The aim of the dataset is to allow statistical analysis and research to;
- support and inform council transformation by ensuring the holistic characteristics and needs of the child population are fully understood.
- provide appropriate levels of insight, evidence and evaluation in order to embed knowledge and understanding of children and young people’s needs and issues into service programmes and projects, including the commissioning of new services.
- inform future service delivery planning and integrated working in order to improve outcomes for children and young people.
We have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. The child-level data set is not shared outside of LBB. All personal data is stored in secured electronic files with restricted access. Only pseudonymised data is used for analysis. Outputs and analysis take the form of aggregated data and are for the purpose of LBB teams and partners working to improve outcomes for children and young people.
Your rights
Under GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it.
- ask to see what information we hold about you (Subject Access Request).
- ask us to correct any inaccuracies in the information we hold about you.
- object to direct marketing.
- make a complaint to the Information Commissioners Office.
- withdraw consent at any time (if applicable).
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you (this right does not apply where processing is necessary within our legal obligations or where our performance tasks are required in the public interest or in the exercise of official authority vested in it.)
- have your information transferred electronically to yourself or to another organisation.
- object to decisions being made that significantly affect you.
- object to how we are using your information.
- stop us using your information in certain ways.
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under GDPR.
If you would like to exercise a right, please contact the Data Protection Officer at Data.Protection@bromley.gov.uk.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Contact
You can contact our Data Protection Officer, at Data.Protection@bromley.gov.uk, or write to: Data Protection Officer, Chief Executive’s Department, Civic Centre, Stockwell Close, Bromley BR1 3UH to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
GDPR also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted on 0303 123 1113 or via their complaints process.