Search for...

Privacy Notice – General Data Protection Regulation – Data Protection Act

How we use Student Information

The UK General Data Protection Regulation (UK GDPR)

We, Holy Trinity School, take the protection of your personal data very seriously and strictly adhere to the rules laid out by data protection laws and the General Data Protection Regulation (GDPR-EU and GDPR-UK).

Data Controller

Holy Trinity Church of England Secondary School complies with the UK GDPR and is registered as a ‘Data Controller’ with the Information Commissioner’s Office (Reg. No. Z7244027). The Data Protection Officer (DPO) for the school is Bulletproof Ltd, an outsourced specialist in Data Protection and DPO service. We ensure that your personal data is processed fairly and lawfully, is accurate, is kept secure and is retained for no longer than is necessary.

The Legal Basis for Processing Personal Data

We process personal data only where at least one lawful basis under Article 6 UK GDPR applies. Depending on the activity, this will be:

  • Public task (Art. 6(1)(e)) – to perform our functions under education law (e.g., delivering teaching and learning, safeguarding, attendance, assessment, and the administration of school-owned devices and learning platforms).
  • Legal obligation (Art. 6(1)(c)) – where we must process data to comply with the law (e.g., statutory returns to the DfE, safeguarding).
  • Legitimate interests (Art. 6(1)(f)) – for limited activities that are not covered by public task but help us run an effective school (we complete a Legitimate Interests Assessment including purpose, necessity, and a balancing test).
  • Contract (Art. 6(1)(b)) – where needed to deliver services you have asked us to provide under an agreement.
  • Consent (Art. 6(1)(a)) – for non-essential activities (e.g., publicity photography) where we rely on your clear, opt-in permission. You can withdraw consent at any time.

If we process special category data, we rely on an additional condition under Article 9 UK GDPR (e.g., substantial public interest for safeguarding). We do not use solely automated decision-making (Article 22) to make decisions about students. Where platforms generate recommendations (profiling), teachers remain responsible for decisions about teaching and assessment.

How we use information

We collect and hold personal information relating to our students and those involved in their care; we may also receive information from previous schools, the local authority(ies) and/or the Department for Education (DfE). We use this personal data to:

  • support our students’ learning and welfare;
  • monitor and report on progress;
  • provide appropriate pastoral care;
  • assess the quality of our services;
  • process any complaints;
  • protect vulnerable individuals and support the prevention and detection of crime;
  • comply with the law regarding data sharing;
  • organise alumni events and provide relevant information to alumni.

This information includes (as relevant): Unique Pupil Number (UPN), name, address, contact details, carers’ details, assessment and exam results, internal assessment results, school reports, behavioural information, attendance and exclusion information, destinations, personal characteristics (e.g., ethnicity), special educational needs or disabilities, and relevant medical information. For sixth-form funding, we collect nationality and place of birth.

Where consent is held, high-grade/progress exam results may be published in local media, on the school website and social media. For post-14 qualifications, the Learning Records Service provides a unique learner number (ULN) and may share learning/qualification details.

Use of School-Managed Devices (iPads) and Homework-Related Data

What we collect
When students use school-managed iPads and approved learning platforms, systems may generate limited device and learning telemetry, for example:

  • device identifier, school user ID, class or group;
  • app/platform name, assignment ID/title;
  • technical timestamps (e.g., when a task/page/nugget was opened/submitted);
  • calculated duration of engagement with a task/lesson/page;
  • submission status and scores where relevant.

We do not record keystrokes, continuously capture screens, audio or video, track location, or access personal content outside approved apps.

When collection occurs
Telemetry can be generated in school and at home while using school-managed devices and approved platforms. It records device/app interactions only. The school does not observe students in their home environment.

Why we collect it

  • to deliver and support teaching and homework set on school platforms;
  • to help teachers check whether tasks were accessed or submitted;
  • to provide contextual indicators (e.g., unusually brief engagement) to prompt supportive conversations;
  • to troubleshoot and secure our systems.

How it is used
Engagement duration is one contextual indicator only. Staff must not use time-data in isolation to judge effort or attainment; the quality of work remains the primary measure.

Lawful basis

  • Public task (Art. 6(1)(e)): administering school devices and platforms to deliver education.
  • Legitimate interests (Art. 6(1)(f)): limited analytics to help improve learning and device performance where strictly necessary and balanced against students’ rights.

Where an activity is non-essential and not covered by these bases, we will seek consent or provide a clear opt-out (see Your choices).

Data minimisation and privacy at home
We collect the minimum telemetry needed to run learning platforms effectively. We do not monitor general personal device use. Teachers are reminded about appropriate use of analytics, particularly for activity outside school hours.

Access and sharing
Access is restricted to relevant staff (e.g., class teachers, subject leads, year/pastoral leads, and a small number of IT administrators) under role-based access controls. We do not share this data beyond our contracted data processors who host the platforms listed in Appendix B, acting on our instructions under data protection terms.

Retention
Homework telemetry is retained no longer than necessary for teaching and review. Our default retention is the current academic year plus up to one further term (maximum 15 months), unless a platform requires a shorter period. Platform-specific retention is listed in Appendix C.

Your choices (transparency and control)

  • You may object to processing based on legitimate interests where you believe your child’s rights override our purposes.
  • For non-essential analytics/features outside school hours, you may request opt-out or an alternative submission route (e.g., paper/photograph upload or a non-telemetry workflow).
  • To exercise these options or ask about platform settings, please contact the DPO (details below). We will explain any learning implications and agree a reasonable adjustment.

Risk assessment and governance
This processing is covered by a Data Protection Impact Assessment (DPIA). The ICO Children’s Code has been considered. The DPIA is reviewed at least annually or when systems change.

Use of Adaptive Learning Platforms (Century)

We use digital learning platforms, including Century, which provide personalised learning recommendations. Century uses Artificial Intelligence (AI) to analyse a student’s activity data (for example, scores, attempts and engagement within “nuggets” and diagnostics) and then recommends content on a personal learning pathway. Recommendations include:

  • nuggets to address areas for improvement;
  • stretch/challenge nuggets; and
  • memory-boost nuggets (previously completed content that resurfaces after a period to support retention).

Teachers remain actively involved. They can direct students to specific nuggets and set work via Assignments (and, where appropriate, the planner), which influences what students see. However, the adaptive pathway itself is generated by Century’s AI and continually updates based on each student’s performance.

From a data-protection perspective, this is profiling (UK GDPR Art. 4(4)) because student activity is analysed to make learning recommendations. It is not solely automated decision-making under Article 22: teachers review and oversee learning and remain responsible for pedagogical decisions and assessment.

Collecting student information

Whilst most of the student information you provide to us is mandatory, some is provided on a voluntary basis. We will inform you whether you are required to provide certain information or if you have a choice.

Who we share data with

We may pass data to:

  • third-party organisations, as allowed by law;
  • agencies that provide services on our behalf;
  • agencies with whom we have a duty to co-operate;
  • ongoing schools.

We do not share information about our students with anyone without consent unless the law and our policies allow us to do so. See Appendix A for further information. For systems where data is held by an external supplier, see Appendix B.

Retention Periods

Personal data will be retained in accordance with the Information and Records Management Society (IRMS) Toolkit for Schools. Electronic and paper student records (excluding contact information) are held until age 25 in accordance with the Limitation Act 1980 (Section 2) (or age 30 if statemented/with an EHCP). After this time we maintain a school roll (name, date of birth, dates attended) for reference checks. Alumni contact numbers/emails supplied to us are deleted after one year.

Transfers outside of the EEA/UK

Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place (e.g., EU Standard Contractual Clauses + UK Addendum, International Data Transfer Agreement, or an Article 49 exception where applicable). For details, contact us using the details in this notice.

Photographs

As part of our recording of events, celebrations and achievements, we may take photographs of activities that involve students for displays, publications and website(s) by the school, the Local Authority (LA), local newspapers and approved partners. Photography/filming will only take place with the permission of the Headteacher and under appropriate supervision. Images that might cause embarrassment or distress will not be used. Parental preferences are collected at admission. All students have a photograph stored internally for safeguarding and for their student ID card.

CCTV

The school operates CCTV on site where necessary to protect students’ safety and/or the school’s property.

Remote Learning

Our Remote Learning Guide (on the school website) explains delivery via approved platforms (e.g., Microsoft Teams) and safe-participation expectations. Sessions must not be recorded by students or parents. Any processing of participation data follows the principles in Use of School-Managed Devices above.

Biometrics

The school operates biometric recognition systems for purchasing food in the refectory. Data is processed in accordance with UK GDPR and the Protection of Freedoms Act 2012. Written consent of at least one parent is obtained before biometric data is used; if one parent objects in writing, biometric data will not be used. See: https://www.gov.uk/government/publications/protection-of-biometric-information-of-children-in-schools

Rights

You have the right to:

  1. be informed (this notice);
  2. access your information (Subject Access Request);
  3. rectification (have inaccuracies corrected);
  4. erasure;
  5. restriction of processing;
  6. data portability (unlikely to be relevant to schools);
  7. object;
  8. safeguards relating to automated decision-making and profiling (we do not make solely automated decisions);
  9. withdraw consent (where consent is the lawful basis);
  10. complain to the Information Commissioner’s Office (ICO).

To exercise these rights please email office@holytrinitycrawley.org.uk and mark for the attention of the Data Protection Officer.

Withdrawal of Consent

Where we process personal data solely on the basis of consent, you have the right to withdraw that consent by writing to the school office.

Complaints to ICO

If you are unhappy with the way your request has been handled, you may request a review by contacting the DPO. You can also complain to the ICO:

By Post:
The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113

Please use the links below to read the Appendixes

APPENDIX A – Who we share data with & why

APPENDIX B – Systems used by the School where data is not held in School

APPENDIX C – Learning Platforms: Data items & retention (Summary)