Sheffield Catholic Schools Partnership
Privacy Notice for Hallam Teaching School
Hallmark: We honour the dignity and sacredness of each person.
This statement should be read in conjunction the following documents
This statement is intended to provide information as to how we will collect, use or process personal data collected through the operation of Hallam Teaching School. For the purposes of clarity this document does not apply to personal data collected through the activities of the Sheffield SCITT or the South Yorkshire Maths Hub. For the avoidance of doubt, this document also applies to personal data collected via the Hallam Teaching School website.
Responsibility for Data Protection
The legal entity for Hallam Teaching School is Notre Dame High School. Notre Dame High School is registered with the Information Commissioner’s Office. The registration number is Z8538235.
The Data Protection Officer (DPO) for the school is John Coats. The DPO can be contacted on email@example.com or 0114 2302536.
All persons engaging with Hallam Teaching School have a responsibility to abide by the law relating to data protection.
Hallam Teaching School’s Role as a Data Controller and a Data Processor
Unless stated below Hallam Teaching School acts as a Data Controller. Where Hallam Teaching School acts as a data processor the schedules at the end of this document detail the nature of our processing and the details of the Data Controller in each instance.
Schedule 1: Processing Data for the STEM International Recruitment Programme.
The Data Protection Act 1998: Why does Hallam Teaching School collect personal data.
We collect and use personal data under the following Articles of the General Data Protection Regulations (GDPR)
6 (1) e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
For the avoidance of doubt, throughout this document we are using and applying the GDPR definition of consent, namely “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative actions, signifies agreement to the processing of personal data relating to him or her.”
We use Hallam Teaching School website visitor data to:
The collection of this information will benefit both national and local users by:
The categories of personal data that Hallam Teaching School collects, holds and shares includes:
Collecting personal data from persons that engage with Hallam Teaching School
All personal data collected by Hallam Teaching School is provided to us on a voluntary basis.
Storing personal data
Hallam Teaching School stores personal data until the later of the two dates below:
Who do we share school visitor information with?
We will share personal data provided to us with individuals or organisations contracted by Hallam Teaching School to organise or deliver any support, training or follow up work resulting from the contact.
Internet cookies are used by our website for the purposes of creating a better user experience (ie remembering any preferences you may choose) and for anonymous statistical tracking. Our web site will still work if cookies are declined by your web browser.
Requesting access to your personal information
Under data protection legislation, visitors to the Hallam Teaching School website have the right to request access to information about them that we hold. This is referred to as a Subject Access Request (SAR). The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the data processing. To make a request for your personal information, contact the Data Protection Officer.
You also have the right to:
To make a SAR, or to exercise any of your rights under data protection regulation, you should contact the Data Protection Officer at Notre Dame High School at firstname.lastname@example.org
On receipt of a request to exercise any of your rights under data protection regulation, the school will:
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you want to see a copy of information about you that we hold, please contact the Data Protection Officer at Notre Dame High School at email@example.com
Schedule 1 Processing, Personal Data and Data Subjects for the STEM International Recruitment Programme
Identity of the Controller and Processor
The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor in accordance with Clause 1.1.
Subject matter of the processing
The processing is needed in order to ensure that the Processor can effectively deliver the contract to provide an acclimatisation service to international STEM teachers sourced from either New Zealand, Australia, USA or Canada in academic year 2018/19.
Duration of the processing
17 April 2018 – 1 July 2019
Nature and purposes of the processing
The nature of the processing means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc.
The purpose might include but is not limited to:
· Employment processing
· Statutory obligation
· Recruitment assessment
· Acclimatisation and further CPD training
· Audit and assurance
· Exit surveys
All personal data processed in connection with this exercise must be in accordance with the GDPR 2018 and the Parties acknowledge that the DfE is the Data Controller and that the Supplier is the Data Processor. The GDPR regulates the processing of information relating to individuals. The Processor must: -
· Process the personal data only on the documented instructions of the Controller;
· Comply with security obligations equivalent to those imposed on the Controller (implementing a level of security for the personal data appropriate to the risk);
· Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
· Only appoint Sub-processors with the Controller’s prior specific or general written authorisation, and impose the same minimum terms imposed on it on the Sub-processor; and the original Processor will remain liable to the Controller for the Sub-processor’s compliance. The Sub-processor must provide sufficient guarantees to implement appropriate technical and organisational measures to demonstrate compliance. In the case of general written authorisation, Processors must inform Controllers of intended changes in their Sub-processor arrangements;
· Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller - and the Processor shall immediately inform the controller if, in its opinion, an instruction infringes GDPR or other EU or member state data protection provisions;
· Assist the Controller in carrying out its obligations with regard to requests by data subjects to exercise their rights under chapter III of the GDPR, noting different rights may apply depending on the specific legal basis for the processing activity (and should be clarified by the Controller up-front);
· Assist the Controller in ensuring compliance with the obligations to implementing a level of security for the personal data appropriate to the risk, taking into account the nature of processing and the information available to the Processor;
· Assist the Controller in ensuring compliance with the obligations to carry out Data Protection Impact Assessments, taking into account the nature of processing and the information available to the Processor; and
Notify the Controller without undue delay after becoming aware of a personal data breach.
Type of Personal Data
· Number of years of teaching experience
· School phase qualified to teach
· Subject(s) qualified to teach
· Country where teaching qualification was awarded
· Confirmation that you are fully qualified to teach the selected subject(s) in your country
· Employer’s details
· Date of birth
· Current country of residence
· Email address
· Telephone number
· National Insurance Number
· DBS and overseas checks
· QTS Award
· Teacher Reference Number (TRN)
Categories of Data Subject
· Staff details
· International candidates (teachers)
· Hiring Schools/Academies
· Users of gov.uk (Overseas qualified teachers registration and STEM international pages)
· Users of school-led network websites.
· Customers/ Clients
Plan for return and destruction of the data
once the processing is complete UNLESS requirement under union or member state law to preserve that type of data
Will only keep personal data for as long as required for the purpose(s) of this contract, after which point it will be securely destroyed unless the Data Subject specifically opts in and positively acknowledges the personal information stored is not passed onto third parties without prior consent. To have in place processes to destroy all personal data if the Data Subject withdraws consent to retaining the aforementioned Data.