Student Privacy Notice

Introduction

You have a legal right to be informed about how our school uses any personal information that we hold about you. To comply with this, we provide a ‘privacy notice’ to you where we are processing your personal data.

This notice explains how we collect, store and use personal data about students at our school, like you.

We, Weobley Schools’, are the ‘data controller’ for the purposes of UK data protection law.

Our data protection officer is Mrs J Shock

The personal data we hold

We hold some personal information about you to make sure we can help you learn and look after you at school.

For the same reasons, we get information about you from some other places too – like other schools, the local council and the government.

Personal information that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:

Your contact details
Your test results
Your attendance records
Details of any behaviour issues or exclusions
Information about how you use school computers and other IT and communications systems

We may also collect, use, store and share (when appropriate) information about you that falls into “special categories” of more sensitive personal data. This includes, but is not restricted to:

Information about your characteristics, like your ethnic background or any special educational needs
Information about any medical conditions you have
Photographs and CCTV images

Why we use this data

We use the data listed above to:

a. Get in touch with you and your parents when we need to

b. Check how you’re doing in exams and work out whether you or your teachers need any extra help

c. Track how well the school as a whole is performing

d. Look after your wellbeing and keep you safe

e. Make sure our computers and other school systems and equipment are used appropriately, legally and safely

f. Answer your questions and complaints

h. Publish statistics, for example, about the number of pupils or learners in schools

i. Meet legal requirements placed upon us

We will only use your personal information for the purposes for which we have collected it, unless we reasonably consider that we need to use it for any other reason and that reason is incompatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

Please note that we may process your personal information without your knowledge or consent in compliance with the above rules where this is required or permitted by law.

Use of your personal data for marketing purposes

Where you have given us consent to do so, we may send you messages by email promoting school events, campaigns, charitable causes or services that you might be interested in.

You can take back this consent or ‘opt out’ of receiving these emails and/or texts at any time by selecting the ‘Unsubscribe’ link at the bottom of any such communication, or by contacting us (see ‘Contact us’ below).

Use of your personal data in automated decision making and profiling

We don’t currently put your personal information through any automated decision making or profiling process. This means we don’t make decisions about you using only computers without any human involvement.

If this changes in the future, we will update this notice in order to explain the processing to you, including your right to object to it.

Use of your personal data for filtering and monitoring purposes

While you’re in school, we may monitor what material you access on our computers and other IT and communication systems. We do this so that we can:

Comply with health and safety law and other laws
Comply with our policies
Keep our network(s) and devices safe from people who aren’t allowed to access them, and prevent harmful software from damaging our network(s)
Protect your welfare

Our lawful basis for using this data

We will only collect and use your information when the law allows us to. We need to establish a ‘lawful basis’ to do this.Our lawful bases for processing your personal information for the reasons listed in section 3 above are:

For the purposes of 3a,3v, 3c, 3d in accordance with the ‘public task’ basis – we need to process data to fulfil our official duties as a school as set out here:
For the purposes of 3c in accordance with the ‘legal obligation’ basis – we need to process data to meet our responsibilities under law as set out here:
For the purposes of 3a, 3d in accordance with the ‘consent’ basis – we will obtain consent from you to use your personal data
For the purposes of 3a in accordance with the ‘vital interests’ basis – we will use this personal data in a life-or-death situation
For the purposes of 3a, 3c, 3d, in accordance with the ‘contract’ basis – we need to process personal data to fulfil a contract with you or to help you enter into a contract with us
For the purposes of 3b, 3c, in accordance with the ‘legitimate interests’ basis – where there’s a minimal privacy impact and we have a compelling reason, including:

Where you’ve provided us with consent to use your information, you may take back this consent at any time. We’ll make this clear when requesting your consent, and explain how you’d go about withdrawing consent if you want to.

Our basis for using special category data

For ‘special category’ data (more sensitive personal information), we only collect and use it when we have both a lawful basis, as set out above, and one of the following conditions for processing as set out in UK data protection law:

We have obtained your explicit consent to use your information in a certain way
We need to use your information under employment, social security or social protection law
We need to protect an individual’s vital interests (i.e. protect your life or someone else’s life), in situations where you’re physically or legally incapable of giving consent
The information has already been made obviously public by you
We need to use it to make or defend against legal claims
We need to use it for reasons of substantial public interest as defined in legislation
We need to use it for health or social care purposes, and it’s used by, or under the direction of, a professional obliged to confidentiality under law
We need to use it for public health reasons, and it’s used by, or under the direction of, a professional obliged to confidentiality under law
We need to use it for archiving purposes, scientific or historical research purposes, or for statistical purposes, and the use is in the public interest

For criminal offence data, we will only collect and use it when we have both a lawful basis, as set out above, and a condition for processing as set out in UK data protection law. Conditions include:

We have obtained your consent to use it in a specific way
We need to protect an individual’s vital interests (i.e. protect your life or someone else’s life), in situations where you’re physically or legally incapable of giving consent
The data concerned has already been made obviously public by you
We need to use it as part of legal proceedings, to obtain legal advice, or to make or defend against legal claims
We need to use it for reasons of substantial public interest as defined in legislation

Collecting this data

While most of the information we collect about you is mandatory, there is some information that can be provided voluntarily.

Whenever we want to collect information from you, we make it clear if you have to give us this information (and if so, what the possible consequences are of not doing that), or if you have a choice.

Most of the data we hold about you will come from you, but we may also hold data about you from:

Local councils
Government departments or agencies
Police forces, courts, tribunals
Other schools or trusts
Department for Education (DfE)

How we store this data

We keep personal information about you while you’re attending our school. We may also keep it beyond your attendance at our school if this is necessary. Our record retention schedule sets out how long we keep information about students.

We have security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We’ll dispose of your personal data securely when we no longer need it.

Who we share data with

We don’t share information about you with any third party without your consent unless the law and our policies allow us to do so.

Where it’s legally required, or necessary (and it complies with UK data protection law), we may share personal information about you with:

Our local authority, Herefordshire Council – to meet our legal obligations to share certain information with it, such as safeguarding concerns and information about exclusions
Schools that you may attend after leaving us
Government departments or agencies
Our youth support services provider
Our regulator, Ofsted
Suppliers and service providers:
Financial organisations
Department for Education
Our auditors
Survey and research organisations
Health authorities
Security organisations
Health and social welfare organisations
Professional advisers and consultants
Charities and voluntary organisations
Police forces, courts, tribunals

Sharing data with the Department for Education (DfE)

We have to share information about you with the Department for Education (a government department) either directly or via our local authority, via various statutory data collections.

The data shared will be in line with the following legislation:

Section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013 [For use by mainstream schools only]

The data is transferred securely and held by the Department for Education under a combination of software and hardware controls that meet the current government security policy framework.

The data we share about you with the Department for Education is used for a number of different purposes, including to:

Help decide the amount of money that our school receives
Monitor how well the education system is working and how well our school is doing in terms of educating our pupils
Support research

The information shared with the Department for Education about you could include:

Your name and address
Your unique pupil number
Pupil matching reference numbers
Details of your gender or ethnicity
Details of any special educational needs (SEN)
Details of schools attended
Absence and exclusion information
Information relating to exam results
Information relating to any contact with children’s services
What you have done since finishing school

Please note: this list is not exhaustive.

Once pupils in our school reach the age of 13, we are legally required to pass on certain information to the local authority or youth services provider, which has responsibilities regarding the education or training of 13 to19 year olds under section 507B of the Education Act 1996. Parents/carers, or pupils if aged 16 or over, can request that only their name, address and date of birth be passed to these agencies by informing the data protection officer (DPO).

National Student Database (NPD)

We have to provide information about you to the Department for Education (a government department) as part of data collections such as the school census.

Some of this information is then stored in the National Student Database, which is managed by the Department for Education and provides evidence on how schools are performing. This, in turn, supports research.

The database is held electronically so it can easily be turned into statistics. The information it holds is collected securely from schools, local authorities, exam boards and others.

The Department for Education may share information from the database with other organisations, such as organisations that promote children’s education or wellbeing in England. These organisations must agree to strict terms and conditions about how they will use your data.

You can find more information about this on the Department for Education’s webpage on how it collects and shares research data.

You can also contact the Department for Education if you have any questions about the database.

Your rights

How to access personal information that we hold about you

You have a right to make a ‘subject access request’ to gain access to personal information that we hold about you.

If you make a subject access request, and if we do hold information about you, we will (unless there’s a really good reason why we shouldn’t):

Give you a description of it
Tell you why we are holding and using it, and how long we will keep it for
Explain where we got it from, if not from you
Tell you who it has been, or will be, shared with
Let you know whether any automated decision-making is being applied to the data (decisions made by a computer or machine, rather than by a person), and any consequences of this
Give you a copy of the information in an understandable form

You may also have the right for your personal information to be shared with another organisation in certain circumstances.

If you would like to make a request, please contact us (see ‘Contact us’ below).

Your other rights regarding your data

Under UK data protection law, you have certain rights regarding how your personal information is used and kept safe. For example, you have the right to:

Say that you don’t want your personal information to be used
Stop it being used to send you marketing materials
Say that you don’t want it to be used for automated decisions (decisions made by a computer or machine, rather than by a person)
In some cases, have it corrected if it’s inaccurate
In some cases, have it deleted or destroyed, or restrict its use
Withdraw your consent, where you previously provided consent for your personal information to be collected, processed and transferred for a particular reason
In some cases, be notified of a data breach
Make a complaint to the Information Commissioner’s Office
Claim compensation if the data protection rules are broken and this harms you in some way

We may refuse your information rights request for legitimate reasons, which depend on why we’re processing it. Some rights may not apply in these circumstances:

Your right to have all personal data deleted or destroyed doesn’t apply when the lawful basis for processing is legal obligation or public task

Your right to receive a copy of your personal data, or have your personal data transmitted to another controller, does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests
Right to object to the use of your private data doesn’t apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t have the right to object, but you have the right to withdraw consent

See information on types of lawful basis in section 4 of this privacy notice.

To exercise any of these rights, please contact us (see ‘Contact us’ below).

Complaints

We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concerns about our data processing, please let us know first.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

Report a concern online at https://ico.org.uk/make-a-complaint/

Call 0303 123 1113

Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact the data protection officer:

Mrs J Shock – email admin@weobleyhigh.hereford.sch.uk

Approved and reviewed

Revised: December 2025

By: Jo Shock

To be approved by Governors: December 2025

To be revised: December 2026

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.