Privacy Notice
At Inspiring Futures through Learning (IFtL), our schools and Initial Teacher Training provision, we collect and process information relating to pupils, parents, staff, visitors and our trainees (including CPD delegates) across the IFtL group.
This notice sets out how we collect your information, why we collect it, who we share it with and how we keep it safe.
We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated in September 2025.
Please click on the relevant section to expand the information.
Why do we collect and use pupil information?
We collect and use pupil information to fulfil our statutory obligations in providing education and ensuring pupil welfare. The primary legislation that governs this includes:
- The Education Acts (various years)
- The Education (Pupil Registration) (England) Regulations
- The School Standards and Framework Act 1998
- The School Admissions Regulations 2012
- The Children and Families Act 2014
- The Special Educational Needs and Disability Regulations 2014
These and other applicable laws are subject to amendment, and we will always act in accordance with current legal requirements.
What do we need this data for?
We process pupil information for the following purposes:
- To support teaching and learning
- To monitor and report on pupil progress and attainment
- To provide appropriate pastoral and safeguarding support
- To protect pupil health and welfare
- To administer admissions waiting lists
- To assess and improve the quality of our services
- To comply with legal obligations and statutory data collections (e.g. to the Department for Education (DfE))
- To enable statutory inspections and audits
- To comply with the law regarding data sharing
- To ensure pupil safety (e.g. managing allergies or emergency contacts)
- To support educational research, where appropriate and compliant with data protection laws
What type of data do we collect and use?
The types of data we collect and process include:
- Personal identifiers (e.g. name, unique pupil number, contact details)
- Demographic and background information (e.g. ethnicity, language, country of birth, free school meal eligibility)
- Safeguarding information (e.g. court orders, involvement of external professionals)
- Special Educational Needs (SEN) data
- Medical and health information (e.g. allergies, medication, mental/physical health, dietary needs)
- Attendance data (e.g. absences, sessions attended, previous schools)
- Assessment and attainment data (e.g. test results, progress tracking)
- Behavioural data (e.g. exclusions, interventions, alternative provision)
- Parent/carer contact information
- Photographs (used for identification and educational purposes)
- Biometric data (only in secondary settings and with explicit consent, used for catering or access control)
- CCTV footage (for safeguarding and site security)
- Information about support received (e.g. Education, Health and Care Plans, external support agencies)
How do we collect data and ensure that we are using this information legally?
We collect data:
- Directly from parents/carers during enrolment
- Through secure file transfers (e.g. CTF, ATF)
- From previous schools or educational settings
Our lawful bases under the UK GDPR and Data Protection Act 2018 include:
- Legal obligation – compliance with the law
- Public task – necessary for our function as an educational provider
- Vital interests – to protect pupils where necessary
- Consent – where required (e.g. for use of biometric data)
- Legitimate interests – in limited cases, outside of core education provision. Should legitimate interest apply, this will be made clear when collecting the data.
For special category data (e.g. health or SEN information), we typically rely on:
- Article 9(2)(g) – substantial public interest
- Schedule 1, Paragraph 2 of the Data Protection Act 2018 – functions of a public authority
- Where appropriate, explicit consent
We always ensure that data is collected and processed securely and transparently.
Where we process your data based on consent, you have the right to withdraw this consent at any time. In order to exercise this right, please contact the data protection lead at the school that holds your data.
How long do we keep your data for?
We retain pupil data only for as long as is necessary to fulfil our obligations and in line with our Records Management Policy. Retention periods vary depending on the category of data and are compliant with legal and regulatory requirements. Data is securely disposed of or transferred when no longer required.
A copy of our retention schedule is available from our website, within our records management policy, at https://www.iftl.co.uk/policies/
Who do we share pupil information with?
We may share pupil data where it is lawful and necessary, including with:
- Schools pupils attend after leaving us
- The pupil’s family and representatives
- Local authorities
- The Department for Education (DfE)
- Ofsted
- Examination boards
- Other schools or departments within our Multi-Academy Trust (MAT)
- NHS services (e.g. school nurses, speech and language therapists)
- Commissioned third-party service providers (e.g. ParentPay, catering services)
- School photographers
- Educational software providers
- Our insurers or financial institutions (travel insurance etc)
- Our auditors
- Security organisations
- Professional advisers and consultants, professional bodies
- Police forces, courts, tribunals
- Charities and voluntary organisations
- IT support providers
- Youth support services (ages 13+)
- Secure 3rd-party applications such as:
- Microsoft
- Bromcom
- CPOMS
- Apple School Manager
We ensure all third-party processors comply with UK data protection laws through appropriate contracts and due diligence.
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share pupil information?
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring. Attendance data is also shared with the local authority to support this purpose.
We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
Where data is processed on our behalf by another provider (a data processor), we comply with the UK GDPR by ensuring that they have sufficient measures in place to provide appropriate protection for your data.
We share data with 3rd party apps and educational software providers to support the provision of high quality education.
The Department for Education
The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our pupils with the Department for Education (DfE) either directly or via our local authority for the purpose of those data collections, under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.
All data is transferred securely and held by the Department for Education (DfE) under a combination of software and hardware controls, which meet the current government security policy framework.
For more information, please see ‘How Government uses your data’ section. For privacy information on the data the Department for Education collects and uses, please see: https://www.gov.uk/government/publications/privacy-information-early-years-foundation-stage-to-key-stage-3
and
https://www.gov.uk/government/publications/privacy-information-key-stage-4-and-5-and-adult-education
The pupil data that we lawfully share with the Department for Education (DfE) through data collections:
- underpins school funding, which is calculated based upon the numbers of children and their characteristics in each school.
- informs ‘short term’ education policy monitoring and school accountability and intervention (for example, school GCSE results or Pupil Progress measures).
- supports ‘longer term’ research and monitoring of educational policy (for example how certain subject choices go on to affect education or earnings beyond school)
To find out more about the data collection requirements placed on us by the Department for Education (DfE) (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education (DfE) and contains information about pupils in schools in England. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
The data in the NPD is provided as part of the operation of the education system and is used for research and statistical purposes to improve, and promote, the education and well-being of children in England.
The evidence and data provide DfE, education providers, Parliament and the wider public with a clear picture of how the education and children’s services sectors are working in order to better target, and evaluate, policy interventions to help ensure all children are kept safe from harm and receive the best possible education.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-pupil-database-npd-privacy-notice/national-pupil-database-npd-privacy-notice
Sharing by the Department for Education (DfE)
DfE will only share pupils’ personal data where it is lawful, secure and ethical to do so. Where these conditions are met, the law allows the Department for Education (DfE) to share pupils’ personal data with certain third parties, including:
- schools and local authorities
- researchers
- organisations connected with promoting the education or wellbeing of children in England
- other government departments and agencies
- organisations fighting or identifying crime
For more information about the Department for Education’s (DfE) NPD data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
Organisations fighting or identifying crime may use their legal powers to contact the Department for Education (DfE) to request access to individual level information relevant to detecting that crime.
For information about which organisations the Department for Education (DfE) has provided pupil information, (and for which project) or to access a monthly breakdown of data share volumes with Home Office and the Police please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
Under the terms of the GDPR and Data Protection Act 2018, you are entitled to ask the Department for Education (DfE):
- if they are processing your personal data
- for a description of the data they hold about you
- the reasons they’re holding it and any recipient it may be disclosed to
- for a copy of your personal data and any details of its source
If you want to see the personal data held about you by the Department for Education (DfE), you should make a ‘subject access request’. Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below: https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter or https://www.gov.uk/government/publications/requesting-your-personal-information/requesting-your-personal-information#your-rights
To contact the Department for Education (DfE): https://www.gov.uk/contact-dfe
Data Sharing relating to Secondary Age Pupils
Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- youth support services
- careers advisers
The information shared is limited to the child’s name, address and date of birth. However where a parent or guardian provides their consent, other information relevant to the provision of youth support services will be shared. This right is transferred to the child / pupil once they reach the age 16
We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.
This enables them to provide services as follows:
- post-16 education and training providers
- youth support services
- careers advisers
For more information about services for young people, please visit our local authority website.
Your rights under the UK GDPR
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, please make a request to the relevant school office, or you can contact the Trust’s Data Protection Officer at DPO@iftl.co.uk
Under exemptions within the Data Protection Act 2018, the school may refuse a subject access request in certain circumstances, including:
- You make a request but then offer to withdraw it in return for some other benefit.
- You have made an accusation of wrong doing against a member of staff or the school.
- Your request has been defined as malicious in intent, designed to harass the school for no other reason than to cause disruption.
- The information, if disclosed, would cause possible harm to an individual.
- Your request is deemed to target a particular member of staff.
- The information requested is processed with the understanding it is confidential.
- The information was provided as part of an educational, work or volunteering reference.
- The information requested is defined as management records and disclosing them would prejudice the operations of the school.
- The information requested has been provided to a 3rd party and to fulfil the request would prejudice the case or investigation.
If the school makes the decision to refuse your request, you will be informed within 30 days of receipt of the request as well as your right to complain to the Information Commissioners Office.
You also have the following rights:
- the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
- the right to ask us for copies of your personal information we have about you – this is called ’right of access’, this is also known as a subject access request (SAR), data subject access request or right of access request.
- the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.
- the right to ask us to delete your personal information – this is called ‘right to erasure’
- the right to ask us to stop using your information – this is called ‘right to restriction of processing’.
- the ‘right to object to processing’ of your information, in certain circumstances
- rights in relation to automated decision making and profiling.
- the right to withdraw consent at any time (where relevant).
- the right to complain to the Information Commissioner if you feel we have not used your information in the right way.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:
- right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
- right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
- right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent.
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
For further information on how to request access to personal information held centrally by the Department for Education (DfE), please see the ‘How Government uses your data’ section of this notice.
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk
Why do we collect and use parent information?
We are required by law to provide education. The main pieces of legislation that govern this are:
- The Education Act (various years)
- The Education (Pupil Registration) (England) Regulations
- The School Standards and Framework Act 1998
- The School Admissions Regulations 2012
- Children and Families Act 2014
- The Special Educational Needs and Disability Regulations 2014
While providing education, we are tasked with the welfare of the children within our care. Part of this is ensuring that we have appropriate contact information for the adults with responsibility for those children.
What do we need this data for?
We use parent information to let you know if there is anything that you need to be aware of in relation to your child’s education. We also use your information to contact you about parent evenings or other events held by the school where your child’s education may be discussed with you.
Your contact details are also kept on record in case we need to speak to you in an emergency situation.
What type of data do we collect and use?
Generally, we will collect personal data such as your name, address, telephone numbers and whether you have parental responsibility.
We may also ask whether you are in receipt of certain benefits so that you can apply for pupil premium funding for your child or for free school meals.
How do we ensure that we are using this information legally?
We collect and use parents’ information under the UK GDPR article 6 under the following legal bases;
- We have a legal obligation to do so
- The information is necessary in the performance of our public task
- The processing is necessary to protect the vital interest of the child
- For some categories, we will ask for your consent
- For some categories, outside of our core obligations of providing education, we process data on the basis that we have a legitimate interest to do so. Should legitimate interest apply, this will be made clear when collecting the data.
Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you when we require your consent for the information for which we are asking.
Where we are processing special category data, we generally do so under paragraph 2(d) of the GDPR, where processing is carried out by a not for profit body in the course of its legitimate activities. Under this basis, special category data cannot be disclosed to any external bodies without the consent of the data subject.
In some circumstances, we may process special category data, including sharing with third parties, if processing is necessary for reasons of substantial public interest.
Where we process your data based on consent, you have the right to withdraw this consent at any time. In order to exercise this right, please contact the data protection lead at the school that holds your data.
How long do we keep your data for?
The length of time that we retain information for is set out within our Records Management Policy. Generally speaking, we will retain parental information for the length of time that your child is enrolled at our school unless we are required by law to retain it for longer.
A copy of our retention schedule is available from our website, within our records management policy, at https://www.iftl.co.uk/policies/
Who do we share your information with?
Parent information is rarely shared but, in certain circumstances, we may share your data with;
- Insurers, in relation to insurance claims
- HSE or external organisations where accident reporting or investigation is required
- Local Authority partners, Child Protection Teams and other third parties in event of a safeguarding incident
- The police
- Other agencies that have a legal interest, for example, those associated with housing or benefit fraud
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share your information?
We only share your information without your consent where the law or our policies allow us to do so.
Your rights under GDPR
Under data protection legislation, parents have the right to request access to information about them that we hold. To make a request for your personal information, please contact the relevant school office. You can also contact Jason Smith, IFtL’s Data Protection Officer, via DPO@iftl.co.uk
Under exemptions within the Data Protection Act 2018, the school may refuse a subject access request in certain circumstances, including:
- You make a request but then offer to withdraw it in return for some other benefit.
- You have made an accusation of wrong doing against a member of staff or the school.
- Your request has been defined as malicious in intent, designed to harass the school for no other reason than to cause disruption.
- The information, if disclosed, would cause possible harm to an individual.
- Your request is deemed to target a particular member of staff.
- The information requested is processed with the understanding it is confidential.
- The information was provided as part of an educational, work or volunteering reference.
- The information requested is defined as management records and disclosing them would prejudice the operations of the school.
- The information requested has been provided to a 3rd party and to fulfil the request would prejudice the case or investigation.
If the school makes the decision to refuse your request, you will be informed within 30 days of receipt of the request as well as your right to complain to the Information Commissioners Office
You also have the right:
- to have your personal data rectified, if it is inaccurate or incomplete
- to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
- to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
- not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk
Why do we collect and use staff information?
As an employer, we are required to collect and process certain information relating to the people that work for us.
Some of this is collected in line with our obligations under employment law, some is collected in order to comply with safeguarding legislation and some is provided to allow us to ensure that you are paid and that your pension contributions are collected.
What do we need this data for?
We use school workforce data to:
- enable the development of a comprehensive picture of the workforce and how it is deployed
- facilitate safe recruitment, as part of our safeguarding obligations towards pupils
- inform the development of recruitment and retention policies
- enable individuals to be paid
- administer wellbeing benefits to our employees
- fulfil our obligations with regard to safeguarding of the children in our care
- fulfil our obligations with regard to the wellbeing and welfare of our employees including the need for contacts in case of emergency
What type of data do we collect and use?
We process data relating to those we employ, or otherwise engage, to work at our school. Personal data that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:
- Contact details
- Date of birth, marital status and gender
- Next of kin and emergency contact numbers
- Salary, annual leave, pension and benefits information
- Bank account details, payroll records, National Insurance number and tax status information
- Recruitment information, including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process
- Qualifications and employment records, including work history, job titles, working hours, training records and professional memberships
- Performance information
- Outcomes of any disciplinary and/or grievance procedures
- Absence data
- Copy of driving licence
- Photographs
- CCTV footage
- Data about your use of the school’s information and communications system
- Interview details for all applicants, whether successful or not
We may also collect, store and use information about you that falls into "special categories" of more sensitive personal data. This includes information about (where applicable):
- Race, ethnicity, religious beliefs, sexual orientation and political opinions
- Trade union membership
- Health, including any medical conditions, and sickness records
How do we ensure that we are using this information legally?
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:
- Fulfil a contract we have entered into with you
- Comply with a legal obligation
- Carry out a task in the public interest
Less commonly, we may also use personal information about you where:
- You have given us consent to use it in a certain way
- We need to protect your vital interests (or someone else’s interests)
- We have legitimate interests in processing the data – for example, where:
Subscribing to school-based websites and applications to support you with your job role, such as School Email, occupational health and payroll systems.
Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.
Should legitimate interest apply, this will be made clear when collecting the data.
Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify the school’s use of your data.
How long do we keep your data for?
We keep records in line with the provisions set out in our Records Management Policy and the legal requirements of employment law and the Limitation Act.
A copy of our retention schedule is available from our website, within our records management policy, at https://www.iftl.co.uk/policies/
Who do we share your information with?
We routinely share this information with:
- our local authority
- the Department for Education (DfE)
- Ofsted
- our payroll and HR provider, and other service providers
- pension providers
- The Office for National Statistics (although this data is generally anonymised)
- our employee benefits platform and employee assistance program operators
- our agreed tuition provider (with regard to apprentices)
- our auditors
- Survey and research organisations
- Trade unions and associations
- Health authorities
- Security organisations
- Health and social welfare organisations
- Professional advisers and consultants
- Charities and voluntary organisations
- Police forces, courts, tribunals
- Professional bodies
- Software providers, to facilitate access to systems to support your work
- One-off events/activities (e.g. school trips) – school curriculum activities
- School support services e.g. Head’s support services
References supplies by other parties, or provided by us to other parties, are received/supplied in confidence and are therefore exempt from the scope of a subject access request in accordance with the Data Protection Act 1998.
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share your information?
We do not share information about workforce members with anyone without consent unless the law and our policies allow us to do so.
Local authority
We are required to share information about our workforce members with our local authority (LA) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments. We also have a legal obligation to share certain information, such as safeguarding concerns, with our local authority partners.
Department for Education (DfE)
The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections.
We are required to share information about our school employees with the Department for Education (DfE) under section 5 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 and amendments.
For more information, please see ‘How Government uses your data’ section.
For privacy information on the data the Department for Education (DfE) collects and uses, please see: https://www.gov.uk/government/publications/privacy-information-education-providers-workforce-including-teachers.
Our Payroll and HR Provider
We share information with our payroll and HR provider in order to administer contracts between ourselves and our employees and to enable our employees to be paid.
Pension Providers
We share information with support staff pension service and teachers’ pension service providers in order for them to administer the pension schemes set up for our employees.
ONS
We share statistical data, which is anonymised. Data is not attributable to any specific individuals.
Employee Benefits and EAP
We share data with scheme operators to allow them to administer a benefits platform and an employee assistance program for our employees. Data that is required to administer this is shared and is limited to employee name and email address. Any further information that is provided to the companies directly by our employees becomes the responsibility of the company as they then become the data controller.
Our Agreed Tuition Provider
We share data with our agreed tuition provider on any apprentices that are employed through their apprenticeship scheme in order to provide the information required under the terms of the apprenticeship.
How Government uses your data
The workforce data that we lawfully share with the Department for Education (DfE) through data collections:
- informs the Department for Education (DfE) policy on pay and the monitoring of the effectiveness and diversity of the school workforce
- links to school funding and expenditure
- supports ‘longer term’ research and monitoring of educational policy
To find out more about the data collection requirements placed on us by the Department for Education including the data that we share with them, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The department may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department for Education (DfE) will only share your personal data where it is lawful, secure and ethical to do so and has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether the Department for Education (DfE) releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of public benefit, proportionality, legal underpinning and strict information security standards.
For more information about the Department for Education’s (DfE) data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the Department for Education (DfE) has provided information, (and for which project) please visit the following website: https://www.gov.uk/government/publications/dfe-external-data-shares
How to find out what personal information the Department for Education (DfE) hold about you
Under the terms of UK GDPR, you’re entitled to ask the Department for Education (DfE):
- if they are processing your personal data
- for a description of the data they hold about you
- the reasons they’re holding it and any recipient it may be disclosed to
- for a copy of your personal data and any details of its source
If you want to see the personal data held about you by the Department for Education (DfE), you should make a ‘subject access request’. Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below:
or
To contact the Department for Education (DfE): https://www.gov.uk/contact-dfe
Your rights under the UK GDPR
Under data protection legislation, staff have the right to request access to information about them that we hold. To make a request for your personal information contact the relevant school office. You may also contact Jason Smith, IFtL’s Data Protection Officer, via DPO@iftl.co.uk
You also have the following rights:
- the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
- the right to ask us for copies of personal information we have about you – this is called ’right of access’, this is also known as a subject access request, data subject access request or right of access request.
- the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.
- the right to ask us to delete your personal information – this is called ‘right to erasure’
- the right to ask us to stop using your information – this is called ‘right to restriction of processing’.
- the ‘right to object to processing’ of your information, in certain circumstances
- rights in relation to automated decision making and profiling.
- the right to withdraw consent at any time (where relevant). · the right to complain to the Information Commissioner if you feel we have not used your information in the right way.
There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:
- right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
- right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
- right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent.
Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the relevant school office or dpo@iftl.co.uk
For further information on how to request access to personal information held centrally by the Department for Education (DfE), please see the ‘How Government uses your data’ section of this notice.
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk
Why do we collect and use visitor information?
We collect and use information on visitors to ensure that we run a safe and effective school and to fulfil our legal duty to safeguard the children in our care and the staff in our employ.
What do we need this data for?
We collect and use visitor data;
- To safeguard pupils
- To meet the requirements of Health and Safety Legislation
- To meet the requirements of Fire Safety Legislation
- To ensure that we keep a safe and secure site
- To ensure that events and meetings are appropriately organised
What type of data do we collect and use?
We collect and use;
- Personal information, such as name and photograph
- CCTV images
How do we ensure that we are using this information legally?
We have a legal obligation under safeguarding legislation, to ensure that our site is safe and secure. We also have a legal obligation under fire safety law, to ensure that we can account for the people in our buildings. This includes visitors.
Under article 6 of the UK GDPR, Legal Obligation is a valid reason for collecting and processing personal data.
How long do we keep your data for?
We keep visitor data for 6 years plus the current year, in line with our Records Management Policy.
Visitor data may be stored on;
- Electronic visitor management systems such as Inventry
- Signing in books
- Fire registers
- CCTV systems
- Visitor badges
- Office 365 or Google Cloud based systems
- Room booking software or systems
Who do we share your information with?
Visitor information is rarely shared but, in certain circumstances, we may share your data with;
- The police
- Insurers, in relation to insurance claims
- HSE or external organisations where accident reporting or investigation is required
- Other third parties in event of a safeguarding incident
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share your information?
We only share your information without your consent where the law or our policies allow us to do so.
Your rights under GDPR
Under data protection legislation, visitors have the right to request access to information about them that we hold. To make a request for your personal information contact the relevant school office. You can also contact Jason Smith, IFtL’s Data Protection Officer, via DPO@iftl.co.uk
You also have the following rights:
- the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
- the right to ask us for copies of personal information we have about you – this is called ’right of access’, this is also known as a subject access request, data subject access request or right of access request.
- the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.
- the right to ask us to delete your personal information – this is called ‘right to erasure’
- the right to ask us to stop using your information – this is called ‘right to restriction of processing’.
- the ‘right to object to processing’ of your information, in certain circumstances
- rights in relation to automated decision making and profiling.
- the right to withdraw consent at any time (where relevant). · the right to complain to the Information Commissioner if you feel we have not used your information in the right way.
There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:
- right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
- right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
- right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent.
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk
Why do we collect and use trainee information?
We collect and use data to:
- Deliver and manage our ITT and CPD programmes
- Support professional development and student learning
- Monitor progress and provide feedback
- Offer pastoral support and advice
- Evaluate and improve the quality of our training services
- Fulfil legal and regulatory obligations
- Provide updates about relevant courses and training opportunities
- Recommend appropriate career pathways
What do we need this data for?
We use this data;
- To support student learning
- To monitor and report on student progress
- To provide appropriate pastoral care
- To assess the quality of our services
- To comply with the law regarding data sharing
- To recommend appropriate career pathways
- To provide updates on the availability of courses and learning opportunities
What type of data do we collect and use?
We collect the following categories of personal data:
- Personal identifiers (e.g. name, unique ID, address)
- Demographic details (e.g. ethnicity, language, country of birth)
- Attendance records (e.g. session attendance, absences)
- Medical and SEN (Special Educational Needs) information relevant to your support and safety
- Training progress and performance data, including student portfolios
How do we ensure that we are using this information legally?
Under the UK General Data Protection Regulation (UK GDPR), we process your data using the following lawful bases:
- Contract – Processing is necessary to deliver our ITT or CPD services as agreed with you.
- Legitimate Interests – For managing training operations, programme development, and security.
- Vital Interests – Where necessary to protect your life or health, especially regarding safeguarding or SEN.
- Public Task – Where we are required to report data to public bodies (e.g. DfE, NCTL).
- Consent – Where we process data not covered by the above bases. You have the right to withdraw consent at any time.
How long do we keep your data for?
ITT Trainees: We retain your data for 7 years after course completion.
CPD Participants: We retain your data for 3 years after the course ends.
Who do we share your information with?
We routinely share your data with the following, where necessary:
- Placement schools and partner institutions
- BlueSky (our tracking and evidence system)
- Our local authority partners
- Department for Education (DfE)
- National College for Teaching and Leadership (NCTL)
- Ofsted
- UCAS
- Birmingham City University (for BA Hons trainees)
- IFtL Multi-Academy Trust and affiliated schools
- IFtL Head Office
We do not share your data with other third parties without your consent unless legally required or permitted.
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share your information?
We do not share information about our students with anyone without consent unless the law and our policies allow us to do so.
We share students’ data with the (NCTL) National College of Teaching and Learning on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are legally required to share trainee data with the DfE under Regulation 5 of The Education (Information About Individual Students) (England) Regulations 2013. This ensures appropriate funding, policy development, and educational monitoring.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
The National Pupil Database (NPD)
The NPD is owned and managed by the Department for Education and contains information about students in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.
We are required by law, to provide information about our students to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Students) (England) Regulations 2013.
To find out more about the NPD, go to https://www.gov.uk/government/publications/national-student-database-user-guide-and-supporting-information.
The department may share information about our students from the NPD with third parties who promote the education or well-being of children in England by:
- conducting research or analysis
- producing statistics
- providing information, advice or guidance
The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data
- the purpose for which it is required
- the level and sensitivity of data requested: and
- the arrangements in place to store and handle the data
To be granted access to student information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
For information about which organisations the department has provided student information, (and for which project), please visit the following website: https://www.gov.uk/government/publications/national-student-database-requests-received
To contact DfE: https://www.gov.uk/contact-dfe
Your rights under the UK GDPR
Under data protection legislation, students have the right to request access to information about them that we hold. To make a request for your personal information contact Jason Smith, IFtL’s Head of Operations and Data Protection Officer, via DPO@iftl.co.uk
You also have the right:
- to have your personal data rectified, if it is inaccurate or incomplete
- to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
- to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
- not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk
Trustee and Governance Data
Why, and how, do we collect and use Trustee and Governance information?
Trustees and Governors play a critical role in the effective leadership and accountability of our schools. We collect personal data to enable the Trust to fulfil its legal obligations and support governance functions across our organisation.
We process this data to:
- Fulfil statutory duties and responsibilities
- Maintain a transparent and effective governance structure
- Support strategic leadership and accountability
We collect governance data:
- Directly from you, during recruitment, onboarding, and ongoing service
- From third parties, such as the Disclosure and Barring Service (DBS), referees, or regulatory bodies (where applicable)
Where information is collected voluntarily, we will clearly indicate whether the provision of data is mandatory or optional.
What do we need this data for?
Trustees and Governors play a critical role in the effective leadership and accountability of our schools. We collect personal data to enable the Trust to fulfil its legal obligations and support governance functions across our organisation.
We process this data to:
- Fulfil statutory duties and responsibilities
- Maintain a transparent and effective governance structure
- Support strategic leadership and accountability
What type of data do we collect and use?
We may collect and process the following categories of personal data:
- Personal identifiers: Name, contact details, address
- Demographic information: Ethnicity, language, country of birth
- Attendance data: Record of meetings attended
- Governance details: Role/title, term of office, start and end dates, governor ID, relevant declarations (e.g. pecuniary interests)
How do we ensure that we are using this information legally?
The legal basis for processing personal data of individuals in governance roles is:
- Legal Obligation (UK GDPR Article 6(1)(c)) – We are legally required to collect and process this data under:
- Section 538 of the Education Act 1996
- The Academy Trust Handbook
- Substantial Public Interest (UK GDPR Article 9(2)(g)) – For special category data (e.g. ethnicity), where relevant conditions under Schedule 1, Part 2 of the Data Protection Act 2018 apply.
- Consent – Where data does not fall under the above lawful bases, we will seek explicit consent.
Where we process your data based on consent, you have the right to withdraw this consent at any time. In order to exercise this right, please contact the data protection lead at the school that holds your data.
How long do we keep your data for?
We hold data on Trustees and Governors for varying periods from 3 years to indefinitely. Full details are shown in our Records Management Policy.
A copy of our retention schedule is available from our website, within our records management policy, at https://www.iftl.co.uk/policies/
Who do we share your information with?
We may share your data with:
- Department for Education (DfE) via the Get Information About Schools (GIAS) system
- Government services, such as Edubase
- Local authority partners, where applicable
- Companies House (where governance intersects with registered company requirements)
- The Charity Commission (for charitable governance roles)
- GovernorHub (governance support and communication platform)
We are also required, under the Academy Trust Handbook, to publish certain information on our school or Trust websites, including:
- Names of Trustees and Governors
- Term of office
- Meeting attendance
- Declarations of pecuniary interest
We do not share your data with any third party without your consent unless the law permits or requires it.
The Department for Education (DfE) collects personal data from educational providers and local authorities. We are required to share information about individuals in governance roles with the Department for Education (DfE) under the requirements set out in the academy trust handbook.
All data is entered manually on the GIAS service and held by the Department for Education (DfE) under a combination of software and hardware controls which meet the current government security policy framework.
For more information, please see the ‘How Government uses your data’ section.
How government uses your data
The governance data that we lawfully share with the Department for Education (DfE) via GIAS will:
- increase the transparency of governance arrangements
- enable local authority maintained schools, academies, academy trusts and the Department for Education (DfE) to identify more quickly and accurately individuals who are involved in governance and who govern in more than one context
- allow the Department for Education (DfE) to be able to uniquely identify an individual and in a small number of cases conduct checks to confirm their suitability for this important and influential role
Data collection requirements
To find out more about the requirements placed on us by the Department for Education (DfE) including the data that we share with them, go to https://www.gov.uk/government/news/national-database-of-governors
Some of these personal data items are not publicly available and are encrypted within the GIAS system. Access is restricted to authorised Department for Education (DfE) and education establishment users with a Department for Education (DfE) Sign-in (DSI) account who need to see it in order to fulfil their official duties. The information is for internal purposes only and not shared beyond the Department for Education (DfE) unless the law allows it.
How to find out what personal information the Department for Education (DfE) hold about you
Under the terms of the Data Protection Act 2018, you’re entitled to ask the Department for Education (DfE):
- if they are processing your personal data
- for a description of the data they hold about you
- the reasons they’re holding it and any recipient it may be disclosed to
- for a copy of your personal data and any details of its source
If you want to see the personal data held about you by the Department for Education (DfE), you should make a subject access request (SAR). Further information on how to do this can be found within the Department for Education’s (DfE) personal information charter that is published at the address below:
To contact DfE: https://www.gov.uk/contact-dfe
Data Sharing Without Consent
We may share data without consent where legally required or where permitted under exemptions, such as:
- Prevention/detection of crime or fraud
- Safeguarding concerns
- Legal proceedings or statutory duties
In such cases, we may not inform you of the data sharing if doing so would prejudice an investigation or pose a risk to an individual.
Data Transferred to a Third Country or International Organisation
The majority of data stored, is hosted in UK data centres. The location of data is assessed as part of our due diligence of suppliers and if data is found to be stored outside of the UK, we ensure that one or more of the following applies:
- Adequacy status
- Standard Contractual Clauses as described in the UK GDPR
- Binding Corporate Rules
Why do we share your information?
We do not share information about our Trustees or Governors with anyone without consent unless the law and our policies allow us to do so.
We are required to share information about individuals in governance roles with the Department for Education (DfE) under the requirements set out in the Academy Trust Handbook. This extends to the publication of certain details relating to Trustees and Governors on our Trust and School websites.
All data is entered manually on the GIAS service and held by the Department for Education (DfE) under a combination of software and hardware controls which meet the current government security policy framework.
For more information, please see the ‘How Government uses your data’ section.
Your rights under the UK GDPR
Under data protection legislation, Trustees and Governors have the right to request access to information about them that we hold. To make a request for your personal information contact Jason Smith, IFtL’s Data Protection Officer, via DPO@iftl.co.uk
Your rights include:
- the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
- the right to ask us for copies of personal information we have about you – this is called ’right of access’, this is also known as a subject access request (SAR), data subject access request or right of access request.
- the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.
- the right to ask us to delete your personal information – this is called ‘right to erasure’.
- the right to ask us to stop using your information – this is called ‘right to restriction of processing’.
- the ‘right to object to processing’ of your information, in certain circumstances.
- rights in relation to automated decision making and profiling.
- the right to withdraw consent at any time (where relevant).
- the right to complain to the Information Commissioner if you feel we have not used your information in the right way.
There are legitimate reasons why your information rights request may be refused. For example, some rights will not apply:
- right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
- right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
- right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t have the right to object, but you have the right to withdraw consent.
Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting DPO@iftl.co.uk
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at raise a concern with ICO
For further information on how to request access to personal information held centrally by the Department for Education (DfE), please see the How Government uses your data section of this notice.
How to complain
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance by contacting dpo@iftl.co.uk
You can also complain directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact us
If you would like to discuss anything in this privacy notice, please contact the Data Protection Officer, Jason Smith at dpo@iftl.co.uk