GDPR & Data Protection

Rutland Adult Learning and Skills (RALSS) collect and use personal information about staff, learners and other individuals who come into contact with the service. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the service complies with its statutory obligations. Colleges and services have a duty to be registered, as Data Controllers, with the Information Commissioner’s Office (ICO) detailing the information held and its use. These details are then available on the ICO’s website.

Colleges and services also have a duty to issue a Fair Processing Notice (Privacy Statement) to all learners, this summarises the information held on learners, why it is held and the other parties to whom it may be passed on.


This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998, and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. It also takes into account the provisions of the General Data Protection Regulation, which is new legislation due to come into force in May 2018. This policy complies with our funding agreement and articles of association.

All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.

What is Personal Information?

Personal information or data is defined as data which relates to a living individual who can be identified from that data, or other information held.

Data Protection Principles

The Data Protection Act 1998 establishes eight enforceable principles that must be adhered to at all times:

1. Personal data shall be processed fairly and lawfully;
2. Personal data shall be obtained only for one or more specified and lawful purposes;
3. Personal data shall be adequate, relevant and not excessive;
4. Personal data shall be accurate and where necessary, kept up to date;
5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes;
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998;
7. Personal data shall be kept secure i.e. protected by an appropriate degree of security;
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

General Statement

The service is committed to maintaining the above principles at all times. Therefore the service will:

  • Inform individuals why the information is being collected when it is collected
  • Check the quality and the accuracy of the information it holds
  • Ensure that information is not retained for longer than is necessary
  • Ensure that when obsolete information is destroyed that it is done so appropriately and securely
  • Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded
  • Share information with others only when it is legally appropriate to do so
  • Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests
  • Ensure our staff are aware of and understand our policies and procedures


Complaints will be dealt with in accordance with the services complaints policy. Complaints relating to information handling may be referred to the Information Commissioner (the statutory regulator).


This policy will be reviewed as it is deemed appropriate, but no less frequently than every two years.

The policy review will be undertaken by the Service Manager, or nominated representative.


If you have any enquires in relation to this policy, please contact the Service Manager who will also act as the contact point for any subject access requests.

Further advice and information is available from the Information Commissioner’s Office, or telephone 0303 123 1113

Date Reason for Review Next Scheduled Review
Aug 16 Scheduled Review Aug 18
Mar 18 Replacement to meet GDPR and scheduled review Sept 19

Appendix 1


Procedures for responding to subject access requests made under the Data Protection Act 1998

Rights of access to information

There are two distinct rights of access to information held by the service about learners.

  1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them.

These procedures relate to subject access requests made under the Data Protection Act 1998.

Actioning a subject access request

  1. Requests for information must be made in writing; which includes email, and be addressed to the Service Manager. If the initial request does not clearly identify the information required, then further enquiries will be made.
  2. The identity of the requestor must be established before the disclosure of any information, and checks should also be carried out regarding proof of identity. Evidence of identity can be established by requesting production of:
    • passport
    • driving licence
    • utility bills with the current address
    • birth/ marriage certificate
    • P45/P60
    • credit card or mortgage statementThis list is not exhaustive
  3. Any individual has the right of access to information held about them. The service will decide on a case-by-case basis whether to grant such requests, bearing in mind guidance issued from time to time from the Information Commissioner’s Office.
  4. The service may make a charge for the provision of information, dependent upon the following:
    • Should the information requested contain the educational record then the amount charged will be dependent upon the number of pages provided.
    • Should the information requested be personal information that does not include any information contained within educational records schools can charge up to £10 to provide it.
    • If the information requested is only the educational record viewing will be free, but a charge not exceeding the cost of copying the information can be made by the Service Manager.
  5. The response time for subject access requests for all or part of the learners educational record, once officially received, is 15 working days. If the subject access request does not relate to the educational record, we will respond within 40 days calendar days. However the 40 days will not commence until after receipt of fees or clarification of information sought.
  6. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure.
  7. Third party information is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale.
  8. Any information which may cause serious harm to the physical or mental health or emotional condition of the learner or another should not be disclosed, nor should information that would reveal that the learner is at risk of abuse, or information relating to court proceedings.
  9. If there are concerns over the disclosure of information then additional advice should be sought.
  10. Where redaction (information blacked out/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why.
  11. Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.
  12. Information can be provided at the service with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used then registered/recorded mail must be used.


Complaints about the above procedures should be made to the Chair of RALSS Performance Board who will decide whether it is appropriate for the complaint to be dealt with in accordance with the service’s complaint procedure.

Complaints which are not appropriate to be dealt with through the service’s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.


If you have any queries or concerns regarding these policies /procedures then please contact the Service Manager.

Further advice and information can be obtained from the Information Commissioner’s Office, or telephone 0303 123 1113.

Appendix 2


Privacy Notice (How we use learner information)

Why do we collect and use learner information?

We collect and use learner information to comply with DfE and Examining body rules and regulations as well as a range of funding partners in line with the Education Act 1996.

We use the learner data:

  • To meet funding requirements
  • to support learning
  • to monitor and report on learner progress
  • to provide appropriate pastoral care
  • to assess the quality of our services
  • to comply with the law regarding data sharing

The categories of learner information that we collect, hold and share include:

  • Personal information (such as name, national insurance number, unique learner number and address)
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
  • Attendance information (such as sessions attended, number of absence, absence reasons)
  • Assessment information
  • Special educational needs information
  • Destinations

Collecting learner information

Whilst the majority of learner information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.

Storing learner data

We hold pupil data for the length of time designated by funding bodies for audit purposes.

Who do we share learner information with?

We routinely share learner information with:

  • our local authority
  • the Department for Education (DfE)
  • Funding Bodies
  • MIS systems
  • Examination Bodies

We also provide learner level personal data to third party organisations which supply services to us for which the provision of the data is essential for the service to be provided. Decisions on whether to release this data are subject to a robust approval process, including the arrangements in place to store and handle the data. We currently provide learner level data for the following purposes:

  • Systems integral to the delivery of core business services, MIS systems
  • Systems integral to the operation of IT Services systems
  • Curriculum products

Service staff and invited representatives of the press do take photographs of students, in school or on school trips, for internal purposes. We may use these photographs for publication, for school publicity, but we will not name the learners without their consent.

Why we share learner information

We do not share information about our learners with anyone without consent unless the law and our policies allow us to do so.

We share learner data with the Department for Education (DfES) on a statutory basis. This data sharing underpins service funding and educational attainment policy and monitoring.

We are required to share information about our learners with the (DfES) under regulation 5 of The Education (Information about Individual Learners) (England) Regulations 2013.

The Learner Records Service Database (NPD)

The LRS is owned and managed by the Department for Education and contains information about learners in colleges and services in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our learners to the DfES as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the LRS.

The department may share information about our learners from the LRS with third parties who promote education in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested: and the arrangements in place to store and handle the data

To be granted access to learner information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

To contact DfES:

Requesting access to your personal data

Under data protection legislation, learners have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your educational record, contact the service manager.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at


If you would like to discuss anything in this privacy notice, please contact:

  • Robert Shore Service Manager for RALSS on

Appendix 3


The Data Protection Act 1998: How we use your information

We process personal data relating to those we employ to work at, or otherwise engage to work at our service. This is for employment purposes to assist in the running of the service and/or to enable individuals to be paid. The collection of this information will benefit both national and local users by:

  • improving the management of workforce data across the sector
  • enabling development of a comprehensive picture of the workforce and how it is deployed
  • informing the development of recruitment and retention policies
  • allowing better financial modelling and planning
  • enabling ethnicity and disability monitoring;

This personal data includes identifiers such as names and National Insurance numbers and characteristics such as ethnic group, employment contracts and remuneration details, qualifications and absence information.

We also provide personal data to third party organisations which supply services to us for which the provision of the data is essential for the service to be provided. Decisions on whether to release this data are subject to a robust approval process, including the arrangements in place to store and handle the data. We currently provide learner level data for the following purposes:

  • Systems integral to the delivery of core business services,
  • Systems integral to the operation of IT Services systems

We will not share information about you with third parties without your consent unless the law allows us to. We are required, by law, to pass on some of this personal data to:

  • our local authority
  • the Department for Education (DfES)

If you want to see a copy of information about you that we hold, please contact:

  • Robert Shore , Service Manager RALSS ,

Appendix 4

Rutland County Council Data Sharing Agreement


1.1 This Data Sharing Agreement between the service and Rutland County Council is in relation to the sharing of data relating to individual learners and data transfers that enable the LA to fulfil its statutory duties. Paramount amongst these duties is the need to meet the Council’s safeguarding requirements, and to enhance the ability of partner organisations to support the learning and welfare of learners through the exchange of data and the use of information. This exchange of information will also enable the Council to fulfil its statutory duties.

1.2 In addition this agreement provides the consent that the Department of Education (DfE) requires in order for them to share service data.

2. Benefits of the agreement:

This agreement will:

  • Enable the LA to carry out and conduct its core services for all learners
  • Reduce administrative burden on the service – data will only be input once but used many times for the benefit of improving outcomes for learners
  • Ensuring appropriate access to information to provide better services to learners
  • Provide complete county wide key stage outcome data for comparison purposes
  • Maintain demographically relevant benchmarking information

3. Specific Requirements

This agreement covers the following:

3.1 B2B (business to business) Data Transfer.

This is the secure transfer of learner level information, including attendance and exclusion marks from the services management information system to the LA’s system.

The service agrees to:

  • Continue to transfer scheduled updates of learner level personal data (including exclusions and attendance marks) via B2B

4. Handling protocol

The LA will commit to use the data only for purposes commensurate with its statutory duties and will not pass on any individual’s data to a third party without obtaining specific agreement from the Academy. All handling of data will be carried out under the guiding principles of the Data Protection Act.

5. Consent

The service and the LA agree that they will make reasonable efforts to notify learners of their intentions to the sharing of information.

  • The service publishes its Privacy Notices to Learners making them aware of such data collections.

6. Review.

This agreement will be reviewed annually by the service and reissued each September at the start of the academic year to reflect any changes in legislation or practice