Why do we collect and use this information?
Hampshire County Council is the organisation responsible for processing your information (the Data Controller). Our Participation & Lifelong Learning Outdoor Education, PE and Duke of Edinburgh (DofE) Service collects and uses information from your school/academy in order to provide advice, guidance, regulation and training on all aspects of good practice and safety management when off-site and engaged in educational visits and outdoor learning.
We collect information about your pupils and your school/academy. We hold this personal data and wider information securely and use it to deliver this sold service to:
- provide a checking and approval service for all off-site visits which involve adventurous activity, are residential or include travel abroad, via the web-based Evolve system
- supply the facility to use this system for recording and tracking all off-site visits, including those which are internally approved by the Head of Establishment
- offer advice and guidance documentation for all aspects of outdoor education and learning
- provide a monthly e-newsletters informing you of any local or national updates
- provide access to specific advice via phone or email, and the potential for arranging bespoke consultation or training
- deliver the promotion and development of all aspects of outdoor learning, within the school grounds and beyond
- provide access to the Trailblazer outdoor learning scheme, with potential accreditation for your young people; and
- ensure compliance with our obligations under the accuracy principle of the UK General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your family are up to date
eduFOCUS Limited is a data processor for this information acting on our instructions for the purpose of delivering a contract to the County Council around the hosting and supporting of the EVOLVE system, which the County Council makes available to schools/academies to use in support of the activities covered by this sold service. This includes accessing the EVOLVE system to fix any technical issues to ensure the system is fit for use. Schools will be the Data Controller for any information they put into the EVOLVE system.
The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for (the retention period), alongside identifying any rights you may have and who to contact if you think we’re not handling your information in the right way.
The categories of information that we collect, hold and share
The following personal and special category information is processed:
- your pupil’s personal information (name, address, date of birth)
- information about your pupil’s characteristics (such as sex, ethnicity, SEN status, looked after status); and
- your staff’s personal information (name and address, contact number, email address)
The lawful basis on which we use this information
We collect and use the information ensuring that we comply with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018) requirements for processing through:
- Article 6(1)(a) Consent – the individual has given clear consent for you to process their personal data for a specific purpose
- Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law; and
- Sch.1, Pt.4, 1 – Appropriate policy document and additional safeguards condition, for processing under the DPA2018
Please note that no automated decision making (decisions taken without a person involved) occurs for any parts of these activities controlled by the County Council. The County Council does not use profiling as part of the service.
Storing and securing data
The information provided to us will be held within the EVOLVE system. The information held will be kept in line with our retention schedule and then disposed of as appropriate. The EVOLVE system is hosted by eduFOCUS Limited in secure data centres based in the UK. No information leaves the European Economic Area (EEA) and the information is encrypted when in transit between County Council users of the system and the data centre the information is hosted within.
The County Council takes its data security responsibilities seriously and has policies and procedures in place to ensure the personal data held is:
- prevented from being accidentally or deliberately compromised
- accessed, altered, disclosed or deleted only by those authorised to do so
- accurate and complete in relation to why we are processing it
- continually accessible and usable with daily backups; and
- protected by levels of security ‘appropriate’ to the risks presented by our processing.
The County Council also ensures its IT Department is certified to the internationally recognised standard for information security management, ISO27001.
Who do we share information with?
We do not share information with anyone unless there is a lawful basis that allows us to do so.
Depending on the individual circumstances of each situation, we may have to share this information with other teams within the County Council to fulfil other duties and powers to support our work. These might include our Children Missing Education (for ensuring the provision of full time education); Virtual School (for support of children looked after); and/or Social Care teams (supporting welfare, safeguarding and corporate parent functions). We may also share information through the County Council’s role in the Hampshire Safeguarding Children Partnership (HSCP) to comply with their statutory duties.
Requesting access to your personal data and your rights
Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, or someone you have responsibility for, please contact the Children’s Services Department’s Subject Access Request (SAR) Team.
You also have the right to:
- withdraw your consent
- prevent processing for the purpose of direct marketing
- object to decisions being taken by solely automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you would like more information about these services visit our Participation & Lifelong Learning page.
The above information is the specific privacy notice for this service. For more information about your rights in relation to your personal data, see the County Council’s general privacy notice.
You have some legal rights in respect of the personal information we collect from you. See our Data Protection page for further details.
You can contact the County Council’s Data Protection Officer by email [email protected].
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.