Privacy Notice for Staff – How we use your information

Who are we?
Exhall Grange Specialist School & Science College is the ‘data controller’. This means we are responsible for how your personal information is processed and for what purposes. Exhall Grange Specialist School & Science College is registered as the Data Controller with the Information Commissioner’s Office (ICO); Registration Number: Z7827115. You can contact the School as the Data Controller in writing at: Exhall Grange Specialist School and Science College, Easter Way, Ash Green, Coventry, CV7 9HP or

What is a Privacy Notice?
A Privacy Notice sets out to individuals how we use any personal information that we hold about them. We are required to publish this information by data protection legislation. This Privacy Notice explains how we process (collect, store, use and share) personal information about our staff.

What is Personal Information?
Personal information relates to a living individual who can be identified from that information. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. ‘Special category’ personal information reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What personal information do we process about staff?

The categories of staff information that we collect, hold and share include:

  • Personal information such as name, employee or teacher number and national insurance number
  • Special categories of data including characteristics information such as gender, age, ethnic group
  • Contract information such as start dates, hours worked, post, roles and salary information)
  • Work absence information such as number of absences and reasons
  • Occupational health reports
  • Qualifications and, where relevant, subjects taught

For what purposes do we use personal information?
We use staff data to:

  • Develop a comprehensive picture of the workforce and how it is deployed
  • Inform the development of recruitment and retention policies
  • Enable individuals to be paid and receive other staff benefits
  • Ensure that we can act in an emergency


Collecting staff information
Whilst the majority of staff information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain staff information to us or if you have a choice in this.

What are the legal reasons for us to process your personal information?
We are required to process personal information in accordance with data protection legislation and only do so when the law allows us to. Data Protection law sets out the lawful reasons we have to process your personal information and these are as follows:

1) To comply with the law
We collect and use general purpose staff information in order to meet certain legal requirements and legal obligations placed upon the School by UK law. We therefore have the right to process your personal information for such purposes without the need to obtain your consent. Details of the type of processing that we must undertake, the personal data that is processed, the legislation which requires us to do so and who we may share this information with is set out in Table 1.

2) To protect someone’s vital interests
We are able to process personal information when there is an emergency and/or where a person’s life is in danger. Details of the type of processing that we may undertake on this basis and who we may share that information is set out in Table 2.

3) With the consent of the individual to whom that information ‘belongs’
Whilst much of the personal information is processed in accordance with a legal requirement, there is some personal information that we can only process when we have your consent to do so. In these circumstances, we will provide you with specific and explicit information regarding the reasons the data is being collected and how the data will be used. Details of the type of processing that we may undertake on this basis and who we may share that information is set out in Table 3.

4) To perform a public task
It is a day-to-day function of the School to ensure that staff members receive the training and support they require. Much of this work is not set out directly in any legislation but it is deemed to be necessary in order to ensure that staff are properly supported and able to do their job. Details of the type of processing that we may undertake on this basis and who we may share that information is set out in Table 4.

5) To comply with a contract we have with you or because you have asked us to take specific steps before entering into a contract
We are able to process personal information in order to comply with the contract that we have with you. Details of the type of processing that we may undertake on this basis and who we may share that information is set out in Table 5.

Special category personal information
In order to process ‘special category’ data, we must be able to demonstrate how the law allows us to do so. In additional to the lawful reasons above, we must also be satisfied that ONE of the following additional lawful reasons applies:

  1. Explicit consent of the data subject
  2. Necessary for carrying out obligations and exercising specific rights in relation to employment and social security and social protection law
  3. Processing relates to personal data which is manifestly made public by the data subject
  4. Necessary for establishing, exercising or defending legal claims
  5. Necessary for reasons of substantial public interest
  6. Necessary for preventive or occupational medicine, or for reasons of public interest in the area of public health
  7. Necessary for archiving, historical research or statistical purposes in the public interest

The lawful reasons for each type of sensitive category personal information that we process is set out in the tables attached.

Who might we share your information with?
We routinely share staff information with:

  • Our local authority
  • The Department for Education (DfE)

We do not share information about our staff unless the law and our policies allow us to do so.

Please refer to the tables for information about what personal information is shared with which specific third parties.

What do we do with your information?
All personal information is held in a manner which is compliant with data protection legislation. Personal information is only processed for the purpose it was collected The School monitors the personal information it processes and will only share personal information with a third party if it has a legal basis to do so (as set out above).

How long do we keep your information for?
In retaining personal information, the School complies with the Retention Schedules provided by the Information Record Management Society. The schedules set out the Statutory Provisions under which the School are required to retain the information.

A copy of those schedules can be located using the following link:

Transferring data internationally
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

What are your rights with respect of your personal information?
Under data protection law, staff members have the right to request access to information about them that we hold. To make a request for your personal information contact the School Data Protection Officer at Warwickshire Legal Services via email at or alternatively;

School Data Protection Officer
Warwickshire Legal Services
Warwickshire County Council
Shire Hall
Market Square
CV34 4RL

**Please ensure you specify which school your request relates to.

You also have the right to:

  • Object to processing of personal data that is likely to cause, or is causing, damage or distress
  • Prevent processing for the purpose of direct marketing
  • Object to decisions being taken by automated means
  • In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • Claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at

The content of this Privacy Notice will be reviewed May 2019.

You can read our CCTV code of practice here