Team Up Privacy Notice - Schools, pupils, parents and guardians
1. About Team Up
Team Up (we, us, our) is a registered charity (1151739) with a vision to raise the aspirations of children from low income backgrounds. Our mission is to improve the educational attainment of children from low income backgrounds by delivering tuition using inspirational volunteers.
2. Purpose of this privacy notice
The current version of this notice is effective from 1st September 2023. This policy follows the regulations set out in the GDPR and the Data Protection Act 2018.
This policy intends to make the following points clear to schools, pupils, parents and guardians about the information (data) we ask partner schools and organisations to share with us about pupils taking part in our programmes and the information we collect independently:
why we ask our partner schools to share information with us and why we collect some additional information independently (Section 3)
what information we ask partner schools to share with us and what information we collect independently (Section 4)
where we store the information and who can access it (Section 5)
how long we keep the information (Section 6)
what information we share with other parties (Section 7)
our legal basis for processing the information (Section 8)
security of personal information (Section 9)
transfers outside of the EEA (Section 10)
how to control your information and rights (Section 11)
how to contact us (Section 12)
We have also produced a Team Up Parent/Guardian Letter for schools who may wish to distribute this to the parents/guardians of participating pupils, introducing what the Team Up sessions involve, and directing them to this privacy notice. This letter nevertheless provides parents an opportunity to inform their child’s school if they do not wish for them to take part in the Team Up sessions, or to inform us if they do not wish for their child’s sensitive information (eg ethnicity, EAL status) to be used for evaluation purposes.
3. Data Purpose – why we ask our partner schools to share information with us and why we collect some additional information independently
Team Up asks our partner schools to provide information about the pupils they put forward for participation in our tutoring programme, and we collect some additional information independently, for the following reasons:
to effectively coordinate the delivery of our programme both in-school and online;
to meet safeguarding responsibilities;
to enable the evaluation of our impact and improve future programme delivery;
to demonstrate how our programme reaches the pupils who need it as defined by our charity’s mission.
4. Data Collection – what information we ask partner schools to share with us and what information we collect independently
Before a pupil officially joins our programme, we ask our partner schools to provide us with the following information about all pupils selected to take part, via a password-protected spreadsheet or email encryption software: full name, school, school year, gender, date of birth, unique pupil number, subject ability, pupil premium status, SEN status, EAL status.
From September 2023, for any pupils who do not have pupil premium status, we will ask for information regarding: household income (general identifier), single parent household, care status, availability of public funding for family.
This additional information will not be used on an individual basis and aggregated data may be used for particular areas or schools to secure funding for the programme.
Optionally, the school may also choose to provide additional engagement-related guidance for our consideration.
During the programme, we will independently record: pupil attendance and engagement, pupil assessment results, pupil survey responses.
For pupils who are accessing the tutoring sessions online, video recordings of tutoring sessions are made.
We may also request parent or guardian contact details from our partner schools in order to introduce ourselves to the parents/guardians of Team Up pupils, and to keep them updated on their child’s attendance where this is requested or deemed appropriate.
5. Data Storage and Access – where we store the information and who can access it
We operate a central database, Salesforce, to help us securely store pupil and parent/guardian information. The database is password-protected and access to the database is limited to Team Up staff, with ‘staff’ referring to employees and/or interns of Team Up who have undergone internal Data Protection and Privacy training, as well as a rigorous screening process. This does not include our volunteer tutors.
For pupils who are accessing the tutoring sessions online, video recordings of tutoring sessions are stored on the online tutoring platform, Vedamo. Access to the platform is password-protected and only Team Up staff can view/download session video recordings in order to quality assure programme delivery and/or investigate potential safeguarding disclosures.
For pupils who complete assessments or surveys online, their names, results and responses may be stored on the webform platform, a specifically designed website hosted by WordPress. The platform is password-protected and access is limited to specific Team Up staff.
Information about pupils and their parents/guardian may also be briefly recorded in other formats, such as in emails, word processing and spreadsheet applications. Information in these formats may be temporarily stored on Team Up devices or in Google Workspace applications such as our Google Drive cloud storage until it has been uploaded to Salesforce, at which point all other copies will be deleted. Access to these devices and cloud applications is password-protected and restricted to Team Up staff. Team Up Google Workspace is routinely reviewed to ensure that no sensitive or identifiable data is stored beyond its usage.
6. Retention – how long we keep the information
We work to ensure that your personal data is only retained for the period that Team Up needs it for, or in accordance with laws, regulations and professional obligations that we are subject to set out in GDPR and the Data Protection Act 2018.
Pupil and parent/guardian records on our central database, Salesforce, containing information provided by our partner schools, alongside additional information we have captured independently, are anonymised two years after the data was first uploaded onto Salesforce. This involves removal of all information from a record which could be used to identify an individual pupil and/or their parent/guardian. This process can only be reversed by specific members of the Team Up team and only under reasonable circumstances, such as to facilitate a safeguarding enquiry.
Video recordings of online tutoring sessions completed on Vedamo are kept for approximately 1 month from the time of sessions, after which they are deleted. In cases of safeguarding incidents, we will download the video and store it within a restricted access folder (that only the Designated and Deputy Designated Safeguarding Leads can access) on the Google drive in order to support with investigations. After which, we may keep the recording for up to 10 years, depending on the severity of the incident.
The names, results and responses of pupils who completed assessments or surveys using the websites, are anonymised two years after the data was first uploaded onto Salesforce.
Our best practice for any pupil and parent/guardian information temporarily stored in other formats, such as word processing or spreadsheet applications, is to delete this information as soon as the purpose for processing the information in the alternative format is complete.
Anonymised pupil records on our central database and any related parent/guardian information are deleted 10 years after the data was first uploaded. This deletion cannot be reversed.
Pupil records on our central database may be stored for longer if they relate to a reported safeguarding concern.
If you would like to find out how long any other information is being retained, please contact us via the details provided in section 12 of this policy.
7. Data sharing – what information we share with other parties
The following information about pupils may be shared with specific tutors before and during the programme to help them tailor their tutoring sessions: full name, school, school year, gender, subject ability, assessment results, attendance and engagement notes, and any other information the pupil’s school has voluntarily provided to us which is deemed relevant for the tutor to be made aware of.
After a pupil has completed the programme, the following information may be shared with tutors, but only in relation to those pupils they directly supported: assessment results from final assessment, survey responses.
On certain programmes, pupil data may be shared with third parties who are involved in the evaluation or delivery of the programme in the form of reports, such as other charity and widening participation partners. In these cases, identifying pupil data such as surnames will be removed. Each partner has a specific data sharing agreement drawn up in our contract (including with school partners). Where third party data sharing is necessary, further information will be shared with stakeholders regarding the data protection and privacy policies of each partner and the sharing agreement in place with specific reference to what data is collected, how it is stored/shared, and for how long it will be retained. In addition, data sharing consent will be sought from the parents/guardians and school partners before any pupil/parent data is shared.
Anonymous and aggregated data relating to pupils may be published on the Team Up website and used in published materials, such as Team Up’s reports for funders.
8. Legal basis – our legal basis for processing the information
To lawfully process the information outlined in this notice, we may rely on:
Legitimate interests: where information we request or collect independently about pupils or their parents/guardians is used to effectively coordinate the delivery of our programme in partnership with schools, enable the evaluation of our impact, improve the future delivery of our programme, and demonstrate that our programme reaches the pupils who need it as defined by our charity’s mission.
Examples: pupil full name, subject ability, pupil premium status, unique pupil number, exam results, survey responses
Legal obligation: where we may need to use or share information we hold about pupils or their parents/guardians in order to comply with a legal obligation, such as to facilitate the investigation of a safeguarding concern with a local authority.
Consent: in order to facilitate any additional processing of information beyond that which is outlined in this privacy notice e.g. photographs, we will seek consent from the relevant individuals in order to do so.
9. Security of personal information
We take the responsibility for protecting your privacy very seriously and we will ensure your data is secured in accordance with our obligations under the Data Protection laws. We have in place technical and organisational measures to ensure personal information is secured and to prevent your personal data from being accessed in an unauthorised way, altered or disclosed. We have in place a robust access control policy which limits access to your personal data to those employees, contractors and other third parties who only have a business need to know. The processing of your personal data will only take place subject to our instruction.
We have procedures to handle any potential data security breaches. Data subjects, third parties and any applicable regulators will be notified where we are legally required to do so. If you become aware of a potential data breach involving your personal data, please contact us immediately using the details provided at the end of this notice.
10. Transfers outside of the EEA
In this section, we provide information about the circumstances in which your personal data may be transferred and stored in countries outside the European Economic Area (EEA).
We may share personal information to third parties outside of the European Economic Area (EEA). Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws.
Where personal data is transferred outside of the EEA to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include Standard Contractual Clauses.
For more information about transfers and safeguarding measures, please contact us using the information in section 12.
11. How to control your information and your rights
Team Up is committed to accommodating your rights under the General Data Protection Regulation, which include:
Your right to be fully informed on how the information we ask you to share with us and the information we collect independently is processed by Team Up. If you have any questions about the guidance provided in this policy notice, or would like further detail on specific sections, then please address your query to the contact details provided below.
Your right to access the information we have asked you to share with us and the information we collected independently. If you require a copy of this information, please make this request using the contact details provided in this notice and the information will be provided to you in an electronic format as soon as possible, within one month at the latest. We will need to confirm your identity to provide this information.
Your right to rectify the information we have asked you to share with us and the information we collected independently if it is inaccurate or incomplete. If you believe that any of the information is inaccurate or incomplete, please contact us as soon as possible using the contact details provided below. We will promptly correct any information found to be incorrect.
Your right to erase the information we have asked you to share with us and the information we collected independently. You may request that this information be placed under restricted access, anonymised or deleted where there is no compelling reason for it to be kept. However, we may need to retain some information as stated in Section 6. Retention – how long we keep the information.
Your right to restrict or object to the further processing of the information we have asked you to share with us and the information we collected independently. Please use the contact details provided to inform us of any wish to restrict or object to the further processing of this information. Note that we may need to retain some key information in order to respect your restriction or objection in future.
Your personal data is not used in any automated decision making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).
Where we make an automated decision which has a legal or substantially similar effect, you have the right to speak to us and we may then review the decision, provide a more detailed explanation and assess if the automated decision was made correctly.
12. How to contact us
To contact us in relation to any of the information contained in this policy notice, to make a complaint, to pursue any rights under the General Data Protection Regulation and to contact our DPO, please email: firstname.lastname@example.org
Telephone: 07547 666523
If you are unhappy with the way that we have handled your Personal Information, you can make a complaint to the Information Commissioner’s Office (ICO) which is the UK authority responsible for data protection.