Skip to content
School logo watermark

    • Privacy Notice

    How we use your information

    Who Processes Your Information?

    Cowbridge School is the data controller of the personal information you provide to us. This means that the School determines the purposes for which, and the manner in which, any personal data relating to students and their families is processed.

    In some cases, your data may be shared with a third-party processor. This will only occur where there is a lawful basis for sharing, either with your consent or where the law permits it. Any third-party processors must comply with the same data protection standards as the School. We do not share information about our pupils with anyone without consent unless required by law or our policies.

    The School’s Data Protection Officer (DPO) is Mr Ling, and the Deputy DPO is Mr Stagg. They oversee and monitor the School’s data protection procedures to ensure compliance with UK GDPR. They can be contacted on 01446 772311 or via email at enquiries@cowbridgeschool.co.uk.

    Why Do We Collect and Use Your Information?

    Pupil data is essential for the School’s operational purposes. Some information is mandatory, while other information may be provided voluntarily. At the point of collection, we will inform you whether specific information is required or optional.

    We collect and use pupil information under Article 6(1)(e) of UK GDPR:

    "Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."

    For special category data, we rely on Article 9(2)(g) of UK GDPR, which permits processing for reasons of substantial public interest, subject to a legal basis under the Data Protection Act 2018.

    However, for certain types of data processing, we rely on Article 6(1)(a) (consent). This applies to:

    • the use of images or photographs for marketing and publicity;
    • the use of biometric data for catering services (e.g., Vericool);
    • participation in educational research not required by law;
    • any optional third-party services requiring consent.

    Where processing is based on consent, you have the right to withdraw consent at any time.

    The School collects and uses personal data in compliance with relevant laws, including the:

    • Education Act 1996
    • UK GDPR and Data Protection Act 2018

    We process personal data for the following purposes:

    • to support student learning;
    • to monitor and report on student progress;
    • to provide appropriate pastoral care;
    • to assess the quality of our services;
    • to comply with legal requirements regarding data sharing;
    • to safeguard students (e.g., allergy or child protection information);
    • as part of our admissions process;
    • to support pupils with post-school career decisions;
    • to manage school meals, payments, and communication systems;
    • to publicise and market the School (including images/photographs);
    • for educational research purposes.

    Categories of Information We Process

    We process the following categories of pupil information:

    • personal identifiers and contacts (e.g., name, date of birth, unique pupil number, contact details, address);
    • characteristics (e.g., gender, ethnicity, language, nationality, country of birth, free school meal eligibility);
    • safeguarding information (e.g., court orders, professional involvement);
    • special educational needs (SEN) and additional learning needs (ALN);
    • medical and administration records (e.g., GP details, allergies, medication, dietary requirements);
    • attendance records (e.g., sessions attended, absence details, previous schools attended);
    • assessment and attainment records (e.g., exam results, progress tracking);
    • behavioural information (e.g., exclusions, alternative provision);
    • destination data (pupil post-school pathways);
    • educational visits data;
    • catering and free school meals arrangements, including biometric data (with parental consent);
    • ParentMail communication system data.

    How We Collect Your Information

    We collect pupil and contact information through:

    • Paper and electronic registration forms at the start of the school year
    • Common Transfer Files (CTF) or secure file transfers from previous schools

    Data Retention

    The School retains personal data only for as long as necessary to fulfil its purpose, in accordance with our Data Protection Policy and relevant legal requirements. Specific retention periods are outlined in the School’s Data Retention Schedule (available on request).

    Automated Decision-Making & Profiling

    Cowbridge School does not use personal data for automated decision-making (where decisions are made solely by automated means without human involvement) or profiling (where personal data is used to analyse or predict aspects of an individual’s behaviour, performance, or preferences).

    Data Sharing and Third Parties

    We share pupil data only where legally required or where it is necessary to fulfil our obligations. Examples of data sharing include:

    • Welsh Government (WG) (e.g., Pupil Level Annual School Census, educational research);
    • Local Authority (Vale of Glamorgan) and Central South Consortium (CSC);
    • Destination schools through the use of Common Transfer Files (CTFs) via the School-to-School (S2S) data transfer system.
    • Estyn (school inspections);
    • NHS (health and wellbeing services);
    • Exam Authorities;
    • Police and courts (where legally required);
    • Social Services and support agencies;
    • Arbor Education (Management Information System - MIS);
    • GO 4 Schools;
    • Vericool (Canteen and school meal system);
    • ParentMail (school communication system);
    • Wonde (secure data transfer platform for third-party educational services);
    • Google Workspace for Education (cloud-based collaboration, learning tools and email);
    • InVentry (sign-in system for staff, pupils, and visitors);
    • School Cloud Systems Ltd;
    • Learning Records Service (LRS) (Unique Learner Numbers and Personal Learning Records);
    • The Governor Support Unit (GSU) of the local authority for the parent governor election process;
    • Careers Wales;
    • Researchers from reputable institutions.

    Where data is transferred outside the UK, we ensure appropriate safeguards, such as UK adequacy decisions or Standard Contractual Clauses (SCCs), are in place.

    Your Rights

    Under UK GDPR, parents and pupils have the following rights:

    • right to be informed (about how data is used);
    • right of access (to personal data held about them);
    • right to rectification (to correct inaccurate data);
    • right to erasure (in certain circumstances);
    • right to restrict processing (in specific cases);
    • right to data portability (where applicable);
    • right to object (to certain types of processing).

    Where processing is based on consent, you have the right to withdraw consent at any time.

    Requesting Access to Personal Data

    Parents and pupils can request access to personal information held by the School. Requests should be directed to the Data Protection Officer. The School will respond within one month of receiving a valid request.

    Concerns or Complaints

    If you have concerns about how your data is being used, please contact the School’s Data Protection Officer in the first instance. You also have the right to raise concerns with the Information Commissioner’s Office (ICO):

    Information Commissioner’s Office (Wales)
     2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH
     Tel: 029 2067 8400
     Email: wales@ico.org.uk

    symbol watermark symbol watermark

    Cookie Policy