Transparency data

Privacy information: local authority employees

Updated 28 March 2025

Applies to England

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/privacy-information-local-authority-employees/privacy-information-local-authority-employees

This document provides details of what personal data the Department for Education (DfE) processes about the workforce in local authorities. This includes social work professionals that have responsibility for social work-related services.

The data processed is not database or census specific, this privacy notice applies to all data processed.

When we collect and use your personal information, we follow the relevant laws including the:

We must have a valid reason to collect your personal data. These reasons are called lawful basis in UK GDPR. You have rights under UK GDPR about how your personal data is collected and used. Your rights change based on the lawful basis for collecting the data.

Further information on the standards you can expect when we collect, hold or use your personal information is available on the personal information charter.

1. Using your data to protect learners and children

1.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can protect learners.

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR.

1.2 Data we collect

DfE collects information from educational settings, local authorities, your employer and other government departments to safeguard children and adults.

We collect and use the name and contact details of the person reporting or involved in the safeguarding case.

1.3 What we do with your data

We use your personal information to support these children, young people and adults, and to monitor their progress.

We’ll use your personal information to:

  • keep pupils or learners safe from potential harm
  • identify issues and provide support for mental and physical health issues
  • prevent extremism in the education system - DfE works to ensure children and young people are not exposed to extremists and extremist messages

The Teaching Regulation Agency (TRA) regulates the teaching profession in England and investigates cases of serious misconduct. If you are a witness or potential witness within a teacher misconduct investigation, TRA processes your information to investigate allegations of serious misconduct.

1.4 Who we share your data with

We may share your personal data with other organisations where DfE and its executive agencies are notified of an issue regarding safeguarding of children and young people.

Other people and organisations may also share personal data with DfE and its executive agencies, for example, when they make a complaint or raise a concern with us.

This can include information shared in accordance with the guidance:

The information will be used to:

  • investigate complaints
  • ensure trusts and academies comply with the regulations (including Independent schools (Education (Independent School Standards) Regulations 2014)

The privacy information for the education providers’ workforce, including teachers, has more information about when we share your personal information.

1.5 How long we keep your data

For safeguarding cases, we keep your personal information for 10 years after the date of the allegation and then it is reviewed.

1.6 Your information rights under UK GDPR

Find out about your rights when we process your personal data under the lawful basis of public task.

1.7 Data processors

We do not use any data processors for this processing activity.

2. Using your data when a child is looked after by local authorities

Local authorities have a legal duty to provide DfE with information each year about the children they look after.

The children’s privacy notice has more information on using your data when a child is looked after by local authorities.

3. Using your data when a child is in need

Local authorities have a legal duty to provide DfE with information each year about the children in need.

A child in need is defined under theChildren Act 1989 as a child:

  • who is unlikely to reach or maintain a satisfactory level of health or development
  • whose health or development will be significantly impaired without the provision of services
  • who is disabled

The children’s privacy notice has more information on using your data when a child is in need.

4. Using your data when we receive a Serious Incident Notification (SIN)

DfE has established the Child Safeguarding Practice Review Panel (the Panel). The Panel commissions national reviews of child safeguarding cases that raise issues that are complex or of national importance.

Local authorities in England have to notify the Panel where they know or suspect that a child has been abused or neglected and:

  • the child has died or has been seriously harmed in the local authority’s area
  • the child has died or been seriously harmed outside England, when they are normally resident in the local authority’s area

The local authority must notify the Panel if a child who is being looked after by a local authority dies, whether or not neglect is known or suspected.

Once a notification is submitted, no local authority will have access to it, including the one that made the notification.

The children’s privacy notice has more information on using your data when we receive a Serious Incident Notification (SIN).

5. Using your data to support learner assessments

5.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can develop and deliver assessments for children in education between reception and the end of key stage 2.

The learner assessments include national curriculum assessments, which are supported by our national curriculum assessment contracted partner, the Primary Assessment Gateway. This system has a number of users who all have different reasons for logging into the system. Users include:

  • headteachers
  • school staff
  • local authorities
  • multi academy trusts and key stage 2 (KS2) markers

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

5.2 Data we collect

DfE collects and uses your personal information, including your:

  • name
  • email address
  • phone number

5.3 What we do with your data

For the Primary Assessment Gateway, we use your personal information to set up a user account.

For the teacher assessment and moderation process, we use your data to:

  • keep you informed about developments within teacher assessment and moderation
  • recruit for future projects and events run by STA or contracted suppliers
  • contact you regarding any external moderation visits we may undertake at your local authority

  • send assessment update and reminder emails

  • contact and invite you to attend standardisation training events
  • select you for an external moderation visit
  • make you aware of possible job opportunities

5.4 How long we keep your data

We keep your personal information for 7 years.

5.5 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of public task.

5.6 Data processors

Capita is the data processor and processes your data for the Primary Assessment Gateway.

6. Using your data to fund learning, including apprenticeships

6.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can fund learning in the following educational settings:

  • schools – for example, when the local authority completes statutory data collections on behalf of maintained schools
  • apprenticeships

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR.

6.2 Data we collect

We need enough information to work out how much funding is required. Funding is calculated based upon the numbers of learners in each educational setting and if they have needs which need additional funding.

To do this, we require information from educational settings or local authorities about learners. Find out more from:

We also need the following information about the workforce in schools, academies, colleges or training providers:

  • personal contact details of employees and staff members - name, address, email address and phone numbers
  • IP address
  • Teacher Pension (TPS) number (for Music Hub organisations only)

We collect special category data, including information about:

  • ethnicity and gender
  • disability, if applicable

6.3 What we do with your data

We use the data to work out how much funding is required and to publish statistics on funding.

We use your personal information to determine whether a provider is entitled to claim funding from DfE. For example, some learning will not be eligible for state funding because the programme of learning, or perhaps an element of it, has already been achieved by the learner.

For security purposes, we collect the IP addresses of people visiting the DfE data collection forms on our websites. This enables users to use the service and receive updates. If we were receiving continuous direct denial of service attacks from an IP address range, we could block the IP address. We will not share the IP address with any other parties.

6.4 Who we share your data with

We sometimes need to make personal data available to other organisations. These might include contracted partners or other organisations with which we need to share your personal data for specific purposes.

Where we need to share your personal data with others, we ensure that this data sharing complies with data protection legislation. For example, in order to assess funding applications, we may need to share your personal data with:

  • the National Schools Commissioner (NSC)
  • Regional Schools Commissioners (RSC)
  • DfE-funded educational experts and their teams
  • DfE-contracted external assessors, if appropriate

Using your data when we share your personal information in the education providers’ workforce privacy notice has more details.

6.5 How long we keep your data

We keep your personal information:

  • for 7 years for funding or financial purposes
  • until 31 December 2034, if the learning is funded by the European Social Fund

If your personal information is included in any legal agreement classified as a Deed, we will retain it for 12 years from the point of the Deed’s expiry.

6.6 Your information rights under UK GDPR

Find out about your rights when we process your personal data under the lawful basis of public task.

6.7 Data processors

Training providers are data processors for the adult education and apprenticeship data that they send to DfE.

7. Using your data to ensure the protection of public funds by preventing and detecting fraud

7.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can protect public funds by preventing and detecting fraud.

The lawful basis we rely on we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR.

When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR.

7.2 Data we collect

We use your personal data to ensure schools, academies, colleges, sixth forms, adult education training providers and apprenticeships have received the correct funding.

To do this we collect the following information from your educational setting or local authority about you:

  • personal contact details
  • date of birth
  • data and information about your learning, including your courses and assessments

We collect special category data including details about your:

  • equality, diversity and inclusion information
  • health

Full details about how we process special category data are given in the DfE appropriate policy document.

7.3 What we do with your data

We use your data to investigate suspected fraud or financial irregularity.

Find out more on how to report fraud or financial irregularity.

7.4 Who we share your data with

When fraud is identified, your personal data will be shared by us as necessary for the purposes of preventing and detecting fraud. It will be shared with fraud prevention and law enforcement agencies, such as the Police and the National Crime Agency.

7.5 How long we keep your data

We keep your personal information for 7 years after legal proceedings have been completed.

7.6 Your information rights under UK GDPR

Find out about your rights  when we process your personal data under the lawful basis of public task.

7.7 Data processors

The National Audit Office (NAO) audits the DfE accounts, to analyse public spending and to improve our services. The NAO is a controller for your personal data that they process.

8. Using your data to contact you for research or feedback  on services we provide to you

8.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can:

  • undertake research to learn how you interact with our services and to support our operational development and delivery
  • measure the impact and effectiveness of each of our services, our programmes or our events
  • make improvements to the services we offer you

We do this through surveys, public consultations and feedback about our help desks. 

We will always seek your permission to take part in any research.  

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

8.2 Data we collect

We collect and use the information you provide directly to us when you contact us, attend one of our programmes or events or use our digital services or helpdesk. We collect your:

  • full name
  • email address
  • phone number

8.3 What we do with your data

We use your data to:

  • make improvements to the services we offer to you
  • develop policy
  • develop new services
  • contact you to invite you to participate in research that is relevant to you

You are under no obligation to participate in any research we invite you to. We will not contact you about research using your data if you tell us not to.

Using your data to gather evidence for policy development and delivery has more information on how we process your personal information during research.

8.4 How long we keep your data

We keep your personal information until 2 years after the end of the survey or research. We keep a record of you being contacted for feedback for 5 years.

8.5 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of public task.

8.6 Data processors 

DfE uses a data processor to:

  • provide our service desk
  • contact you for feedback
  • contact you to take part in research

9. Using your data to gather evidence for policy development, evaluation and delivery

9.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can undertake research and surveys to gather evidence to support our policy development and delivery. Having this evidence is important when improving outcomes for children, young people, families and adults.  

The lawful basis we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR. When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR

Sometimes we link your survey responses to other government-held data. The lawful basis for this processing is ‘consent’ under article 6(1)(a) of the UK GDPR. If you have agreed that we can link your survey responses to other government-held data, we are undertaking this processing with your consent.

9.2 Data we collect

We collect and use personal information directly from you or your education provider, including your:

  • full name
  • email address
  • phone number
  • date of birth
  • address

When we use your special category data it is because we have a substantial public interest and you have given your ethical consent to participate in the research. As part of our research we may need to collect information about your:

  • heath or disability
  • racial or ethnic origin
  • gender

We also collect sensitive information about your:

  • socioeconomic classification
  • caring responsibilities

Full details about how we process special category data are given in the:

9.3 What we do with your data

We will use your personal information for research that DfE undertakes to provide high-quality evidence to inform policy development and delivery.

Sometimes we link your survey responses to other government-held data. The lawful basis for this processing is ‘consent’. At any time, you can tell us you no longer want us to link your data to other data. You can do this by using our contact form.

We will publish a summary of the research and the full research report. Your responses may be attributed to an organisation where this information has been provided but our publications will not contain any personal data. DfE will anonymise or desensitise the data where possible.

Research reports published since May 2010 are available on GOV.UK.

Research published before May 2010 is available from The National Archives.

Research at DfE and parent, pupil and learner panel omnibus surveys have more information.

9.4 How long we keep your data

We keep your personal information until 12 months after the end of the survey or research.

9.5 Your information rights under UK GDPR 

Find out about your rights  when we process your personal data under the lawful basis of public task or consent.

If you have agreed that we can link your survey responses to other government-held data, we are undertaking this processing with your consent. You have the right to withdraw that consent up until the data is analysed for the publication.

If you change your mind, or you are unhappy with our use of your personal data,  contact DfE  and state the project or initiative name. Further information on rights and the ways in which your data may be used are contained in the research consent form.

9.6 Data processors

DfE uses a data processor to undertake the research by using contractors. Our contractors will get your personal data directly from you and DfE during the activity or initiative.

10. Using your data to take part in our consultations

10.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can hold public consultations to develop our policies, programmes and guidance.

The lawful basis we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR.

10.2 Data we collect

We collect and use the following personal information, including your:

  • full name
  • job role
  • address
  • email address
  • phone number
  • IP address

10.3 What we do with your data

We’ll use your personal information when gathering feedback from our public consultations.

Information provided in response to consultations, including personal information, may be subject to publication or disclosure under the:

If you want all or any part of a response to be treated as confidential, explain why in the relevant section of the consultation response.

10.4 How long we keep your data

We keep your personal data for 10 years, as it supports our policy making.

10.5 Your information rights under UK GDPR

Find out about your rights when we process your personal data under the lawful basis of public task.

10.6 Data processors

DfE uses Delib to manage our public consultations. Delib’s website enables you to provide feedback on the documents’

11. Using your data to maintain lists of contact details

11.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can maintain lists of:

  • contact details for schools, academies, colleges, training providers, apprenticeship employers, higher education, secure units, online providers, independent schools, British schools overseas, children’s centres and children’s centres linked sites, local authority nurseries, non-maintained special schools, service children’s education and special post 16 and children’s homes
  • contacts in local authorities
  • contacts for DfE programmes and services - for example, the staff wellbeing charter
  • safeguarding partner contacts
  • stakeholders, including unions, advisory boards and external bodies, such as Ofqual and Ofsted
  • teachers – using your data to maintain a list of teachers has more information
  • school governors, trustees or proprietors
  • chief financial officer and the accounting officer for single-academy trusts, multi-academy trusts and secure single-academy trusts
  • honours nominations – the privacy information relating to honours nominations has more details

DfE publishes contact details for schools on:

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

11.2 Data we collect

We collect and use the following personal information:

  • name and address
  • job role
  • personal email address
  • phone number
  • date of birth, where applicable

In the case of contacts for budget forecast return, accounts return and land and buildings collection tool, we also collect individuals’ IP addresses. This is to:

  • monitor use of the service
  • produce anonymised statistics to help us understand how easy our services are to use and how we can improve them

We use AppInsights software to collect information about how you use the academy trust data collections.

AppInsights processes information about:

  • the pages you visit on academy trust data collections
  • how long you spend on each academy trust data collections page
  • how you got to the site
  • what you click on while you’re visiting the site

11.3 What we do with your data

We use your personal information to ensure we have up-to-date contacts for the whole education sector in England. We use these contacts for our data collections and education sector governance.

11.4 How long we keep your data

We keep your personal information for 10 years, as it supports our policy making.

For data collected in relation to the budget forecast return, accounts return, and land and buildings collection tool, we retain these details for 12 months

11.5 Your information rights under UK GDPR

Find out about your rights  when we process your personal data under the lawful basis of public task.

11.6 Data processors

We do not use any data processors for this processing activity.

12. Using your data when you contact us

12.1 Purpose and lawful basis for processing

We collect, process and store your personal data when you contact the Department by DfE contact us form, telephone, email, message us or live chat. 

Telephone calls to our helplines may be recorded for training and monitoring purposes. If provided, we will also use your email address to send a customer satisfaction survey. 

We use this information to: 

  • resolve your enquiry 
  • progress a follow up enquiry 
  • action a request as appropriate 

It is also used to ensure our call agents are appropriately trained and to enable us to continually improve the quality of the service provided. 

Find out more from the privacy notice for stakeholders which has a section on using your data when you make a complaint about education providers, children’s social care or the DfE.

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

12.2 Data we collect

DfE collect and use the following personal information directly from you, including your:

  • full name
  • email address
  • phone number
  • enquiry or complaint details
  • IP address

12.3 What we do with your data

We need information from you to investigate your complaint or enquiry properly.

We use the IP address to detect and block malicious visitors to our websites.

12.4 How long we keep your data

We keep your personal information for 5 years from the date of the enquiry or complaint.

12.5 Your information rights under UK GDPR

Find out about  your rights  when we process your personal data under the lawful basis of public task.

12.6 Data processors

We do not use any data processors for this processing activity.

13. Using your data when you make a complaint about education providers, children’s social care or DfE

13.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can process your data when you make a complaint about:

  • a school
  • a college
  • an early year’s provider
  • children’s social care service
  • a teacher
  • DfE

Find out more from:

The lawful basis we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR.

13.2 Data we collect

DfE collect and use the following personal information including:

  • your full name
  • email or postal address
  • phone number
  • your enquiry or complaint details
  • information held by third parties, like schools, colleges and local authorities

We collect and use sensitive data. This includes details about:

  • safeguarding and child protection matters
  • special educational needs assessments
  • medical details

Full details about how we process special category data and sensitive data are given in the DfE appropriate policy document.

13.3 What we do with your data

We need information from you and potentially other third parties to consider your complaint.

13.4 Who we share your data with

Before we consider a complaint, we may need documentary evidence that the complaints procedure has been completed in full. We usually ask the complainant to provide this.

Depending on the nature of the complaint, we may need additional documentation, such as CPOMS records or statements from staff and other pupils. CPOMS  is an online system, used by over 16,500 schools across the globe.

We may contact the school, an early year’s provider, a children’s social care service or other local authority department to provide this information.

Schools have a legal duty to provide this information to the Secretary of State for Education under section 538 of the Education Act 1996.

Local authorities have a legal duty to provide this information to the Secretary of State for Education under section 29(1) of the Education Act 1996.

DfE may also share your data under public task with Ofsted, local authorities or police and criminal investigation authorities, through court orders - to safeguard and promote welfare of children in the UK.

13.5 How long we keep your data

We keep your personal information for 10 years from closure of the case.

Where a complaint is made to TRA but it is not accepted as a referral, it will be treated as correspondence and kept for a period of 5 years from the closure of the complaint.

The education providers’ workforce privacy notice has more information on using your data when you make a referral of serious teacher misconduct to the Teaching Regulation Agency (TRA).

13.6 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of public task.

13.7 Data processors

We do not use any data processors for this processing activity.

14. Using your data when you make a referral of serious teacher misconduct to the TRA

14.1 Purpose and lawful basis for processing

DfE has processes in place that enable anyone to:

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

14.2 Data collected

When you make a referral, DfE collects and uses your personal information, including your:

  • name
  • contact details

The section on using your data to investigate teacher misconduct in the education providers’ workforce privacy notice has more information on:

  • how we investigate a referral
  • the data we collect about the teacher

14.3 What we do with your data

As a witness, potential witness or a person making an allegation within a teacher misconduct investigation, we receive your personal data from you and third parties including:

  • employers
  • supply agencies
  • police forces
  • the DBS
  • members of the public

We process this information to regulate the teaching profession by investigating allegations of serious misconduct.

14.4 Sharing your data

We sometimes need to make personal data available to other organisations. This also includes contracted partners. Where we need to share your personal data with others, we comply with data protection legislation.

Teachers who are subject to an investigation and their employer

If there is an investigation, we tell them the name of the person who made the referral and details of their allegation. If there is no investigation, we tell the teacher that there has been an allegation, but we do not share your personal data. If the teacher makes a subject access request, we give details of the allegation but not the name of the referrer. If the referral came from an organisation, then we give the name of the referring organisation. This is compliant with Education Acts 2002 and 2011.

If there is an investigation, legal firms we hold contracts with will process your personal data on our behalf. They process the data we provide to gather information to support misconduct investigations and hearings. Some legal firms will also review this data to provide impartial legal advice during misconduct hearings. This is compliant with Education Acts 2002 and 2011.

Professional conduct panels

We appoint independent panel members who sit on professional conduct panels to consider cases of serious misconduct and they may make recommendations on prohibition to the Secretary of State. They need this information to fulfil this role. This is compliant with Education Acts 2002 and 2011.

Published decisions

We will publish the teacher’s personal data within a decision document on GOV.UK if a    finding of serious misconduct is made. We will not publish the referrer’s data. This is accessible by members of the public. This is compliant with Regulations 8 and 15 of the Teachers’ Disciplinary (England) Regulations 2012 and section 141C of the Education Act 2002 (updated).

DBS and other organisations

We may need to share your personal data with DBS and other organisations (including, but not limited to, local authority organisations and employers) to safeguard children, young people and adults. This is compliant with Section 45 of the Safeguarding and Vulnerable Groups Act 2006.

Police

We may need to share your personal data with the police and the police share information with DfE so we can fulfil our statutory roles. This is compliant with section 31 of the Data Protection Act 2018.

If applicable, we may need to share your financial details with our finance team to pay any expense claims you make.

14.5 How long we keep your data

We keep your personal information for 10 years from closure of the case.

Your financial information for expense purposes, if applicable, is retained for 7 years, then securely destroyed.

Where a complaint is made to TRA but it is not accepted as a referral, it will be treated as correspondence and kept for a period of 5 years from the closure of the complaint.

The section on Using your data when you make a complaint about education providers, children’s social care or DfE has more details.

14.6 Your information rights under GDPR 

Find out about  your rights  when we process your personal data under the lawful basis of public task.

14.7 Data processors

We do not use any data processors for this processing activity.

15. Using your data when you use DfE Sign-In

15.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can enable schools and other education organisations to access online services using DfE sign-In. The DfE sign-In page has details of the services that use it.

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

15.2 Data we collect

DfE collect and use the following personal information directly from you including:

  • your first name and last name
  • the email address you provide
  • the organisation details the account is linked to

15.3 What we do with your data

We use the data to allow you access to DfE online services.

Occasionally, DfE will contact users on the email address provided with essential information about DfE Sign-in.

15.4 Who we share your data with

We may share your information where the law allows, or where we have a legal obligation to do so.

For Ofsted users, we regularly share your details with Ofsted for monitoring purposes.

15.5 How long we keep your data

We keep your personal information for 6 years from the date on which an individual deactivates or deletes their account.

15.6 Your information rights under UK GDPR

Find out about  your rights  when we process your personal data under the lawful basis of public task. 

15.7 Data processors

We do not use any data processors for this processing activity.

16. Using your data when you use our websites

16.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can improve our website and search functionality. 

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

16.2 Data we collect

DfE websites use cookies to collect information from you about how you use this website. The section on cookies has more details.

DfE websites use Google Analytics, Hotjar or Microsoft Clarity. We do not collect or store your personal information through these tools, so it cannot be used to identify who you are.

You can find out which cookies are used in the footer section of each website.

16.3 What we do with your data

We use your personal information to:

  • ensure we present our website content in the best way for you
  • allow you to take part in interactive features of our service, when you choose to do so

Using your data when you sign up to our notifications about learning opportunities or events has more information on when we use your data to:

  • notify you about changes to our website or services
  • provide you with information or services that you request from us or which may interest you

16.4 How long we keep your data

Your personal information is retained for up to 2 years. Details about cookies on GOV.UK has more information.

If you create an account on our websites or sign up for an alert your personal information is kept as long as you have an account. If you delete your account or cancel your alert, your data will also be deleted.

Using your data when you sign up to our notifications about learning opportunities or events has more information.

16.5 Your information rights under UK GDPR

Find out about  your rights  when we process your personal data under the lawful basis of public task.

16.6 Data processors

DfE uses a data processor for collecting information about how you use GOV.UK. We use Google Analytics cookies and a Real User Monitoring (RUM) cookie from SpeedCurve.

17. Using your data to use our social media channels

17.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can use social media to share news and views with people working in:

  • schools
  • colleges
  • local authorities
  • children’s services

We also use social media to communicate with parents, children and young people.

Our social media use policy has more details.

The lawful basis we rely on for this processing of your personal data is consent under article 6(1)(a) of the UK GDPR.

At any time, you can tell us you no longer want us to use your data, see the your rights section for more information.

17.2 Data we collect

When you interact with our social media channels we collect and use your name.

17.3 What we do with your data

When you use our websites and social media channels, we use your personal information to:

  • allow you to take part in interactive features of our service, when you choose to do so
  • ensure we present our website content in the best way for you
  • provide you with information or services that you request from us or which may interest you - we always get your consent when you request these DfE services
  • notify you about changes to our website or services

The DfE cookies policy has more information.

17.4 How long we keep your data

The DfE social media channels are captured by The National Archives as a permanent record of DfE’s social media communication.

Your personal information is retained for up to 2 years. Details about cookies on GOV.UK has more information.

17.5 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of consent. 

As we are processing your personal data with your consent, you have the right to: 

  • withdraw consent at any time, by using our contact form 
  • ask DfE to cease publication of your image, words or voice on its social media channels 

If you do so, DfE will not publish further social media posts featuring this content, but it is not obligated to remove or delete existing posts. DfE social media channels are captured by The National Archives  as a permanent record of DfE’s social media communication. 

If you change your mind, or you are unhappy with our use of your personal data,  contact DfE  and state the project or initiative name.

17.6 Data processors

We use a data processor for collecting information about how you use GOV.UK. We use Google Analytics cookies and a Real User Monitoring (RUM) cookie from SpeedCurve.

18. Using your data when you sign up to our notifications about learning opportunities

18.1 Purpose and lawful basis for processing

Our purpose for processing this information is so you can sign up for notifications, such as about teaching as a career, our events or our services and work. 

The lawful basis we rely on for this processing of your personal data is consent under article 6(1)(a) of the UK GDPR.

At any time, you can tell us you no longer want us to use your data. The section on your rights has more information.

18.2 Data we collect

DfE collect and use the following personal information directly from you, including your:

  • name
  • email address

18.3 What we do with your data

We will use your personal information to enable you to sign up to specific messages, like when promoting apprenticeships or our careers service, or to invite you to events.

18.4 How long we keep your data

We keep your personal information for as long as you are signed-up to our notifications or alerts. You can  unsubscribe from our emails  at any time. You can also use the ‘unsubscribe’ or ‘change your email preferences’ links in the emails you get from GOV.UK.

18.5 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of consent. 

As we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data,  contact us  and state which notification you are signed up to.

18.6 Data processors

We use data processors to send the email and text notifications.

19. Using your data for the RPA Risk Management Services

19.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can operate the DfE risk protection arrangement (RPA). This is an alternative to commercial insurance for schools, it seeks to help public sector schools achieve savings on their non-staff spend. 

The RPA Risk Management Service provides resources and opportunities for RPA Members to improve their risk management knowledge and practices, with a view to reducing risk exposure and the number of RPA claims raised.

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR.

19.2 Data collected

DfE collect and use the following personal information:

  • your name and job title
  • your email address and phone number
  • your internet protocol (IP) address.
  • your organisation’s details, including postal address, phone number and email address
  • any other necessary personal data required to be able to effectively deliver the RPA Risk Management Services

19.3 What we do with your data

We collect and process your personal information to support the effective management and delivery of the DfE Risk Protection Arrangement, for the benefit of RPA Members. This may be, for example, to:

  • provide resources and opportunities for RPA Members to improve their risk management knowledge and practices, with a view to reducing risk exposure and the number of RPA claims raised
  • gather information about the risks you, or your RPA Member school, face or require more support on
  • help inform where RPA Risk Management Services resources should be focused
  • monitor customer satisfaction, identify best practice and gain insight to help inform the strategic direction of the RPA

19.4 Who we share your data with

If the law allows it, we might share your personal information with other parts of DfE and with other government departments.

We will share your personal information with organisations that:

  • work for DfE under contract
  • request information to help prevent and detect crime or fraud

19.5 How long we keep your data

We keep your personal information for 10 years then we review the data. DfE will identify if we are required by law to retain the data for longer periods, for example for crime or fraud cases. If we no longer need the data, we will delete it.

19.6 Your information rights under UK GDPR

Find out about your rights when we process your personal data under the lawful basis of public task.

19.7 Data processors

DfE uses a data processor to:

  • issue communications and information relating to risks or risk management
  • conduct risk surveys and track and follow up on queries, concerns identified
  • arrange and conduct risk audits, and track and follow up on risks, issues, concerns identified
  • provide risk help, advice and support through services such as the RPA Helpdesk, and the provision of RPA Risk Workshops, RPA Risk Management Tools, Resources and Learning Modules
  • provide support and advice to DfE to inform and contribute to the strategic management of RPA

20. Using your data for RPA claims handling services

20.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can process claims under the DfErisk protection arrangement (RPA). The RPA is an alternative to commercial insurance for schools, and an initiative that seeks to help public sector schools achieve savings on their non-staff spend. 

The aim of the RPA claims handling services is to support the effective management of the DfE risk protection arrangement for the benefit of RPA members. This includes processing RPA member claims to an appropriate conclusion. 

The lawful basis we rely on for this processing of your personal data is legitimate interest under article 6(1)(f) of the UK GDPR. When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR.

20.2 Data we collect

We receive your personal data from RPA claims that you raise as a RPA member, or RPA claims that you make against a RPA member.

We also receive personal data of yours due to your involvement in the investigation and resolution of RPA claims, for example as a witness or from:

  • third parties acting on behalf of a claimant
  • legal representatives
  • loss adjusters
  • valuation experts or supplier involved in processing the claim on our behalf via our claims handling supplier

DfE collect and use the following personal information:

  • names of people involved in the claim, which can include children
  • personal addresses
  • telephone numbers
  • date of birth
  • bank account details
  • the extent of damage, which could include injury to children or adults and medical reports
  • car registration numbers
  • solicitor names, telephone numbers, addresses
  • names and contact numbers of others involved in helping bring the claim to a resolution such as:
    • loss adjusters
    • school project managers
    • suppliers involved in property reinstatement
  • any other necessary personal data required to be able to process the claims to resolution

We collect and use special category data, this includes details about the extent of damage. This could include injury to children or adults and medical reports.

Full details about how we process special category data are given in the DfE appropriate policy document.

20.3 What we do with your data

The RPA claims handling service uses your personal data to ensure claims that fall within the RPA membership rules are professionally processed and resolved for RPA members.

20.4 Who we share your data with

We sometimes need to make personal data available to other organisations. These might include:

  • contracted partners who we have employed to process your personal data on our behalf
  • other organisations with whom we need to share your personal data for specific purposes

Where we need to share your personal data with others, we ensure that this data sharing complies with data protection legislation. For this project, we will share personal data with:

  • our claims handling supplier
  • the supply chain involved in the investigation or resolution of the RPA claim
  • supporting delivery partners of the RPA service as required, which include but not limited to risk management, actuarial and research support services

20.5 How long we keep your data

We keep your personal information for 10 years, then we review the data. DfE will identify if we are required by law to retain the data for longer periods, for example for crime or fraud cases. If we no longer need the data, we will delete it.

20.6 Your information rights under UK GDPR

Find out about your rights  when we process your personal data under the lawful basis of legitimate interest.

20.7 Data processors

DfE uses a data processor for RPA claims handling services.

21. Using your data when we are testing or checking our IT systems

21.1 Purpose and lawful basis for processing

Our purpose for processing this information is so we can test or check our IT systems.

The lawful basis we rely on for this processing of your personal data is legitimate interest, under article 6(1)(f) of the UK GDPR. When we use your special category data it is because we have a substantial public interest under article 9(2)(g) of UK GDPR.

21.2 Data we collect

DfE collects information from educational settings, local authorities, your employer and other government departments. We will process the following information about you:

  • personal contact details
  • date of birth
  • ethnicity
  • data and information about your learning, including your courses and assessments

If the IT system or database contains special category data, we would be processing details about:

  • your equality, diversity and inclusion information
  • your health

If the IT system or database contains sensitive information about you, we would be processing details about children that are looked after or are in care.

21.3 What we do with your data

When we are designing a new system or database. It is sometimes necessary to use live personal data to test the design in a secure environment. This is because dummy data is not capable of replicating the complexity of the data that is actually collected.

We may also invite users to try out our services, which can involve the collection of personal data. This helps us understand how users engage with our services, so we can keep improving them.

Similarly, it is necessary to extract copies and run quality checks so that we can identify unnecessary duplication or conflicting data about the same data subject.

To maintain the accuracy of our data, if we identify duplicate records we might:

  • merge the duplicate records under one Unique Learner Number
  • keep the existing records but include cross referencing so that all the records are linked and are retrieved when searching for the one data subject

21.4 How long we keep your data

This processing activity is for the length of time it takes to test or check the data, any copies of the data created would be deleted as soon as the text or check is complete.

21.5 Your information rights under UK GDPR

Find out about  your rights when we process your personal data under the lawful basis of legitimate interest.

21.6 Data processors

DfE uses a data processor for our IT Health Checks (ITHC). An ITHC is a series of controlled tests and actions that check the security of our IT systems.

22. Using your data when we share your personal information

We will only share your personal data with others where it is lawful, secure and ethical to do so. Where these conditions are met, we can share your personal information with:

  • schools and other education providers
  • local authorities
  • researchers like universities, think tanks and research organisations
  • organisations connected with promoting the education or wellbeing of children in England
  • organisations fighting or identifying crime like police, courts and Home Office
  • other crown and public bodies like Ofqual, Ofsted, UCAS and Office for Students
  • organisations working for DfE under contract like DfE commissioned research or training providers
  • organisations who provide careers and other guidance
  • organisations who provide statistics and research about education, training, employment and well-being, including Jisc (formerly the Higher Education Statistics Agency or ‘HESA’) as detailed in Jisc’s collection notices

Your data is also submitted to Jisc so that you can take part in the graduate outcomes survey.

DfE shares personal data where this is a benefit to:

  • education
  • the children’s services sector
  • the interests of the wider public or society such as sharing data to fight crime or for policy development

How DfE shares personal data gives details of the protections DfE has in place when sharing your data and the relevant legislation.

The DfE Data Sharing Approval Panel (DSAP) must approve all data share requests. The panel of experts assesses each application for:

  • public benefit
  • proportionality
  • legal underpinning
  • strict information security standards

The DSAP panel has external members who analyse decisions to increase public trust in the data share process.

22.1 Purpose and lawful basis for processing

DfE will only share data with a third party where we have a lawful basis for the data share under article 6(1) of the UK GDPR.

In most cases, DfE relies on article 6(1)(e) ‘public task’ as the lawful basis where the task or function has a clear basis in law or 6(1)(f) ‘legitimate interest’ where the sharing of your data does not override your rights or when you expect us to share your data.

When we share special category data, we have a lawful basis to data share under article 9(2) of the UK GDPR. Full details about how we process special category data are given in the:

DfE will review each data share request on a case-by-case basis to ensure the right lawful basis is used. The ICO guide to lawful basis for processing has more details.

For example, we share data under public task with:

  • awarding organisations to allow exam outcomes to be accurately predicted
  • Children’s Commissioner’s Office (CCO) to protect and promote the rights and interests of children in England, especially the most vulnerable
  • fraud prevention and law enforcement agencies such as the police and the National Crime Agency to prevent and detect fraud in the funding of education and learning.
  • Home Office (HO) to prevent abuse of immigration control
  • police and criminal investigation authorities, through court orders to safeguard and promote welfare of children in the UK

We share data under legitimate interest with the:

  • Education Policy Institute (EPI) to identify if government policies are delivering a high-quality education system
  • National Foundation for Educational Research (NFER) and Scottish Qualifications Authority (SQA) to investigate developments to the national curriculum

Full details of who we share data with are available from DfE external data shares.

23. How to contact us and how to make a complaint

Requesting your personal information from DfE has information on how you can:

  • ask questions about how we use your information
  • make a complaint to the Data Protection Officer and the Information Commissioner’s Office (ICO) if you have concerns about how we use your personal information

You can make a request to access your personal information verbally or in writing.

23.1 How to whistleblow

The DfE’s contact us form includes an option to make a ‘disclosure in the public interest’ including whistleblowing.

If you request anonymity, the form will be logged as ‘anonymous’, however we will not be able to suggest other sources of information or confirm if we referred your report to another public body to consider.

Back to top