Transparency data

Privacy information: local authority employees

Updated 5 January 2024

Applies to England

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/privacy-information-local-authority-employees/privacy-information-local-authority-employees

This document provides details of what personal data DfE processes about the workforce in local authorities, including social work professionals that have responsibility for social work-related services.

When we collect and use your personal information, we need to follow the law. The main laws are the Data Protection Act (DPA) and the UK General Data Protection Regulation (UK GDPR).

See DfE is the data controller for the personal information we process. This includes when the information is collected or processed by third parties on our behalf.

We must have a valid reason to collect your personal data. These reasons are called ‘lawful basis’ in UK GDPR.

When we process your information, we maintain your information’s confidentiality, integrity and availability:

  • confidentiality means only authorised users can view access, change or use your information
  • integrity means we ensure your information is correct and accurate
  • availability means we ensure your information is available, in a secure system, when required

Further information on the standards you can expect when we collect, hold or use your personal information is available on the personal information charter.

1. Using your data to provide money for learning

1.1 Using your data to fund learning, including apprenticeships

This includes funding learning in the following educational settings:

  • adult education training providers
  • teacher training
  • apprenticeships

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. This is done under section 11 of the Education Act 1996, providing funding for education.

When we use your sensitive information, this is ‘special category’ data. The reasons we use it because we have a substantial public interest under article 9(2)(g) of UK GDPR, the Education Acts 1996 and 2005 and the Children Act 1989 allow this. Full details about how we process special category data are given in the DfE appropriate policy document.

Data we collect

We need enough information to work out how much funding is required. Funding is calculated based upon the numbers of learners in each educational setting and if they have needs which need additional funding.

To do this we require information from educational settings or local authorities about learners – see the Learners: Early Years Foundation Stage to Key Stage 3 and Learners: Key Stage 4 and 5 and adult education privacy notices for details.

We also require the following information about the workforce in schools, academies, colleges or training providers:

  • personal contact details of employees and staff members
  • IP address

What we do with your data

We use the data to work out how funding is required and to publish statistics on funding.

We use your personal information to determine whether a provider is entitled to claim funding from DfE. For example, some learning will not be eligible for state funding because the programme of learning (or perhaps an element of it) has already been achieved by the learner.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 7 years for funding and financial purposes.

If the learning is funded by European Social Fund (ESF), we must retain the data until 31 December 2034.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf.

Training providers are data processors for the adult education and apprenticeship data that they send to DfE.

1.2 Using your data to ensure the protection of public funds by preventing and detecting fraud

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. This is done under section 11 of the Education Act 1996, providing funding for primary, secondary or further education.

Data we collect

We use your personal data to ensure schools, academies, colleges, sixth forms, adult education training providers and apprenticeships have received the correct funding.

To do this we require information from educational settings or local authorities about learners – see the Learners: Early Years Foundation Stage to Key Stage 3 and Learners: Key Stage 4 and 5 and adult education privacy notices for details.

We also require the following information about the workforce in schools, academies, colleges or training providers:

  • personal contact details of employees and staff members

What we do with your data

We use your data to investigate suspected fraud or financial irregularity.

More details on how ESFA handles allegations of suspected fraud or financial irregularity are available.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 7 years for funding and financial purposes.

If the learning is funded by European Social Fund (ESF), we must retain the data until 31 December 2034.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. We do not use any data processors for this processing activity.

2. Using your data to protect learners and children

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. Section 11 of the Children Act 2004, section 175 of the Education Act 2002 and the Education and Inspections Act 2006 allows us to do this.

Special categories of personal data need to also be processed for reasons of substantial public interest under section 10 (3) of the DPA 2018 (Special categories of personal data) and 18 (Safeguarding of children and individuals at risk). We use it because we have a substantial public interest, the Education Act 2002 allows this. Full details about how we process special category data are given in the DfE appropriate policy document.

Data we collect

DfE collects information from educational settings, local authorities, your employer and other government departments to safeguard children and adults. We collect and use the following personal information:

  • name and address

We also collect and use special category data and sensitive information about the learner or child. See the Learners: Early Years Foundation Stage to Key Stage 3, Learners: Key Stage 4 and 5 and adult education or children and young people under 18 privacy notices for details.

For further details about safeguarding children with special educational needs and disability in schools, colleges and children’s services, see Special educational needs and disability (SEND) and Special educational needs and disability (SEND) and high needs.

What we do with your data

We use your personal information to support these children and monitor their progress.

We’ll use your personal information to:

  • keep a pupil or learner safe from potential harm
  • identify issues and provide support for mental and physical health issues
  • prevent extremism in the education system - DfE works to ensure children and young people are not exposed to extremists and extremist messages

The Teaching Regulation Agency (TRA) is an executive agency of the Department for Education (DfE). TRA regulate the teaching profession in England and investigate cases of serious misconduct. If you are a witness or potential witness within a teacher misconduct investigation, TRA processes your information to investigate allegations of serious misconduct.

Sharing your data

We may share your personal data with other organisations where DfE and its executive agencies are notified of an issue regarding safeguarding of children and young people.

Other people and organisations may also share personal data with DfE and its executive agencies, for example, when they make a complaint or raise a concern with us. This can include information shared in accordance with the statutory guidance keeping children safe in education and working together to safeguard children. This information will be used to investigate complaints and to ensure trusts and academies comply with the regulations (including independent schools).

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

For safeguarding cases, we keep your personal information until you are aged 25, or 10 years after the date of the allegation, whichever is longer, then it is reviewed.

The TRA will only keep your personal data for as long as they need to for the purpose of regulating the teaching profession, specifically up to 50 years after the closure of a case. After 50 years it will be securely destroyed.

Your rights

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. We do not use any data processors for this processing activity.

2.1 Using your data when a child is looked after by local authorities

Local authorities have a legal duty to provide DfE with information each year about the children they look after.

See the section in children’s privacy notice for details: Using your data when a child is looked after by local authorities.

2.2 Using your data when a child is in need

Local authorities have a legal duty to provide DfE with information each year about the children in need.

A child in need is defined under the Children Act 1989 as a child:

  • who is unlikely to reach or maintain a satisfactory level of health or development
  • whose health or development will be significantly impaired without the provision of services
  • who is disabled

See the section in children’s privacy notice for details: Using your data when a child is in need.

2.3 Using your data when we receive a Serious Incident Notification (SIN)

DfE has established the Child Safeguarding Practice Review Panel (the Panel). The Panel commissions national reviews of child safeguarding cases that raise issues that are complex or of national importance.

Local authorities in England have to notify the Panel, under section 16C(1) of the Children Act 2004, where the local authority knows or suspects that a child has been abused or neglected and:

  • the child has died or has been seriously harmed in the local authority’s area
  • the child has died or been seriously harmed outside England, when they are normally resident in the local authority’s area

The local authority must notify the Panel, under Schedule 2, paragraph 20(1)(a) of the Children Act 1989, if a child who is being looked after by a local authority dies, whether or not neglect is known or suspected.

Once a notification is submitted, no local authority will have access to it, including the one that made the notification.

See the section in children’s privacy notice for details: Using your data when we receive a Serious Incident Notification (SIN).

3. Using your data for learner assessments

3.1 Using your data to support learner assessments

The Standards and Testing Agency (STA) is an executive agency of DfE, responsible for the development and delivery of assessments for children in education between reception and the end of key stage 2.

The learner assessments include national curriculum assessments, which are supported by the Primary Assessment Gateway.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. Section 87 of the Education Act 2002 allows us to do this.

Data we collect

DfE collects and uses the following personal information:

  • your name
  • your email address
  • your phone number

What we do with your data

For the Primary Assessment Gateway, we use your personal information to set up a user account.

For the teacher assessment and moderation process, we use your data to:

  • keep you informed about developments within teacher assessment and moderation
  • recruit for future projects and events run by STA or contracted suppliers
  • contact you regarding any external moderation visits we may undertake at your local authority

For the purpose of this work, the relevant condition is Article 6 (1) (e) of the General Data Protection Regulations (GDPR) for the processing of personal data.

For the processing of special category data, the relevant condition is Article 9 (2) (j) of the GDPR which includes processing your data to:

  • contact and invite you to attend standardisation training events
  • select you for an external moderation visit
  • make you aware of possible job opportunities

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 7 years.

Your rights

We are relying on public task for this processing. This means you have:

  • the right to be informed about the collection and use of your personal data – this is called the ‘right to be informed’
  • the right to ask us for copies of personal information we have about you – this is called the ‘right of access’ and is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called the ‘right to rectification’
  • the right to ask us to stop using your information – this is called the ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner (ICO) if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See the Request your personal information section for more on what you’re entitled to ask us or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activity:

  • Capita processes your data for the Primary Assessment Gateway

4. Using your data to get your views

4.1 Using your data to contact you for feedback

DfE measures the impact and effectiveness of each of our services, our programmes or our events to make improvements to the service we offer to you. We do this through surveys, public consultations and feedback about our help desks.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. Sections 10 and 11 of the Education Act 1996 allows us to do this.

Data we collect

We collect and use the following personal information directly from you. We use the information you provide to us when you contact DfE or attend one of your programmes or events:

  • your full name
  • email address
  • phone number
  • date of birth
  • your address

See Using your data to contact you for research for more information.

What we do with your data

We use your data to make improvements to the services we offer to you.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 5 years. This is in line with the DfE retention policy for business operational data.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • we use Arvato to provide our service desk

5. Using your data to contact you for research

DfE undertakes research to learn how you interact with our services and to support our operational development and delivery. We do this research to make improvements to the services we offer to you. We will always seek your permission to take part in any research.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. Section 10 of the Education Act 1996 allows us to do this.

Data we collect

We collect and use the following personal information. We use the information you provide directly to us when you contact DfE or attend one of your programmes or events or use our digital services or helpdesk:

  • your full name
  • email address
  • phone number

What we do with your data

We use your data to make improvements to the services we offer to you, to develop policy and to develop new services. We use your data to contact you to invite you to participate in research that is relevant to you. You are under no obligation to participate in any research we invite you to. We will not contact you about research using your data if you tell us not to. See Using your data to gather evidence for policy development and delivery for more information on how we process your personal information during the research.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information until 2 years after the end of the survey or research.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

6. Using your data to carry out research

6.1 Using your data to gather evidence for policy development and delivery

DfE undertakes research and surveys to gather evidence to support our policy development and delivery. Having this evidence is important when improving outcomes for children, young people, families and adults. See Research at DfE for more details.

Purpose and lawful basis for processing

The lawful basis we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. Section 10 of the Education Act 1996 allows us to do this.

When we use your sensitive information, this is ‘special category’ data. The reasons we use it because we have a substantial public interest under article 9(2)(g) of UK GDPR, the Education Act 2002 allows this.

Data we collect

We collect and use the following personal information directly from you:

  • your full name
  • email address
  • phone number
  • date of birth
  • your address

When we use your sensitive or ‘special category’ data. The reasons we use it because you have given your explicit consent under article 9(2)(a) of UK GDPR. As part of our research we may need to collect information about your:

  • heath or disability
  • racial or ethnic origin
  • gender

Full details about how we process special category data are given in the DfE appropriate policy document and in the research information sheet. You will be given this research information sheet at the start of the research.

What we do with your data

We’ll use your personal information for research that DfE undertakes to provide high-quality evidence to inform policy development and delivery.

Sometimes we link your survey responses to other government-held data, the lawful basis for this processing is ‘consent’. At any time, you can tell us you no longer want us to link your data to other data. You can do this by using our contact form.

We will publish a summary of the research and the full research report. Your responses may be attributed to an organisation where this information has been provided but our publications will not contain any personal data. DfE will anonymise or desensitise the data where possible.

Research reports published since May 2010 are available on GOV.UK.

Research published before May 2010 is available from the UK Government Web Archive.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information until 12 months after the end of the survey or research.

See Research at DfE and Parent, pupil and learner panel omnibus surveys for more information.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • your ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time, by using our contact form
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

If you have agreed that we can link your survey responses to other government-held data, we are undertaking this processing with your consent. You have the right to withdraw that consent up until the data is analysed for the publication. If you change your mind, or you are unhappy with our use of your personal data, contact DfE and state the project or initiative name.

Further information on rights and the ways in which your data may be used are contained in the research consent form.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • DfE uses contractors to work on behalf of DfE to undertake the research. Our contractors will receive your personal data directly from you during the activity or initiative.

7. Using your data to take part in our consultations

DfE has public consultation to develop our policies, programmes and guidance.

Purpose and lawful basis for processing

The lawful basis we rely on for processing your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. This is done under section 11 of the Education Act 1996, to promote learning and education.

Data we collect

We collect and use the following personal information:

  • your full name
  • your job role
  • your address
  • email address
  • phone number
  • IP address

What we do with your data

We’ll use your personal information when gathering feedback to our public consultation.

Information provided in response to consultations, including personal information, may be subject to publication or disclosure under the Freedom of Information Act 2000, the Data Protection Act 2018 or the Environmental Information Regulations 2004.

If you want all, or any part, of a response to be treated as confidential, please explain why you consider it to be so in the relevant section of the consultation response.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal data for 10 years, as it supports our policy making.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • your ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • DfE uses Delib to manage our public consultations. Delib’s software enables you to provide feedback on the documents.

8. Using your data to maintain lists of contact details

DfE maintains list of:

  • contact details for schools, academies, colleges, training providers, apprenticeship employers, children’s homes
  • education sector contacts in local authorities,
  • contacts for DfE programmes and services, for example the Staff Wellbeing Charter
  • safeguarding partner contacts
  • stakeholders, including unions, advisory boards and external bodies, such as Ofqual and Ofsted
  • qualified teachers
  • school governors
  • Honours nominations, see Privacy information relating to honours nominations for more details about the honours process

DfE publishes contact details for schools in Get Information about Schools and a searchable list of governors in Get Information about Schools - Governors.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. This is done under section 11 of the Education Act 1996, to fund and promote learning.

Data we collect

DfE collect and use the following personal information:

  • name and address
  • your job role
  • email address
  • phone number

What we do with your data

We use your personal information to ensure we have up-to-date contacts for the whole education sector in England. We use these contacts for our data collections and education sector governance.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for:

  • policy making - 10 years
  • teachers - the TRA will only keep your personal data for as long as they need to for the purpose of regulating the teaching profession, specifically up to 50 years after the closure of a case. After 50 years it will be securely destroyed.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • your ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. We do not use any data processors for this processing activity

9. Using your data when you contact us

9.1 When you make an enquiry or complaint

We collect, process and store your personal data when you contact the Department, by DfE contact us form, telephone, email, message us or live chat. In addition, telephone calls to our helplines may be recorded for training and monitoring purposes. If provided, we will also use your email address to send a customer satisfaction survey.

We use this information to:

  • resolve your enquiry
  • progress a follow up enquiry
  • action a request as appropriate

It is also used to ensure our call agents are appropriately trained and to enable us to continually improve the quality of the service provided.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department.

Data we collect

DfE collect and use the following personal information directly from you:

  • your full name
  • email address
  • phone number
  • details about your enquiry or complaint
  • IP address

The following information may also be collected and processed:

  • job title
  • the name of a school, local authority, academy trust or organisation
  • school DfE number, local authority number or academy trust number

If your enquiry is about a pupil, the following data may also be collected and processed:

  • unique pupil number
  • date of birth
  • initials

What we do with your data

We need information from you to investigate your complaint or enquiry properly.

We use the IP address to detect and block malicious visitors to our websites.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 5 years from the date of the enquiry or complaint.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. We do not use any data processors for this processing activity.

10. Using your data when you use DfE Sign-In

DfE Sign-in allows schools and other education organisations to access DfE’s online services.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. The legislation to support this is Section 8 of the Data Protection Act 2018 – exercising official authority as part of public body tasks and Department for Education functions.

Data we collect

DfE collect and use the following personal information directly from you:

  • full name
  • email address
  • organisation details the account is linked to

What we do with your data

We use the data to allow you access to DfE online services.

Occasionally, we will contact users on the email address provided with essential information about DfE Sign-in.

Sharing your data

We may share your information where the law allows, or where we have a legal obligation to do so.

For Ofsted users, we regularly share your details with Ofsted for monitoring purposes.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 6 years from the date you deactivate or delete your account.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. We do not use any data processors for this processing activity.

11. Using your data when you use our websites

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department.

Data we collect

We use Google Analytics to collect information from you about how you use this website. We do not collect or store your personal information through Google Analytics so it cannot be used to identify who you are.

Google Analytics uses 3 types of cookies. See the section on cookies for more details.

What we do with your data

We use your personal information to:

  • ensure we present our website content in the best way for you
  • allow you to take part in interactive features of our service, when you choose to do so

See Data when you sign up to our notifications about learning opportunities or events for more information on when we use your data to:

  • notify you about changes to our website or services
  • provide you with information or services that you request from us or which may interest you

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

Your personal information is retained for up to 2 years. See Details about cookies on GOV.UK for more information.

If you create an account on our websites or sign up for an alert your personal information is kept as long as you have an account. If you delete your account or cancel your alert, your data will also be deleted. See Data when you sign up to our notifications about learning opportunities or events for more information.

Your rights

We are relying on public task for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • we use Google Analytics cookies and a Real User Monitoring (RUM) cookie from SpeedCurve to collect information about how you use GOV.UK

12. Using your data when you use our social media channels

We use social media to share news and views with people working in:

  • schools
  • colleges
  • local authorities
  • children’s services

We also use social media to communicate with parents, children and young people.

See our Social media use policy for more details.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is consent under article 6(1)(a) of the UK GDPR – this is when we ask your consent to use your information.

Data we collect

When you interact with our social media channels we collect and use:

  • your name

What we do with your data

We use your personal information to:

  • ensure we present our website content in the best way for you
  • allow you to take part in interactive features of our service, when you choose to do so

See Data when you sign up to our notifications about learning opportunities or events for more information on when we use your data to:

  • notify you about changes to our website or services
  • provide you with information or services that you request from us or which may interest you

See the section on cookies for more details.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

The DfE social media channels are captured by the National Archives’ Government Web Archive as a permanent record of DfE’s social media communication.

Your personal information is retained for up to 2 years, see Details about cookies on GOV.UK for more information.

Your rights

We are relying on consent for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to delete your personal information – this is called ‘right to erasure’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant), by using our contact form
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

You can ask DfE to cease publication of your image, words and/or voice on its social media channels. If you do so, DfE will not publish further social media posts featuring this content, but it is not obligated to remove or delete existing posts. The DfE social media channels are captured by the National Archives’ Government Web Archive as a permanent record of DfE’s social media communication

If you change your mind, or you are unhappy with our use of your personal data, contact DfE and state the project/initiative name.

Further information on rights and the ways in which your data may be used are contained in the filming, photography and audio recordings consent form.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • we use Google Analytics cookies and a Real User Monitoring (RUM) cookie from SpeedCurve to collect information about how you use GOV.UK

13. Using your data when you sign up to our notifications about learning opportunities

DfE has campaigns to promote university education or apprenticeships or learning to specific groups, for example to minority groups or disadvantaged children.

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is Legitimate Interest, under article 6(1)(f) of the UK GDPR.

Data we collect

DfE collect and use the following personal information directly from you:

  • full name
  • address
  • email
  • mobile number, if applicable

DfE may purchase mailing lists to support these DfE campaigns.

You have the right to opt out of these messages. If you do not want to receive these messages, click on the ‘unsubscribe’ link in the email. Alternatively, let us know by contacting DfE and stating the title of the email message.

What we do with your data

We use your personal information for inspiration campaigns that promote and encourage uptake of learning.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information for 5 years from the date of the campaign.

Your rights

We are relying on legitimate interest for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to delete your personal information – this is called ‘right to erasure’
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

You have the right to opt out of these messages. If you do not want to receive these messages, click on the ‘unsubscribe’ link in the email. Alternatively, let us know by contacting DfE and stating the title of the email message.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses data processors to send our email and text notifications.

14. Using your data to check our IT systems

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is legitimate interest, under article 6(1)(f) of the UK GDPR.

When we use your sensitive information, this is ‘special category’ data. The reasons we use it because we have a substantial public interest under article 9(2)(g) of UK GDPR. The Education Act 2002 and Section 54 of the Further and Higher Education Act (1992) allows this.

Data we collect

DfE collects information from educational settings, local authorities, your employer and other government departments. We will process the following information about you:

  • personal contact details

If the IT system or database contains special category data, we would be processing details about:

  • your equality, diversity and inclusion information
  • your health

Full details about how we process special category data are given in the DfE appropriate policy document.

What we do with your data

When we are designing a new system or database, it is sometimes necessary to use ‘live’ personal data to test the design in a secure environment. This is because ‘dummy data’ is not capable of replicating the complexity of the data that is actually collected.

Similarly, it is necessary to extract copies and run quality checks for the purposes of identifying unnecessary duplication or even conflicting data about the same data subject. In order to maintain the accuracy of our data, if duplicate records are identified, we would either merge the duplicate records under one Unique Learner Number or maintain existing records but include cross referencing so all the records are linked and are retrieved when searching for the one data subject.

How long we keep your data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and also what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

This processing activity is for the length of time it takes to test or check the data, any copies of the data created would be deleted as soon as the text or check is complete.

Your rights

We are relying on legitimate interest for this processing, this means you have:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’. This is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to delete your personal information – this is called ‘right to erasure’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

For more information, see the ICO’s guide to individual rights.

See Requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

Data processors

A data processor is an organisation that processes your information on DfE’s behalf. DfE uses a data processor for the following activities:

  • we use contractors to do our IT Health Checks (ITHC). An ITHC is a series of controlled tests and actions that check the security of our IT systems

15. Using your data when we share your personal information

We will only share your personal data with others where it is lawful, secure and ethical to do so. Where these conditions are met, we can share your personal information with:

  • schools and other education providers
  • local authorities
  • researchers (like universities, think tanks, research organisations)
  • organisations connected with promoting the education or wellbeing of children in England
  • organisations fighting or identifying crime (like police, courts, Home Office, etc)
  • other specified crown and public bodies (like Ofqual, Ofsted, UCAS, Office for Students, etc)
  • organisations working for DfE under contract (like DfE commissioned research or training providers)
  • organisations who provide careers and other guidance
  • organisations who provide statistics and research about education, training, employment and well-being, including Jisc (formerly the Higher Education Statistics Agency or ‘HESA’) as detailed in Jisc’s collection notices. Your data is also submitted to Jisc so that you can take part in the graduate outcomes survey

DfE shares personal data where this is a benefit to education, the children’s services sector or it is in the interests of the wider public or society - such as sharing data to fight crime or for policy development is in the interests of society.

How DfE shares personal data gives details of the protections DfE has in place when sharing your data and the relevant legislation.

The DfE Data Sharing Approval Panel (DSAP) must approve all data share requests. The panel of experts assesses each application for public benefit, proportionality, legal underpinning and strict information security standards. The DSAP panel has external members who analyse decisions to increase public trust in the data share process.

DfE will only share data with a third party where we have a lawful basis for the data share under article 6(1) or article 9(2) of the UK GDPR. In most cases, the Department relies on article 6(1)(e) ‘public task’ as the lawful basis where the task or function has a clear basis in law or 6(1)(f) ‘legitimate interest’ where the sharing of your data does not override your rights or when you expect us to share your data. But the Department will review each data share request on a case-by-case basis to ensure the right lawful basis is used.

Full details about how we process special category data are given in the DfE appropriate policy document.

See the ICO guide to Lawful basis for processing for more details.

For example, we share data under public task with:

  • awarding organisations – to allow exam outcomes to be accurately predicted
  • Children’s Commissioner’s Office (CCO) - to protect and promote the rights and interests of children in England, especially the most vulnerable
  • fraud prevention and law enforcement agencies such as the police and the National Crime Agency - to prevent and detect fraud in the funding of education and learning
  • Home Office (HO) - to prevent abuse of immigration control
  • police and criminal investigation authorities, through court orders - to safeguard and promote welfare of children in the UK

For example, we share data under legitimate interest with:

  • Education Policy Institute (EPI) - to identify if government policies are delivering a high-quality education system
  • National Foundation for Educational Research (NFER) and Scottish Qualifications Authority (SQA) - to investigate developments to the national curriculum

Full details of who we share data with are available: DfE external data shares.

16. How to contact us and how to make a complaint

16.1 How to contact us

Contact the Data Protection Team with questions about this document or how we use your information.

16.2 How to make a complaint

If you have concerns about how we use your personal information, you can make a complaint in writing to the Data Protection Officer and Information Commissioner’s Office.

16.3 How to access your personal information

A request to access your personal information can be made verbally or in writing.

Back to top