Personal information charter

Privacy notices and how we collect, hold or use your personal information at the Department for Education (DfE).


DfE as data controller

Under the Data Protection Act (DPA) and the UK General Data Protection Regulation (UK GDPR), a data controller decides how and why personal data is processed.

The Department for Education (DfE) is data controller for the personal data DfE and our executive agencies process. Our executive agencies are:

  • Education and Skills Funding Agency (ESFA)
  • Standards and Testing Agency (STA)
  • Teaching Regulation Agency (TRA)

DfE has privacy notices for each of our areas of work. These show how we use your personal information in each area.

DfE arm’s length bodies (ALBs) are data controllers in their own right, and have their own privacy notices.

We may sometimes change this document, and we encourage you to check it from time to time.

DfE’s personal information charter

This charter sets out what you can expect from us when we hold your personal information. We will follow all applicable UK data protection laws, including the data protection principles.

The personal information we hold about you will be:

  • used lawfully, fairly and in a transparent way
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  • relevant to the purposes we have told you about and limited only to those purposes
  • accurate and, where necessary, kept up to date
  • kept only as long as necessary for the purposes we have told you about
  • kept securely

DfE privacy notices show how we use your personal information in each of our areas of work.

How we collect your personal information

We receive your personal information indirectly from other organisations. For example, we collect information about:

  • you, your learning and your achievements etc - we collect this information from early years providers, schools, academies, independent schools, colleges and training providers; we sometimes refer to these as ‘educational settings’ - we also collect this information from your employer, if applicable
  • children in need, children looked after and alternative provision - we collect this information from local authorities
  • you to support research and to safeguard children - we collect this information from other government departments, early years providers, schools, academies, independent schools, colleges and training providers
  • your exam results - we receive this from awarding organisations and exam boards
  • teachers and employees in educational settings or local authorities - we collect this information from the educational setting or local authorities

More details are available of how we collect this information through our school and college and further education data collections, such as the school census.

We may also collect information directly from you:

  • over the telephone, like when you contact our helpdesks
  • in correspondence that you send to us, like emails, letters and social media posts
  • details of your visits to our website including the resources that you access
  • when you subscribe to our mailing lists

Storing your personal information outside the UK

When DfE stores personal information outside the UK, we will make sure we keep it safe.

Most personal information we collect and use is stored on systems in the UK and EU.

On occasion, your information may leave the UK or EU:

  • to get to another organisation
  • if it is stored in a system outside the EU

Details of these transfers can be found in the data-subject privacy notices.

When this happens, we make sure the country it is sent to has the required level of data protection. We also take additional steps to protect your information including:

  • making sure it is transferred securely
  • there is a contract in place which ensures the recipient will protect your information

Where we have to send personal information to a country without an adequacy decision, we carry out due diligence to ensure that the transfer is made in accordance with UK data protection legislation.

Automated decision making and profiling

DfE sometimes uses automated processing in some decision making to help us deliver efficient services. We will not make any decision based solely on automated processing which has a significant effect on you unless the law specifically allows this.

Profiling involves the use of personal data to evaluate certain personal aspects such as a person’s:

  • performance at work
  • economic situation
  • health
  • personal preferences
  • interests
  • reliability
  • behaviour
  • location or movements

We will sometimes use profiling where there is a clear benefit for doing so. DfE examples of profiling may include:

  • to avoid asking for information or evidence that we do not need, and make sure we ask for it when necessary
  • to improve our services and to support the achievement of our objectives
  • to detect and prevent fraud and error

Artificial intelligence

Artificial intelligence (AI) is the theory and development of digital technology to be able to perform tasks normally requiring human intelligence. This includes such things as the creation or use of large language models and machine learning.

DfE may make use of AI when processing personal data to achieve efficiencies or other benefits. Where we do so, we will inform you via the specific privacy notice for that activity.

Your rights

The UK GDPR gives you certain rights about how your information is collected and used.

These include:

  • the right to be informed about the collection and use of your personal data – this is called ‘right to be informed’
  • the right to ask us for copies of your personal information we have about you – this is called ‘right of access’, this is also known as a subject access request, data subject access request or right of access request
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’
  • the right to ask us to delete your personal information – this is called ‘right to erasure’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’
  • the ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way

There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:

  • right to erasure does not apply when the lawful basis for processing is legal obligation or public task
  • right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests
  • right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent

DfE privacy notices provide details of your rights and the lawful basis for each processing activity.

For more information, see the ICO’s guide to individual rights.

See requesting your personal information for more on what you’re entitled to ask us, or any of our executive agencies, and your rights about how your information is collected and used.

How we use your information

DfE and our executive agencies, Education and Skills Funding Agency (ESFA), Standards and Testing Agency (STA) and Teaching Regulation Agency (TRA), publish privacy notices for and process personal data about:

Model data protection privacy notices that schools and academies can use are available on GOV.UK.

DfE’s agencies and arm’s length bodies (ALBs)

These DfE ALBs are data controllers in their own right. See their individual privacy notices for details of what personal information they process:

DfE is data controller for these DfE ALBs. See their individual privacy notices for details of what personal information they process:

How to contact us and how to make a complaint

Contact the Data Protection Team with questions about this document or how we use your information.

How to make a complaint to DfE

If you have concerns about how we use your personal information, you can make a complaint in writing to the Data Protection Officer and Information Commissioner’s Office.

How to whistleblow to DfE

Whistleblowing is an important source of intelligence to identify wrongdoing and risks to public service delivery. The DfE’s contact us form includes an option to make a ‘disclosure in the public interest’ or whistle blow. However, we cannot advise you if disciplinary or regulatory action is taken or the outcome to an investigation.

If you request anonymity, the form will be logged as ‘anonymous’, however, we will not be able to suggest other sources of information or confirm if we referred your report to another public body to consider.

How to access your personal information

A request to access your personal information from DfE can be made verbally or in writing.

DfE’s data policies and collections

More detail on how DfE collects your personal information and the statistics we publish is available. See how we collect this information through our school and college and further education data collections, such as the school census.

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

DfE uses necessary cookies to make our websites work. Necessary cookies enable core functionality such as security, network management and accessibility. Each website with cookies on it will have a cookie banner with details.

Cookies are used to:

  • measure how you use this service so it can be updated and improved based on your needs
  • remember who you are if you return to your saved results so we can show you your information and information relevant to you

Cookies aren’t used to identify you personally. We record tracking information anonymously, so cookies do not track your personal data, only your activity on the site.

Find out more about cookies on GOV.UK.

Each DfE website will have details about the specific cookies that are used on that site or social media channel.

Sharing your personal information

We will only share your personal data with others where it is lawful, secure and ethical to do so. Where these conditions are met, we can share your personal information with:

  • schools and other education providers
  • local authorities
  • researchers (like universities, think tanks, research organisations)
  • organisations connected with promoting the education or wellbeing of children in England
  • organisations fighting or identifying crime (like police, courts, Home Office)
  • other specified crown and public bodies (like Ofqual, Ofsted, UCAS, Office for Students)
  • organisations working for DfE under contract (like DfE commissioned research or training providers)
  • organisations who provide careers and other guidance
  • organisations who provide statistics and research about education, training, employment and well-being, including Jisc (formerly the Higher Education Statistics Agency or ‘HESA’) as detailed in Jisc’s collection notices. Your data is also submitted to Jisc so that you can take part in the graduate outcomes survey

DfE shares personal data where this is a benefit to education, the children’s services sector or it is in the interests of the wider public or society - such as sharing data to fight crime or for policy development.

How DfE shares personal data gives details of the protections DfE has in place when sharing your data and the relevant legislation.

Our Data Sharing Approval Panel must approve all data share requests. The panel of experts assesses each application for public benefit, proportionality, legal underpinning and strict information security standards. The panel has external members who analyse decisions to increase public trust in the data share process.

DfE will only share data with a third party where we have a lawful basis for the data share under article 6(1) of the UK GDPR. In most cases, we rely on article 6(1)(e) ‘public task’ as the lawful basis where the task or function has a clear basis in law or 6(1)(f) ‘legitimate interest’ where the sharing of your data does not override your rights or when you expect us to share your data.

When we share special category data, we have a lawful basis to data share under article 9(2) of the UK GDPR. Full details about how we process special category data are given in the DfE appropriate policy document and How DfE shares personal data.

However, we will review each data share request on a case-by-case basis to ensure the right lawful basis is used. See the ICO guide to lawful basis for processing for more details.

For example, we share data under public task with:

  • awarding organisations – to allow exam outcomes to be accurately predicted
  • Children’s Commissioner’s Office - to protect and promote the rights and interests of children in England, especially the most vulnerable
  • fraud prevention and law enforcement agencies such as the police and the National Crime Agency - to prevent and detect fraud in the funding of education and learning
  • Home Office - to prevent abuse of immigration control
  • police and criminal investigation authorities, through court orders - to safeguard and promote welfare of children in the UK

For example, we share data under legitimate interest with:

  • Education Policy Institute - to identify if government policies are delivering a high-quality education system

  • National Foundation for Educational Research and Scottish Qualifications Authority - to investigate developments to the national curriculum

Full details of who we share data with are available.