Who we are

Privacy notice (1): staff communication

How we use your data
Your data is used only for the purposes outlined in this notice and in compliance with GDPR.

Who we share your data with
We do not share your information with third parties unless required by law. All data is stored securely on University servers.

Retention
We retain your personal information for 12 months after you commence ECC training. After this period, your data is securely deleted.

Data security
Access to your information is restricted to authorised staff and stored on secure University systems.

Your rights
You have the right to:

• Access the personal data we hold about you
• Understand how it is used

To exercise these rights, please refer to the University’s Subject Access Request Form fill out a subject access request form. We may update this notice from time to time. Significant changes will be communicated via the ECC website or directly to you.

Privacy notice (2): pupil data

Who we share your data with
We do not share your information with third parties unless required by law. All data is stored securely on EHU servers with limited access by authorised staff.

Retention
We keep data for up to 4 years, then anonymise it for research purposes. Schools may also anonymise/pseudonymise pupil data at entry.

Data security

Access to pupil information is restricted to authorised staff and stored on secure University systems.

Your rights
You have the right to:

• Access, correct, or request deletion of pupil data
• Object to or restrict processing
• Complain to the ICO

International transfers
Data is stored in the UK; no transfers outside UK/EEA.

Automated decision-making
We do not use automated decision-making or profiling.

Data protection and the Every Child Counts data system

The Every Child Counts (ECC) online data system is a data processing system. Edge Hill University (EHU) provides it as a service to the schools that take part in ECC programmes. EHU and each school that enters pupil data on the system are identified as data controllers.

Definitions

Data Protection Authority: The Information Commissioner’s Office (ICO).

Applicable Law: UK GDPR, Data Protection Act 2018. Data Use & Access Act 2025 and related guidance

Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Terms: Data Controller, Data Processor, Data Subject and Personal Data, Sensitive Personal Data, Special Category Data and processing shall have the meanings given to them in the DPA and the GDPR.

Purpose

This notification reflects the arrangements that have been agreed to facilitate the sharing of personal data relating to pupils between the Parties acting as data controllers and explains the purposes for which the personal data may be used.

Schools may use the data to:

• track the progress made by individual pupils and share this with parents
• monitor the progress made by groups of pupils, including vulnerable groups, and share this with governors and inspectors
• benchmark your school’s outcomes against national ECC outcomes and evaluate and improve the effectiveness of your ECC programmes.

EHU may use the data to:

• provide reports for schools for the above purposes
• evaluate and improve the effectiveness of ECC programmes for schools across the country and share national outcomes with schools and interested parties
• research the implementation and impact of ECC.

Lawful basis

Schools: UK GDPR Art.6(1)(e), processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (ie for statutory education duties).

Each school that enters pupil data has been identified as a data controller.

Edge Hill University: UK GDPR Art.6(1)(f), processing is legitimate interest for programme evaluation and research.

Art.9(2)(g), special category data (eg. SEN, Pupil Premium) processing requires an additional condition under substantial public interest for education.

Security

The online data system is currently operated on behalf of EHU by Data Architects Ltd., who are  certified as meeting the ISO 27001 standard for information security management. Data Architects Ltd. is recognised as a data processor for this purpose. Data that is processed directly by EHU is governed by EHU’s Information Security Policy, which is aligned to ISO 27001.

The online system is password protected and schools can only enter and view data relating to their own pupils. Only authorised EHU staff can access the data and no hard copy records are stored. EHU will not share the data with any third party and will not transfer it outside UK/EEA.

Retention

EHU will retain records on the online data system for up to four years after their entry date and will then archive them and delete them from the online system. EHU will anonymise the archived records so that no pupil or school can be identified and will retain them on its secure internal network for evaluation and research purposes.

Data subject rights

Individuals have the right to:

• access their data
• rectify inaccuracies
• request erasure
• restrict or object to processing
• complain to the ICO

Personal or anonymised data

As a school, you can decide whether you want to enter personal data or anonymised data about each pupil – or personal for some and anonymised for thers.

Personal data is data that could enable a pupil to be identified, e.g. their name and date of birth and characteristics such as pupil premium eligibility and special need.

The advantage of entering personal data is that the more information you put into the system, the more your reports will include. It is more straightforward to share a pupil report with a parent if it states their child’s actual name rather than, for example, “Child A”. Your school report will analyse the impact of ECC for vulnerable groups such as pupil premium children, but can only do so if this information has been entered.

If you want to enter personal data on the system then, as a data controller, you need to have a legal basis for doing this. You might decide that this is covered by parental consent that you have already obtained or on some other basis. Alternatively, you might decide that you need to obtain specific consent from parents to use the ECC data system. Your school should keep the signed forms; you do not need to send them to us.

If a parent later withdraws their consent, just let us know and we will anonymise the pupil’s data on the system.

Anonymised data is non-personal data that cannot be used to identify a pupil. You can enter anonymised data on the system for any pupil for whom you decide not to enter personal data. EHU will be unable to identify the pupil, and so would anyone who gained unauthorised access to the system.

Data contacts

Contact us

Stay in touch