Skip to main content

School Meals Privacy Notice

Privacy notice relating to the processing of personal data by Rhondda Cynon Taf County Borough Council for the provision of School Meals 

School Meals Provision

In Rhondda Cynon Taf, school meals are provided to pupils by the Local Authority’s (Rhondda Cynon Taf Country Borough Council (RCTCBC)) Catering Service, who work in conjunction with the school to deliver the provision.

Introduction

This privacy notice is intended to provide information about how Rhondda Cynon Taf County Borough Council (‘RCTCBC’, ‘Council’, ‘Local Authority’ ‘we’) will use (or ‘process’) personal data about individuals including current, past and prospective pupils and their parents, carers or guardians (referred to in the notice as ‘parents’) for the provision of School Meals at the school.

It does not cover the processing of personal data relating to applications for Free School Meals.

When processing the personal data, only the minimum amount necessary in relation to the purpose is processed.

This privacy notice should be read in conjunction with;

The Data Controller

The Council is the data controller for the personal data we process, unless otherwise stated. This includes the personal data processed by our staff.

The Council is registered with the Information Commissioner’s Office (ICO) as a controller under reference Z4870100.

 How to contact us for data protection matters or concerns relating to this privacy notice

If you would like to discuss anything in this privacy notice, please contact Catering Services at;

Alternatively, you may contact the Councils Data Protection Officer at;

The categories of personal data we process

We may process the following categories of personal data relating to the provision of School Meals at the School.

Pupil personal data;

  • School the pupil attends
  • Name
  • Date of birth
  • Year group
  • Dietary needs
  • Relevant medical information e.g. allergies etc.
  • Free school meal status and information (if applicable)
  • School meal register (detailing whether the pupil was in school and received a school meal etc.)
  • Biometric information (Secondary schools and Years 7 - 13 in Through schools only)

Parent personal data;

  • Name
  • Contact details such as address, email address, telephone number
  • Relationship to the child e.g. parent
  • Financial details (such as amounts paid / owed, payment information etc.)

Why we process the personal data

We process the personal data to manage School Meals provision at the school. This may include but is not limited to the following activities;

  • Planning school meal provision within the school and RCT
  • Working in conjunction with the school to deliver school meal provision
  • General administration relating to school meal provision
  • Managing dietary needs of the pupil (if applicable)
  • Processing of payments for school meals
  • Recovery of outstanding payments in respect of school meals

Our lawful basis for processing the personal data

Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data to manage School Meals provision at the school is;

  • Legal Obligation Article(c) – processing is necessary for compliance with a legal obligation to which the controller is subject. 
  • Public Task - Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Substantial public interest - Article 9 (2) (g)  - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The primary legislation, regulations and guidance that supports this includes but is not limited to;

  • Education Act 1996
  • School Standards and Organisation (Wales) Act 2013
  • Healthy Eating in Schools (Nutritional Standards & Requirements) (Wales) Regulations 2013
  • WG guidance - Charging for food and drink provided in maintained schools (2013)

Who and where we get the personal data from

We may receive the personal data from the following individuals or organisations;

  • Pupils
  • Parents
  • Catering staff at the school
  • School
  • Other internal services such as Finance, Free School Meals (Revenues) 

Who we share personal data with

We may share personal data with the following key organisations to manage School Meals provision at the school.

When sharing the personal data, we only share the minimum amount necessary in relation to the purpose.

Who

Purpose

School

To co-ordinate school meal provision at the school

 

Data Processors

A data processor is a company or organisation that processes personal data on behalf of a controller. The Council uses data processors that provide services to us. The category of data processors that we use in relation to the management of School Meals provision is;

  • General IT system suppliers / service providers
  • School Dinner Cashless System (Secondary schools and Years 7 - 13 in Through schools only)

Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.

Should you have a specific query relating to the processors that we use for School Meals provision please contact us at;

 

How long we retain the personal data

The Council retains records relating to school meals provision for

Information relating to Special Dietary requirements

Until the pupil leaves school plus 1 year

The School will retain the following records on behalf of the Council

School meals register

 

Current year + 3 years

School meals summary sheet

Current year + 3 years

In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period. Information that has no long term or evidential value is routinely destroyed in the normal course of business.  

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your personal data.

Your right of access

You have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the data we process. You can read more about this right on the ICO’s website

Your right to get your data corrected

You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete data you think is incomplete. This right always applies. You can read more about this right on the ICO’s website.

Your right to get your data deleted

You have the right to ask us to erase your personal data in certain circumstances. You can read more about this right on the ICO’s website. 

Your right to limit how organisations use your data

You have the right to ask us to restrict the processing of your personal data in certain circumstances. You can read more about this right on the ICO’s website.

Your right to object to the use of your data

You have the right to object to us processing your personal data in certain circumstances. You can read more about this right on the ICO’s website. 

Your right to data portability

This only applies to personal data you have given us. You have the right to ask that we transfer the personal data you gave us from one organisation to another or give it to you. This right only applies if we are processing the personal data based on your consent or under, or in talks about entering a contract and the processing is automated. You can read more about this right on the ICO’s website.

You are not required to pay any charge for exercising your rights. We have one month to respond to your request from the date your request is validated. We may extend this period by a further two months if the request is complex or we receive a number of requests from you. 

For more information on your rights and how to exercise them please refer to the ‘Your Information Rights’ section of the Council’s website.

Your right to make a data protection complaint to the Council

You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.

If you have a concern, we encourage you to contact us in the first instance. Most concerns can be resolved relatively quickly through a simple phone call or email. Should you wish to make a formal complaint you can do so via our Comments, Compliments and Complaints Policy.

Your right to make a data protection complaint to the ICO

You can also complain to the ICO if you are unhappy with how we have used your data, but we encourage you to contact us first.

The ICO’s contact information is:            

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline number: 0303 123 1113
  • Website: https://www.ico.org.uk