Data Protection Policy
Contents Page
2....... Scope of this policy. 3
3....... Data protection principles. 3
4....... Responsibilities of staff and contractors. 4
5....... Personal data in the public domain. 4
7....... Sending personal data securely. 5
8....... Data subject rights. 5
9....... Prohibited activities. 8
11..... Privacy impact assessments (PIA) 8
12..... International transfers. 9
Our school is committed to protecting the rights and freedom of all individuals in relation to the processing of their personal data.
The school needs to comply with the Data Protection Act 2018 and EU General Data Protection Regulations. This policy has been developed to ensure all staff, contractors and partners understand their obligations when processing personal and special category data.
This policy and the legislation apply to all personal data, both that held in paper files and electronically. So long as the processing of the data is carried out for school purposes, it applies regardless of where data is held.
‘Processing’ data is widely defined and includes obtaining, recording, keeping, or using it in any way; sharing or disclosing it; erasing and destroying it.
Personal and special category data must be:
All personal and special category data must be processed lawfully, fairly and in a transparent manner in relation to individuals
The data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Staff and contractors must:
Our school holds certain information about people in the public domain, for example the Head Teachers name will be on the website. Personal data classified as being in the ‘public domain’ refers to information which will be publicly available world-wide and may be disclosed to third parties without recourse to the data subject.
Keeping personal data properly secure is vital in complying with the Data Protection Act. All staff and contractors are responsible for ensuring that any personal data we have access to is kept securely. We are also responsible for ensuring that personal data is not disclosed inappropriately (either orally or in writing or accidentally) to any unauthorised third party.
This includes, as a minimum:
We can send documents containing personal data securely using the following methods:
Requested by: |
Method: |
Hard copy |
Documents should be hand delivered to the data subject wherever possible. Check ID and address for sending before handing over documents. Make sure that the documents are securely contained in a sealed envelope. If it not possible for the data subject to collect the documents themselves use the special delivery service and include the name of the data subject on the envelope to ensure that they sign for the documents. Note: Check you have the correct address before posting |
Encrypted device |
Where the data is especially sensitive consider saving the documents on a password protected, encrypted memory device rather than posting hard copies. The password can be sent to the data subject once they have received the device by post to ensure that only they have access. |
|
This is the preferred method. Scan a copy of the file and move it to a secure location on the school’s network. Send the file by secure data transfer [currently Egress]. Ask the data subject to confirm receipt of the documents as soon as possible |
Data subjects have defined rights over the use of their data. These rights have been reinforced and extended by the Data Protection Act 2018.
These rights are:
Informed
Access
Rectification
Erasure
Restrict processing
Data Portability
Object
Automated decision making and profiling
The Data Protection Act 2018 has provisions on:
The Data Protection Act 2018 applies to all automated individual decision-making and profiling. The Act has additional rules to protect individuals if the school is carrying out solely automated decision-making that has legal or similarly significant effects on them.
We can only carry out this type of decision-making where the decision is:
If we are carrying out any of these activities, we must:
Carry out regular checks to make sure that the school’s systems are working as intended.
The above rights are conditional depending on the reason we hold the data and why we may need to retain it.
Where we have a legal obligation to collect and process data or we are collecting the data to carry out a public task, we cannot always agreed with any objection application to the processing of that data. We will consider all requests and explain the reason for the decision.
Similarly if an individual claims that there is an error in the recording of a child protection meeting or a behavioural incident, it is unlikely that these records will be amended because it is likely that the records contain the professional opinion of a social worker or other professional. Whilst the school would be unable to amend the original we would be able to place the individual’s objections on file next to the original record so that their objections can be noted.
Were we rely on consent to process data about an individual we will be obliged in most cases to apply the above rights.
The following activities are strictly prohibited when processing personal and special category data:
Under the Data Protection Act 2018 the School has a general obligation to implement technical and organisational measures to show that we have considered and integrated data protection into our processing activities. In order to achieve this, staff is expected to complete Privacy Impact Assessments to help identify and minimise any data protection risks
The school must do a PIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests:
We must consider completing a PIA when you identify:
The Data Protection Act 2018 imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
We may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Adequate safeguards may be provided for by a legally binding agreement between public authorities or bodies or the transfer is
Exemptions to the Data Protection Act 2018 can apply in a small number of areas and only where the restriction respects the essence of the individual’s fundamental rights and freedoms and it is a necessary and proportionate measure in a democratic society to safeguard:
Compliance with the Data Protection Act 2018 is the responsibility of all members of staff and contractors. Any questions about this policy or any queries concerning data protection matters should be raised with the Head Teacher.
Subject Access Request or SAR |
A request for access to data by a living person under the Act is known as a Subject Access Request or SAR. All records that contain the personal data of the subject will be made available, subject to certain exemptions. |
Freedom of Information Request or FOI. |
A request for access to data held is dealt with under the Freedom of Information Act 2000 and is known as a Freedom of Information Request or FOI. Requests for the data of deceased people may be processed under this legislation. |
Personal Data |
Personal data means data which relate to a living individual who can be identified directly or indirectly from the data, particularly be reference to an identifier. Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). Examples of personal data are the name and address of an individual; email and phone number; a Unique Pupil reference number or an NHS number |
Special Category Data |
Certain personal data, special category data, is given special protections under the Act because misuse could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination. Information relating to criminal activities or convictions is not special category data but must be treated with similar safeguards in place. Special category data includes:
|
Confidential Data
|
Data given in confidence or data which is confidential in nature and that is not in the public domain. Some confidential data will also be personal data and/or special category data and therefore come within the terms of this policy. Staff working in social care and in management roles will handle confidential data regularly and must be careful not to disclose this information incorrectly. |
Data Controller |
The organisation which determines the purposes and the manner in which, any personal data is processed is known as the data controller. The School is the data controller of all personal data used and held by the school. |
Data Processors |
Organisations or individuals who process personal data on behalf of the data controller are known as data processors. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf. |
Data Subject |
A living individual who is the subject of personal data is known as the data subject. This need not be a UK national or resident. Provided that the data controller is subject to the Act, rights with regards to personal data are available to every data subject, wherever his nationality or residence. |
Lawful Basis |
The grounds specified by the Regulations which need to be satisfied for any data processing to be legal. One ground needs to exist for processing personal data. Where special category data is processed a second ground must also exist. |
Relevant Professional |
The practitioners who supply information held on Social Services records, and various other medical and educational records. A relevant professional will consider where disclosure is likely to cause serious physical or mental harm to the applicant or any third party. |
Data Breach |
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A data breach may occur by accidentally sending an email to the wrong person or leaving a file in a public place. Breaches which result in a high risk to the individual must be reported to the ICO within 72 hours. |