On the 25th May 2018 the General Data Protection Regulation (GDPR) will be applicable and the current Data Protection Act (DPA) will be updated by a new Act giving effect to its provisions. Before that time the DPA will continue to apply.
This Policy sets out the manner in which personal data of staff, students and other individuals is processed fairly and lawfully.
The School collects and uses personal information about staff, students, parents or carers and other individuals who come into contact with the School. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the School complies with its statutory obligations.
The School is a data controller and must therefore comply with the Data Protection Principles in the processing of personal data, including the way in which the data is obtained, stored, used, disclosed and destroyed. The School must be able to demonstrate compliance. Failure to comply with the Principles exposes the School and staff to civil and criminal claims and possible financial penalties.
Details of the School's purpose for holding and processing data can be viewed on the data protection register: https://ico.org.uk/esdwebpages/search
The Schools registration number is Z7985856. This registration is renewed annually and up dated as and when necessary.
This Policy will ensure:
The School processes person data fairly and lawfully and in compliance with the Data Protection Principles.
All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities under this policy.
That the data protection rights of those involved with the School community are safeguarded. Confidence in the School’s ability to process data fairly and securely.
This Policy applies to:
Personal data of all School employees, governors, students, parents and carers, volunteers and any other person carrying out activities on behalf of the School.
The processing of personal data, both in manual form and on computer. All staff and governors.
The Data Protection Principles
The School will ensure that personal data will be:
1. Processed fairly, lawfully and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The School will be able to demonstrate compliance with these principles.
The School will have in place a process for dealing with the exercise of the following rights by Governors, staff, students, parents and members of the public in respect of their personal data:
· to be informed about what data is held, why it is being processed and who it is shared with;
· to access their data;
· to rectification of the record;
· to erasure;
· to restrict processing;
· to data portability;
· to object to processing;
· not to be subject to automated decision-making including
Roles and Responsibilities
The Governing Body of the School and the Head Teacher are responsible for implementing good data protection practices and procedures within the School and for compliance with the Data Protection Principles.
It is the responsibility of all staff to ensure that their working practices comply with the Data Protection Principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures forming part of this policy
A designated member of staff, the Data Protection Officer, will have responsibility for all issues relating to the processing of personal data and will report directly to the Head Teacher.
The Data Protection Officer will comply with responsibilities under the GDPR and will deal with subject access requests, requests for rectification and erasure, data security breaches. Complaints about data processing will be dealt with in accordance with the Schools Complaints Policy.
Data Security and Data Security Breach Management
All staff are responsible for ensuring that personal data which they process is kept securely and is not disclosed to any unauthorised third parties.
Access to personal data should only be given to those who need access for the purpose of their duties.
All staff will comply with the Schools Acceptable IT use Policy.
Staff who work from home must have particular regard to the need to ensure compliance with this Policy and the Acceptable IT use Policy.
Data will be destroyed securely in accordance with the ‘Information and Records Management Society Retention Guidelines for Schools’.
New types of processing personal data including surveillance technology which are likely to result in a high risk to the rights and freedoms of the individual will not be implemented until a Privacy Impact Risk Assessment has been carried out.
The School will have in place a data breach security management process and serious breaches where there is a high risk to the rights of the individual will be reported to the Information Commissioner’s Office (ICO) in compliance with the GDPR.
All staff will be aware of and follow the data breach security management process.
All staff will be aware of and comply with the list of Do’s and Don’ts in relation to data security in Appendix A
Subject Access Requests
Requests for access to personal data (Subject Access Requests) (SARs) will be processed by the Data Protection Officer. Those making a Subject Access Request will be charged a fee in accordance with Regulations. After the implementation of GDPR on 25th May 2018 no fee is applicable. Records of all requests will be maintained.
The School will comply with the statutory time limits for effecting disclosure in response to a Subject Access Request. The statutory time limit of 40 days continues until 25th May 2018 when under the GDPR the statutory time period reduces to one calendar month of receipt of the request.
Sharing data with third parties and data processing undertaken on behalf of the School.
Personal data will only be shared with appropriate authorities and third parties where it is fair and lawful to do so. Any sharing will be undertaken by trained personnel using secure methods. Where a third party undertakes data processing on behalf of the School e.g. by providing cloud based systems or shredding services, the School will ensure that there is a written agreement requiring the data to be processed in accordance with the Data Protection Principles.
All new staff will be trained on the data protection requirements as part of their induction. Training and guidance will be available to all staff.
All staff will read the Acceptable IT use Policy.
The School advises students whose personal data is held, the purposes for which it is processed and who it will be shared with. This is referred to as a "Privacy Notice" and is available on the School website.
The School also provides a Privacy Notice to staff which is available on the School website. The School will ensure Privacy Notices contains the following information:
· Contact Data Controller and Data Protection Officer
· Purpose of processing and legal basis. Retentions period. Who we share data with.
· Right to request rectification, erasure, to withdraw consent, to complain, or to know about any automated decision making and the right to data portability where applicable.
Photographs, Additional Personal Data and Consents
Where the School seeks consents for processing person data such as photographs at events it will ensure that appropriate written consents are obtained. Those consent forms will provide details of how the consent can be withdrawn.
Where the personal data involves a child under 16 years written consent will be required from the adult with parental responsibility.
What staff should do:
DO get the permission of your manager to take any confidential information home.
DO transport information from school on secure computing devices (i.e. encrypted laptops and encrypted memory sticks). Wherever possible avoid taking paper documents out of the office.
DO use secure portable computing devices such as encrypted laptops and encrypted USB memory sticks when working remotely or from home.
DO ensure that any information on USB memory sticks is securely deleted off the device, or saved on a School shared drive.
DO ensure that all paper based information that is taken of premises is kept confidential and secure, ideally in a sealed envelope which indicates a return address if misplaced.
DO ensure that any confidential documents that are taken to your home are stored in a locked drawer.
DO ensure that paper based information and laptops are kept safe and close to hand when taken out off premises. Never leave them unattended. Particular care should be taken in public places (e.g. reading of documentation on public transport).
DO ensure that when transporting paper documentation in your car that it is placed in the boot (locked) during transit.
DO return the paper based information to the School as soon as possible and file or dispose of it securely.
DO report any loss of paper based information or portable computer devices to your line manager immediately.
DO ensure that all postal and e-mail addresses are checked to ensure safe dispatch of information. When sending personal information by post the envelope should clearly state ‘Private – Contents for Addressee only’.
DO ensure that when posting/emailing information that only the specific content required by the recipient is sent.
DO use pseudonyms and anonymise personal data where possible.
DO ensure that access to SIMS (or equivalent) is restricted to appropriate staff only, that leavers are removed in a timely manner and that generic user names such as ‘Sysman’ are disabled.
What staff must not do:
DO NOT take confidential information to an entertainment or public place such
as a pub or cinema, whether held on paper or an electronic device. Any
information must be taken to the destination directly and never left unattended
during the journey.
DO NOT unnecessarily copy other parties into e-mail correspondence.
DO NOT e-mail documents to your own personal computer.
DO NOT store work related documents on your home computer.
DO NOT leave personal information unclaimed on any printer or fax machine.
DO NOT leave personal information on your desk overnight, or if you are away
from your desk in meetings.
DO NOT leave documentation in vehicles overnight.
DO NOT discuss case level issues at social events or in public places.
DO NOT put confidential documents in non-confidential recycling bins.
DO NOT print off reports with personal data (e.g. pupil data) unless absolutely
DO NOT use unencrypted memory sticks or unencrypted laptops
© West Sussex County Council