Data Protection Policy and Privacy Notice for Students and Parents.
- Legislation and guidance
- The data controller
- Data protection principles
- Roles and responsibilities
- Privacy/fair processing notice
- Subject access requests
- Parental requests to see the educational record
- Storage of records
- Disposal of records
- Monitoring arrangements
- Links with other policies
This policy sets out how the school deals with personal information correctly and securely, in accordance with the General Data Protection Regulation and other related legislation.
Our school aims to ensure that all data collected about pupils, parents and visitors is collected, stored and processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
This policy applies to all personal data, regardless of whether it is in paper or electronic format.
2. Legislation and Guidance:
This policy meets the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
3. Terms & Definitions
3.1 Personal Data: Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified.
3.2 Sensitive Personal Data:
Data such as:
- Racial or ethnic origin
- Religious beliefs, or beliefs of a similar nature
- Physical and mental health
- Whether a person has committed, or is alleged to have committed, an offence
- Criminal convictions.
3.3 Processing: Collecting, using, recording and storing data.
3.4 Data Subject: The person whose personal data is processed.
3.5 Data Controller: A person or organization that determines the purposes for which, and the manner in which, personal data is processed.
3.6 Data Processor: A person, other than an employee of the data controller, who processes the data on behalf of the data controller.
4. The Data Controller
Our school processes (collects, uses and stores) personal information relating to pupils, staff, and visitors, and, therefore, is a data controller. Our school delegates the responsibility of supervising the data protection mechanisms, both organizational and technical, to the appointed Data Protection Officer.
This information is gathered in order to enable the provision of education and other associated functions. In addition, the school may be required by law to collect, use and share certain information.
5. Data Protection Principles
The GDPR establishes six principles, as well as a number of additional duties, that must be adhered to at all times:
- Personal data shall be processed lawfully, fairly and in a transparent manner,
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (subject to exceptions for specific archiving purposes)
- Personal data shall be adequate, relevant and limited to what is necessary to the purposes for which they are processed and not excessive;
- Personal data shall be accurate and where necessary, kept up to date;
- Personal data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Personal data shall be processed in a manner that ensures appropriate security of the personal
Personal data shall not be transferred to a country or territory outside the European Economic Area unless it is imperative and if the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. Roles & Responsibilities
The governing board has overall responsibility for ensuring that the school complies with its obligations under the GDPR.
Day-to-day responsibilities rest with the Head Teacher and Data Protection Officer. The Head Teacher will ensure that all staff are aware of their data protection obligations, and oversee any queries related to the storing or processing of personal data.
Staff are responsible for ensuring that they collect and store any personal data in accordance with this policy.
The school is always committed to maintaining the principles and duties in the GDPR. Therefore, the school will:
- Inform individuals of the identity and contact details of the data controller.
- Inform individuals of the contact details of the Data Protection Officer.
- Inform individuals of the purposes for which personal information is being collected and the basis for this.
- Inform individuals when their information is shared, and why and with whom, unless the GDPR provides a reason not to do this.
- If the school plans to transfer personal data outside the EEA, the school will inform individuals and provide them with details of where they can obtain details of the safeguards for that information.
- Inform individuals of their data subject rights.
- Inform individuals that they may withdraw consent (where relevant) and that, if consent is withdrawn, the school will cease processing their data, although that will not affect the legality of data processed up until that point.
- Provide details of the length of time an individual’s data will be kept.
- Should the school decide to use an individual’s personal data for a different reason to that for which it was originally collected, the school shall inform the individual and, where necessary, seek consent.
- Check the accuracy of the information it holds and review it at regular intervals.
- Ensure that only authorised personnel have access to the personal information whatever medium (paper or electronic) it is stored in.
- Ensure that clear and robust safeguards are in place to ensure personal information is kept securely and to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.
- Ensure that personal information is not retained longer than it is needed.
- Ensure that when information is destroyed, this is done appropriately and securely.
- Share personal information with others only when it is legally appropriate to do so.
- Comply with the duty to respond to requests for access to personal information (known as Subject Access Requests).
- Ensure that personal information is not transferred outside the EEA without the appropriate safeguards.
- Ensure that all staff and governors are aware of and understand these policies and procedures.
7. Privacy Policies
7.1 Pupils and parents
We hold personal data about pupils to support teaching and learning, to provide care and to assess how the school is performing. We may also receive data about pupils from other organizations including, but not limited to, other schools and the Department for Education.
This data includes, but is not restricted to:
- Contact details
- Results of internal assessment and externally set tests
- Data on pupil characteristics, such as ethnic group or special educational needs
- Exclusion information
- Details of any medical conditions
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about pupils with anyone without consent unless the law and our policies allow us to do so. Individuals who wish to receive a copy of the information that we hold about them/their child should refer to sections 8 and 9 of this policy.
We are required, by law, to pass certain information about pupils to specified external bodies, such as our local authority and the Department for Education, so that they are able to meet their statutory obligations.
8. Subject Access Requests
Under the GDPR, pupils have a right to request access to information the school holds about them. This is known as a subject access request.
Subject access requests must be submitted in writing, either by letter, email or fax. Requests should include:
- The pupil’s name
- A correspondence address
- A contact number and email address
- Details about the information requested
The school will not reveal the following information in response to subject access requests:
- Information that might cause serious harm to the physical or mental health of the pupil or another individual
- Information that would reveal that the child is at risk of abuse, where disclosure of that information would not be in the child’s best interests
- Information contained in adoption and parental order records
- Certain information given to a court in proceedings concerning the child
Subject access requests for all or part of the pupil’s educational record will be provided within 30 days following a request through our DPA.
9. Parental Requests To See The Educational Record
Parents have the right of access to their child’s educational record, free of charge, within 30 days of a request.
Personal data about a child belongs to that child, and not the child’s parents. This is the case even where a child is too young to understand the implications of subject access rights.
Current legislation generally regards children aged 14 and above as mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents of pupils at our school may be granted without the express permission of the pupil.
Subject access requests for all or part of the pupil’s educational record will be provided within 30 days following a request through our DPO.
10. Storage Of Records
Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal information are kept secure when not in use.
Papers containing confidential personal information should not be left on office and classroom desks, on staffroom tables or pinned to noticeboards where there is general access.
Where personal information needs to be taken off site (in paper or electronic form), this will be carried out in accordance with the school’s data mapping document.
Passwords are used to access school computers, laptops and other electronic devices. Staff and pupils are reminded to change their passwords at regular intervals.
Encryption software is used to protect all portable devices and removable media, such as laptops and USB Devices.
Staff or pupils who store personal information on their personal devices are expected to follow the same security procedures as for school-owned equipment.
11. Disposal Of Records
Personal information that is no longer needed, or has become inaccurate or out of date, is disposed of securely.
For example, we will shred or incinerate paper-based records, and overwrite electronic files. We may also use an outside company to safely dispose of electronic records.
Our staff are provided with data protection training as part of their induction process.
Data protection will also form part of continuing professional development, where changes to legislation or the school’s processes make it necessary.
13. Monitoring Arrangements
The Head Teacher, Data Protection Officer and [nominated governor representative] are responsible for monitoring and reviewing this policy.
This document will be reviewed every 2 years unless there are significant changes to the Personal Data Protection Laws.
14. Links With Other Policies
This data protection policy and privacy notice is linked to the freedom of information publication scheme.
Complaints will be dealt with in accordance with the school’s complaints policy. Complaints relating to the handling of personal information may be referred to the Office of Commissioner for the Protection of Personal Data.
If you have any enquiries in relation to this policy, please contact our office at 24 815 400 or email our Data Protection Officer at firstname.lastname@example.org