Data Protection Policy
TREDWORTH JUNIOR SCHOOL
Data Protection Policy
General Data Protection Regulation
|Approved by:||Full Governing Body|
|Last reviewed on:||30 September 2019|
|Next review due by:||September 2021|
In order to work effectively Tredworth Junior School has to collect and use information about people with whom it works. This may include (past, present and future) pupils, parents, teachers, trustees, members of the public, contractors and suppliers. In addition we may be required by law to collect and use information in order to comply with the requirements of central government.
All personal information must be handled and dealt with properly, regardless of how it is collected, recorded and used, and whether it is on paper, in computer records or recorded for other means. We are all responsible for its safe handling.
This documents sets out the principles of data protection, our responsibilities, the access rights of individuals as well as information sharing and complaints.
2. Scope/ Our Commitment
This policy applies to all staff, governors, contractors, agents, representatives and temporary staff, working for or on behalf of the School. The requirements of this policy are mandatory for all of these parties.
The School regards the lawful and correct treatment of personal information as critical to its successful operation, maintaining confidence between the school and those it interacts with. The school will ensure that it treats personal information correctly in accordance with the law.
The School fully endorses and adheres to the principles of Data Protection as set out in the Data Protection Act (2018) and the General Data Protection Regulation (GDPR).
The school is committed to ensuring that their staffs are aware of data protection policies, legal requirements and that adequate training is provided by Gloucestershire County Council.
Changes to data protection legislation under the GDPR and DPA, shall be monitored and implemented in order to remain compliant with all requirements.
3. Principles of data protection
The GDPR outlines seven key principles for anyone who processes data. These principles form the basis of our approach to processing personal data.
• ensure that data is fairly and lawfully processed
• process data only for limited purposes
• ensure that all data processed is adequate, relevant and not excessive
• ensure that data processed is accurate
• not keep data longer than is necessary
• process the data in accordance with the data subject's rights
• ensure that data is secure
• ensure that data is not transferred to other countries without adequate protection.
The School is registered as a data controller with the ICO and will renew this registration as required.
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
Data breaches shall be notified within 72 hours to the individual(s) concerned and the ICO.
The members of staff responsible for data protection within the School are mainly Mr. A Darby (Headteacher), and Mrs. J Jones (School Business Manager). However all staff must treat all pupil (or other relevant) information in a confidential manner and follow the guidelines set out in this document.
We have appointed Gloucestershire County Council as our Data Protection officer. They can be contacted on 01452 583619 or email@example.com
5. Definitions of Data
Personal data is information about living, identifiable individuals. It covers both facts and opinions about the individual but need not be sensitive information. The GDPR makes a distinction between personal data and “special category” (sensitive data). Special category personal data requires stricter conditions for processing.
Personal data is Defined in s(1) of the GDPR, as ‘data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of the data controller’ (the School is a data controller), and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other in respect of the individual.
Special Category Data is information about racial or ethnic origin, sexual life or sexual orientation, biometric and genetic data, religious beliefs (or similar), physical or mental health/condition, membership of a trade union, political opinions or beliefs, details of proceedings in connection with an offence or an alleged offence.
6. Legal bases
The legal bases for processing data are as follows –
(a) Consent: the member of staff/pupil/parent has given clear consent for the school to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for the member of staff’s employment contract or student placement contract.
(c) Legal obligation: the processing is necessary for the school to comply with the law (not including contractual obligations).
7. Fair Processing / Privacy Notice
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and pupils prior to the processing of an individual’s data.
Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.
8. Sharing data
There may be circumstances where the school is required either by law or in the best interests of our pupils or staff to pass information onto external authorities, for example local authorities, Ofsted, or the department of health.
These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.
Any proposed change to the processing of individual’s data shall first be notified to them.
Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child. Data may be disclosed to the following third parties without consent:
- Other schools
If a pupil transfers from Tredworth Junior School to another school, their records and other data that relates to their health and welfare will be forwarded onto the new school. This will support a smooth transition from one school to the next and ensure that the child is provided for as is necessary. It will aid continuation which should ensure that there is minimal impact on the child’s academic progress as a result of the move.
- Examination authorities
This may be for registration purposes, to allow the pupils at our school to sit examinations set by external exam bodies.
- Health authorities
As obliged under health legislation, the school may pass on information regarding the health of children in the school to monitor and avoid the spread of contagious diseases in the interest of public health.
- Police and courts
If a situation arises where a criminal investigation is being carried out we may have to forward information on to the police to aid their investigation. We will pass information onto courts as and when it is ordered.
- Social workers and support agencies
In order to protect or maintain the welfare of our pupils, and in cases of child abuse, it may be necessary to pass personal data on to social workers or support agencies.
- Education division
Schools may be required to pass data on in order to help the government to monitor the national educational system and enforce laws relating to education.
Under no circumstances will the school disclose information or data:
- that would cause serious harm to the child or anyone else’s physical or mental health or condition
- indicating that the child is or has been subject to child abuse or may be at risk of it, where the disclosure would not be in the best interests of the child
- recorded by the pupil in an examination
- that would allow another person to be identified or identifies another person as the source, unless the person is an employee of the school or a local authority or has given consent, or it is reasonable in the circumstances to disclose the information without consent. The exemption from disclosure does not apply if the information can be edited so that the person’s name or identifying details are removed
- in the form of a reference given to another school or any other place of education and training, the child’s potential employer, or any national body concerned with student admissions.
9. Biometric recognition systems
Pupils biometric data is currently not used at Tredworth Junior School. Were we to introduce the use of pupils’ biometric data as part of an automated biometric recognition system (for example, pupils use finger prints to receive school dinners instead of paying with cash) we will comply with the requirements of the Protection of Freedoms Act 2012.
Parents/carers will be notified before any biometric recognition system is put in place or before their child first takes part in it. The school will get written consent from at least one parent or carer before we take any biometric data from their child and first process it.
Parents/carers and pupils have the right to choose not to use the school’s biometric system(s). We will provide alternative means of accessing the relevant services for those pupils. For example, pupils would be able pay for school dinners in cash at each transaction if they wished.
Parents/carers and pupils can object to participation in the school’s biometric recognition system(s), or withdraw consent, at any time, and we will make sure that any relevant data already captured is deleted.
As required by law, if a pupil refuses to participate in, or continue to participate in, the processing of their biometric data, we will not process that data irrespective of any consent given by the pupil’s parent(s)/carer(s).
Where staff members or other adults use the school’s biometric system(s), we will also obtain their consent before they first take part in it, and provide alternative means of accessing the relevant service if they object. Staff and other adults can also withdraw consent at any time, and the school will delete any relevant data already captured.
10. Photographs and Videos
As part of our school activities, we may take photographs and record images of individuals within our school.
We will obtain written consent from parents/carers, or pupils aged 18 and over, for photographs and videos to be taken of pupils for communication, marketing and promotional materials.
Where we need parental consent, we will clearly explain how the photograph and/or video will be used to both the parent/carer and pupil. Where we don’t need parental consent, we will clearly explain to the pupil how the photograph and/or video will be used.
Uses may include:
- Within school on notice boards and in school magazines, brochures, prospectuses, newsletters, etc.
- Outside of school by external agencies such as the school photographer, newspapers, campaigns or third party benefactors (such as charities or companies who provide financial support to the school).
- Online on our school website or social media pages/ feeds.
- Videos and photographs may be labelled with pupil’s names or tutor groups when used in this way.
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.
11. Data Protection rights of the individual
Data Access Requests (Subject Access Requests)
All individuals, whose data is held by us, have a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to:
Mr. A Darby (Headteacher)
Tredworth Junior School
No charge will be applied to process the request.
Other data protection rights of the individual
In addition to the right to make a subject access request (see above), and to receive information when we are collecting their data about how we use and process it individuals also have the right to:
- Withdraw their consent to processing at any time
- Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances)
- Prevent use of their personal data for direct marketing
- Challenge processing which has been justified on the basis of public interest
- Request a copy of agreements under which their personal data is transferred outside of the European Economic Area
- Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them)
- Prevent processing that is likely to cause damage or distress
- Be notified of a data breach in certain circumstances
- Make a complaint to the ICO
- Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)
- Where personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by the school including any data held by contracted processors.
12. Data Security
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.
Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance. The security arrangements of any organisation with which data is shared shall also be considered and where required these organisations shall provide evidence of the competence in the security of shared data.
13. Location of information and data
Hard copy data, records, and personal information are stored out of sight and in a locked cupboard or office. The only exception to this is medical information that may require immediate access during the school day. This will be stored with the school medical officer.
Sensitive or personal information and data should not be removed from the school site, however the school acknowledges that some staff may need to transport data between the school and their home in order to access it for work in the evenings and at weekends. This may also apply in cases where staff have offsite meetings, or are on school visits with pupils.
The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:
- Paper copies of data or personal information should not be taken off the school site. If these are misplaced they are easily accessed. If there is no way to avoid taking a paper copy of data off the school site, the information should not be on view in public places, or left unattended under any circumstances.
- Unwanted paper copies of data, sensitive information or pupil files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or pupil by name.
- Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.
- If information is being viewed on a PC, staff must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers
- Laptops and USB sticks that staff use must be password protected.
These guidelines are clearly communicated to all school staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
14. Data Disposal
The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.
All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process. Disposal of IT assets holding data shall be in compliance with ICO guidance:
The school has identified a qualified source for disposal of IT assets and collections. The school also uses Hemplan to dispose of sensitive data that is no longer required.
Complaints about how the school processes data under the GDPR and responses to subject access requests are dealt with using the School’s complaints procedure.
16. Breach of Policy
Any breach of this policy should be investigated in accordance with our Data breach process The School will always treat any data breach as a serious issue, potentially warranting a disciplinary investigation. Each incident will be investigated and judged on its individual circumstances, addressed accordingly and carried out in line with the employee code of conduct.
17. Related policies /documentation
- Privacy Notice
- Complaints procedure
- Consent form
- Freedom of Information Policy