Bishop Bewick Catholic Education Trust
Policy Title: Data Protection Policy
Date of Approval: May 2024
Approved by: Trust Board
Date of next review: May 2027
Applies to: All school & Trust settings
Change log:
by
COO Sep2022 TrustBoard Original 1.1 CCO May2024 TrustBoard GuidanceonCCTVfootage
Introduction
ThefollowingdataprotectionpolicyisusedbytheschooltoshowcompliancewiththeData Protection Act2018,sometimesreferredtoasUKGDPR.
Theschoolarethedatacontrollerandareultimatelyresponsibleforensuringthattheycomplywithdata protectionlaw.TheDataProtectionOfficerroleiscarriedoutbyChapmanData&InformationServices LTD,whoseroleistoadvise,assistandinstructtheschool.
Chapman Data & Information Services LTD, cannot be held accountable should the school as data controllerfailtofollowadvicethathasbeengiven.
TheDataProtectionAct2018(UKGDPR) putscertainresponsibilitiesuponthedatacontrollersuchas ensuringtheyhavethecorrectpoliciesinplace,dataauditshavebeencarriedout,schoolstaffhavehad basicdataprotectiontraining,andtheschoolhasthecorrectICOregistrationinplace.
It is recommended that this policy is given to every member of staff within the school – This is to ensure that regardless of how a staff member processes data they understand the importance and responsibility they have around protecting personal data.
It is also recommended that the school upload this policy to their website.
Theschoolasdatacontrollerwillensurethatpersonaldataiskeptinaccordancewiththefollowingkey dataprotectionprinciples:
• Fair,lawful,andtransparentprocessing-PrivacyNotice.
• Purposelimitation–Onlyholddatawhererequiredandforitsintendedpurpose.
• Dataminimisation–Donotholddataanylongerthanisnecessary.
• Accuracy–Ensurethatdataiscorrect.
• Dataretentionperiods–Awareoflegalrequirementstokeepdocuments.Ifadocumentdoesnot comeunderalegalrequirement,thenthedataminimisationprincipalshouldbefollowed.
• Datasecurity–Allreasonablestepswillbetakentoprotectthedatatheschoolholds.
• Accountability–Tobeabletoprovethattheschooladherestodataprotectionlaw.
Theschool’sprivacynoticehasbeenadaptedfromthemodelprivacynoticeprovidedbytheDepartment of Education (DFE). This is the minimum requirement expected. However, the school can add to this shouldtheywish.
Privacy Notice (How we use your information)
This notice is aimed at pupils, parents/carers – the school should decide if they pass this notice to the children themselves as well as parents/carers. This would depend on if the child is old enough and mature enough to understand the notice.
The categories of information that we collect, hold and/or share include but are not limited to:
• Personal information (such as names, unique pupil number and address, adult emergency contact information)
• SpecialCategories(suchasEthnicity,Language,Nationality,Countryofbirth&Religion)
• Characteristics(suchasfreeschoolmealeligibility,PupilPremiumInformation)
• Safeguardinginformation(suchascourtordersandprofessionalinvolvement)
• Medical and administration (such as doctor information, child health, dental health, allergies, medication,anddietaryrequirements)
• Attendanceinformation(suchassessionsattended,numberofabsencesandabsencereasonsandany previousschoolsattended)
• Assessmentinformationandattainment(suchaskeystage1,keystage2andphonicsresults)
• Relevantmedicalinformation(SpecialCategoryData)
• SpecialEducationalNeedsinformation(includingneedsandranking)
• Behaviouralinformation(suchasexclusionsandanyrelevantalternativeprovisionputinplace)
• FinancialInformation(suchasdinnermoneytransactions,triptransactions)
Why we collect and use this information
Weusethepupildata:
• tosupportpupillearning
• tomonitorandreportonpupilattainmentprogress
• toprovideappropriatepastoralcare
• toassessthequalityofourservices
• tokeepchildrensafe(foodallergiesoremergencycontactdetails)
• tomeetthestatutorydutiesplacedonusbytheDepartmentforEducation
• tocomplywiththelawregardingdatasharing
• Financialaudits
• toprovidearewardsstructure
• totrackhowwelltheschoolisperformingasawhole
The lawful basis on which we use this information
We collect and use your information under the Data Protection Act 2018 (sometimes referred to as UKGDPR),article6,andarticle9.
Specialcategorydatafromarticle9isprocessedundercondition(a)thedatasubjecthasgivenexplicit consenttotheprocessingofthosepersonaldataforoneormorespecifiedpurpose.
Collecting pupil information
Pupil data is essential for the school’s operational use. Whilst the majority of pupil information you providetousismandatory,someofitisprovidedtousonavoluntarybasis.InordertocomplywithData Protectionlegislation,wewillinformyouatthepointofcollection,whetheryouarerequiredtoprovide certainpupilinformationtousorifyouhaveachoiceinthis.Thiswillbeviathepupilinformationsheet thatyouarerequestedtocompleteuponyourchild’sentrytotheschool.Also,ifapplicabledatawillbe takenfromyourpreviousschoolusingacommontransferfile(CTF).
Storing your data
WeholdyourdataifitislawfulforustodosoinaccordancewithretentionguidancetakenfromtheDFE recommendedsourcewhichistheIRMStoolkit.Shouldadocumentnotbelistedinthistoolkitthenthe schoolwillkeeparecordofwhythisdataisbeingretainedandwillproduceuponrequest. Wherethe schooldoes not followthe guidance withinthis toolkit, the school have their ownretentiondocument whichcanbeprovideduponrequest.
Any data that we are no longer required to hold lawfully is deleted/destroyed in accordance with the school’sdisposalguidancepolicy.
Who we share pupil information with
Weroutinelysharepupilinformationwith:
• schoolsthatthepupilsattendafterleavingus
• Ourlocalauthority
• theDepartmentforEducation(DfE)
• Medicalinformationasappropriate/necessarywiththeNHS
• Iftheschoolisamemberofanacademytrust,thenwemaywhereappropriatesharepupilinformation withthetrust.
Wealsoroutinelysharepupilinformationwith:
ThirdPartyCompanies/Partnerswhoareassistingtheschoolorenhancingachild’seducation.Alistof suchcompanies/partnerscanbeprovideduponrequest.Thesearenotaddedtotheprivacynoticedue totheirfluidnature.
• Whererequiredtheschoolwillensurethatadataprocessingagreementisinplace
• WewillensurethataPrivacyImpactAssessment(PIA)iscarriedforanynewsystemthattheschool acquires.
• We will ensure that if any personal data is transferred to a country that the UK deem to not have adequatedataprotectionlawsthataStandardContractualClause(SCC)isinplace.
• Wewillensureforanysystemthatisonlineanddirectedatchildrenwillbecompliantwiththeageappropriatedesigncode(children’scode)
Why we share your information
• Wedonotshareinformationaboutyouwithanyonewithoutconsentunlessthelawandourpolicies allowustodoso.
• Wesharedatawithschoolsthatyourchildattendsafterleavingustoassistwiththeschooltransition process.
• Wesharedatawithourlocalauthoritywhenitisappropriatetodosotoassistintheeducationofthe pupilswithinourschool.
• Wesharedatawiththirdpartycompanies/partnerswhomayrequirethisinformationtoassistthe school.
• WesharepupildatawiththeNHSwhenappropriatetoassistwithmedicalneeds ofchildrenwithin theschool.
Youth support services
Pupilsaged13+
Onceourpupilsreachtheageof13,wealsopasspupilinformationtoourlocalauthorityand/or providerofyouthsupportservicesastheyhaveresponsibilitiesinrelationtotheeducationortraining of13-19yearoldsundersection507BoftheEducationAct1996.
Thisenablesthemtoprovideservicesasfollows:
• youthsupportservices
• careersadvisers
Theinformationsharedislimitedtothechild’sname,addressanddateofbirth.Howeverwherea parentorguardianprovidestheirconsent,otherinformationrelevanttotheprovisionofyouthsupport serviceswillbeshared.Thisrightistransferredtothechild/pupiloncetheyreachtheage16
Dataissecurelytransferredtotheyouthsupportservice.
Pupilsaged16+
Wewillalsosharecertaininformationaboutpupilsaged16+withourlocalauthorityand/orprovider ofyouthsupportservicesastheyhaveresponsibilitiesinrelationtotheeducationortrainingof13-19 yearoldsundersection507BoftheEducationAct1996.
Thisenablesthemtoprovideservicesasfollows:
• post-16educationandtrainingproviders
• youthsupportservices
• careersadvisers
Dataissecurelytransferredtotheyouthsupportservice.
Formoreinformationaboutservicesforyoungpeople,pleasevisitourlocalauthoritywebsite.
Department For Education
• Wesharepupils’datawiththeDepartmentforEducation(DfE)onastatutorybasis.Thisdatasharing underpinsschoolfundingandeducationalattainmentpolicyandmonitoring.
• We are required to share information about our pupils with our local authority (LA) and the DepartmentforEducation(DfE).Maintainedschool-undersection3ofTheEducation(Information AboutIndividualPupils)(England)Regulations2013.Academiesandfreeschools-underregulation 5ofTheEducation(InformationAboutIndividualPupils)(England)Regulations2013.PupilReferral Units - under regulation 4 of The Education (Information About Individual Pupils) (England) Regulations2013
• AlldataistransferredtotheDFEsecurelyandheldbytheDFEunderacombinationofsoftwareand hardware controls which meet the current government security policy framework. government securitypolicyframework.
Data collection requirements:
TofindoutmoreaboutthedatacollectionrequirementsplacedonusbytheDepartmentforEducation (forexample,viatheschoolcensus)gotohttps://www.gov.uk/education/data-collection-andcensuses-for-schools
The National Pupil Database (NPD)
MuchofthedataaboutpupilsinEnglandgoesontobeheldintheNationalPupilDatabase(NPD).
TheNPDisownedandmanagedbytheDepartmentforEducationandcontainsinformationaboutpupils inschoolsinEngland.Itprovidesinvaluableevidenceoneducationalperformancetoinformindependent research,aswellasstudiescommissionedbythedepartment.
Itisheldinelectronicformatforstatisticalpurposes.Thisinformationissecurelycollectedfromarange ofsourcesincludingschools,localauthoritiesandawardingbodies.
TofindoutmoreabouttheNPD,gotohttps://www.gov.uk/government/publications/national-pupildatabase-user-guide-and-supporting-information
Sharing by the Department
ThelawallowstheDepartmenttosharepupils’personaldatawithcertainthirdparties,including:
• schools
• localauthorities
• researchers
• organisationsconnectedwithpromotingtheeducationorwellbeingofchildreninEngland
• othergovernmentdepartmentsandagencies
• organisationsfightingoridentifyingcrime
FormoreinformationabouttheDepartment’sNPDdatasharingprocess,pleasevisit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
OrganisationsfightingoridentifyingcrimemayusetheirlegalpowerstocontactDfEtorequestaccessto individuallevelinformationrelevanttodetectingthatcrime.Whilstnumbersfluctuateslightlyovertime, DfEtypicallysuppliesdataonaround600pupilsperyeartotheHomeOfficeandroughly1peryearto thePolice.
ForinformationaboutwhichorganisationstheDepartmenthasprovidedpupilinformation,(andfor whichproject)ortoaccessamonthlybreakdownofdatasharevolumeswithHomeOfficeandthe Policepleasevisitthefollowingwebsite:https://www.gov.uk/government/publications/dfe-externaldata-shares
How to find out what personal information DfE hold about you
UnderthetermsoftheDataProtectionAct2018,youareentitledtoasktheDepartment:
• iftheyareprocessingyourpersonaldata
• foradescriptionofthedatatheyholdaboutyou
• thereasonsthey’reholdingitandanyrecipientitmaybedisclosedto
• foracopyofyourpersonaldataandanydetailsofitssource
IfyouwanttoseethepersonaldataheldaboutyoubytheDepartment,youshouldmakea‘subjectaccess request’. Further information on how to do this can be found within the Department’s personal informationcharterthatispublishedattheaddressbelow:
https://www.gov.uk/government/organisations/department-for-education/about/personalinformation-charter
TocontactDfE:https://www.gov.uk/contact-dfe
How Government uses your data
ThepupildatathatwelawfullysharewiththeDfEthroughdatacollections:
• underpinsschoolfunding,whichiscalculatedbaseduponthenumberofchildrenandtheir characteristicsineachschool.
• informs‘shortterm’educationpolicymonitoringandschoolaccountabilityandintervention (forexample,schoolGCSEresultsorPupilProgressmeasures).
• supports‘longerterm’researchandmonitoringofeducationalpolicy(forexamplehowcertain subjectchoicesgoontoaffecteducationorearningsbeyondschool)
Requesting access to your personal data (Subject Access Request)
Underdataprotectionlegislation,youhavetherighttorequestaccesstoinformationaboutyourselfthat wehold.Ifaparent/carerisrequestingdatafortheirchild,thenthiswillbeprovidedtotheparent/carer
unless the school deem the child to be mature enough to understand the data and the subject access process.
Theschoolhave30calendardaystorespondtoasubjectaccessrequest.However,thiscanbeextended byafurthertwomonthsifrequired.
Tomakearequestpleasecontacttheschool.
Requesting access to your child educational record
In broad terms an education record would be information that the school holds on a child which is informationallaboutthechildandwouldrequirenoredactionandwouldfollowthechildtoanewschool.
ExampleswouldbeAttendance,schoolwork,assessmentgrades,letterstotheparentsfromtheschool aboutthechildandanyotherinformationthattheschoolholdonthechildthatrelatessolelytothatchild.
Theschoolmustrespondwiththeinformationwithin15workingschooldays.Tomakearequestplease contacttheschool.
Iftheschoolisanacademy,thentheyareundernoobligationtoprovidethisinformation.
You also have the right to the following
• incertaincircumstancestobeabletoobjecttoprocessingofpersonaldatathatislikelytocause,oris causing,damageordistress.
• Prevent processing for the purpose of direct marketing (including profiling)andprocessing for the purposesofscientific/historicalresearchandstatistics.
• not to be subject to decisions based purely on automated processing where it produces a legal or similarlysignificanteffectonyou.
• Haveinaccurate/incompletepersonaldatarectified
• Incertaincircumstancesrestrictprocessing,requestthedeletionorremovalofpersonaldatawhere thereisnocompellingreasonforitscontinuedprocessing.
• arighttoseekredress,eitherthroughtheICOorthroughthecourts.
Ifyouhaveaconcernaboutthewaywearecollectingorusingyourpersonaldata,werequestthatyou raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’sOffice:·Reportaconcernonlineathttps://ico.org.uk/concerns/
·Call03031231113
·Orwriteto:InformationCommissioner’sOffice,WycliffeHouse,WaterLane,Wilmslow,Cheshire,SK9 5AF
Withdrawal of consent and the right to lodge a complaint
Where we are processing your personal data with your consent, you have the right to withdraw that consent.Ifyouchangeyourmindorareunhappywiththe wayweuseyourpersonaldatathenplease contacttheschool.
Contact
If you would like to discuss anything in this privacy notice, please contact the school who will in turn contacttheschool’sdataprotectionofficer.Wemayneedtoupdatethisprivacynoticeperiodically,so werecommendthatyourevisitthisinformationfromtimetotime.Version–September2021
Workforce Privacy Notice (How we use your information)
This notice is aimed at staff within the school, school governors and anyone who is carrying out work on behalf of the school where we are required to hold their personal information.
The categories of information that we collect, hold and/or share include but are not limited to (where applicable)
• personalinformation(suchasname,employeeorteachernumber,nationalinsurancenumber, address)
• specialcategoriesofdataincludingcharacteristicsinformation(suchasgender,age,ethnic group)
• contractinformation(suchasstartdates,hoursworked,post,roles,payroll,andsalary information)
• workabsenceinformation(suchasnumberofabsencesandreasons)
• qualifications(and,whererelevant,subjectstaught)
• Performancemanagementdata(suchasappraisal/observationrecords)
• Medicalinformation
Why we collect and use this information
We use the workforce information to:
• Enablethedevelopmentofacomprehensivepictureoftheworkforceandhowitisdeployed
• Informthedevelopmentofrecruitmentandretentionpolicies
• Enableindividualstobepaid
• Facilitatesaferecruitment,aspartofoursafeguardingobligationstowardspupils
• Supporteffectiveperformancemanagement
• Provideaccesstothirdpartysolutionstodispenseyourprofessionalduties
• Informourrecruitmentandretentionpolicies
• Allowbetterfinancialmodellingandplanning
• Enableethnicityanddisabilitymonitoring
• Improvethemanagementofworkforcedataacrossthesector
• SupporttheworkoftheSchoolTeachers’ReviewBody
The lawful basis on which we use this information
We collect and use your information under the Data Protection Act 2018 (sometimes referred to as UKGDPRarticle6,andarticle9.
Specialcategorydatafromarticle9isprocessedundercondition(a)thedatasubjecthasgivenexplicit consenttotheprocessingofthosepersonaldataforoneormorespecifiedpurpose
Collecting your information
Whilstthemajorityoftheinformationyouprovidetousismandatory,someofitisprovidedtousona voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whetheryouarerequiredtoprovidecertaininformationtousorifyouhaveachoiceinthis.Thisdata willbecollecteduponcommencementofyourinvolvementwiththeschool.
Storing your data
WeholdyourdataifitislawfulforustodosoinaccordancewithretentionguidancetakenfromtheDFE recommendedsourcewhichistheIRMStoolkit.Shouldadocumentnotbelistedinthistoolkitthenthe schoolwillkeeparecordofwhythisdataisbeingretainedandwillproduceuponrequest.Wherethe schooldoes not followthe guidance withinthis toolkit, the school havetheir ownretentiondocument whichcanbeprovideduponrequest.
Any data that we are no longer required to hold lawfully is deleted/destroyed in accordance with the school’sdisposalguidancepolicy.
Who we share your information with
Weroutinelyshareinformationwith:
• Ourlocalauthority.
• TheDepartmentforEducation(DfE)
• Iftheschoolisamemberofanacademytrust,thenwemaywhereappropriatesharepupilinformation withthetrust.
ThirdPartyCompanies/Partnerswhoareassistingtheschoolorenhancingachild’seducation.Alistof suchcompanies/partnerscanbeprovideduponrequest.Thesearenotaddedtotheprivacynoticedue totheirfluidnature.
• Whererequiredtheschoolwillensurethatadataprocessingagreementisinplace.
• WewillensurethataPrivacyImpactAssessment(PIA)iscarriedforanynewsystemthattheschool acquires.
• We will ensure that if any personal data is transferred to a country that the UK deem to not have adequatedataprotectionlawsthataStandardContractualClause(SCC)isinplace.
Wedonotshareinformationaboutworkforcememberswithanyonewithoutconsentunlessthelawand ourpoliciesallowustodoso.
Local authority
Wearerequiredtoshareinformationaboutourworkforcememberswithourlocalauthority(LA)under section5 of the Education (Supplyof Informationabout the School Workforce) (England)Regulations 2007andamendments.
Department for Education (DfE)
The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our children and young people with the Department for Education (DfE) for the purpose of those data collections, undersection 5 of the Education (Supply of Information about the School Workforce) (England)Regulations2007andamendments.
All data is transferred to the DFE securely and held by the DFE under a combination of software and hardwarecontrolswhichmeetthecurrentgovernmentsecuritypolicyframework.governmentsecurity policyframework
How government uses your data
TheworkforcedatathatwelawfullysharewiththeDfEthroughdatacollections:
• informsdepartmentalpolicyonpayandthemonitoringoftheeffectivenessanddiversityofthe schoolworkforce
• linkstoschoolfundingandexpenditure
• supports‘longerterm’researchandmonitoringofeducationalpolicy
Data collection requirements
TofindoutmoreaboutthedatacollectionrequirementsplacedonusbytheDepartmentforEducation includingthedatathatwesharewiththem,goto https://www.gov.uk/education/data-collection-andcensuses-for-schools.
Sharing by the department
The department may share information about school employees with third parties who promote the educationorwell-beingofchildrenortheeffectivedeploymentofschoolstaffinEnglandby:
• conductingresearchoranalysis
• producingstatistics
• providinginformation,adviceorguidance
The department has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whetherDfEreleasespersonaldatatothirdpartiesaresubjecttoastrictapprovalprocessandbasedon adetailedassessmentof:
• whoisrequestingthedata
• thepurposeforwhichitisrequired
• thelevelandsensitivityofdatarequested;and
• thearrangementsinplacetosecurelystoreandhandlethedata
Tobegrantedaccesstoschoolworkforceinformation,organisationsmustcomplywithitsstrictterms andconditionscoveringtheconfidentialityandhandlingofthedata,securityarrangementsandretention anduseofthedata.
How to find out what personal information the DFE hold about you
UnderthetermsoftheDataProtectionAct2018,you’reentitledtoasktheDepartment:
• iftheyareprocessingyourpersonaldata
• foradescriptionofthedatatheyholdaboutyou
• thereasonsthey’reholdingitandanyrecipientitmaybedisclosedto
• foracopyofyourpersonaldataandanydetailsofitssource
IfyouwanttoseethepersonaldataheldaboutyoubytheDepartment,youshouldmakea‘subjectaccess request’. Further information on how to do this can be found within the Department’s personal informationcharterthatispublishedattheaddressbelow:
https://www.gov.uk/government/organisations/department-for-education/about/personalinformation-charter
Tocontactthedepartment:https://www.gov.uk/contact-dfe.
Requesting access to your personal data (Subject Access Request)
Underdataprotectionlegislation,youhavetherighttorequestaccesstoinformationaboutyourselfthat wehold.
Theschoolhave30calendardaystorespondtoasubjectaccessrequest.However,thiscanbeextended byafurthertwomonthsifrequired.
Tomakearequestforasubjectaccessrequestpleasecontacttheschool.
You also have the right to the following
• incertaincircumstancestobeabletoobjecttoprocessingofpersonaldatathatislikelytocause,oris causing,damageordistress.
• Preventprocessing for the purpose of directmarketing (including profiling)andprocessing for the purposesofscientific/historicalresearchandstatistics.
• not to be subject to decisions based purely on automated processing where it produces a legal or similarlysignificanteffectonyou.
• Haveinaccurate/incompletepersonaldatarectified.
• In certain circumstances restrict processing (i.e. permitting its storage but no further processing), requestthedeletionorremovalofpersonaldatawherethereisnocompellingreasonforitscontinued processing.
• arighttoseekredress,eitherthroughtheICOorthroughthecourts.
Ifyouhaveaconcernaboutthewaywearecollectingorusingyourpersonaldata,werequestthatyou raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’sOffice:·Reportaconcernonlineathttps://ico.org.uk/concerns/
·Call03031231113
·Orwriteto:InformationCommissioner’sOffice,WycliffeHouse,WaterLane,Wilmslow,Cheshire,SK9 5AF
Withdrawal of consent and the right to lodge a complaint
Where we are processing your personal data with your consent, you have the right to withdraw that consent.Ifyouchangeyourmindorareunhappywiththewayweuseyourpersonaldatathenplease contacttheschool.
Contact
If you would like to discuss anything in this privacy notice, please contact the school who will in turn contacttheschool’sdataprotectionofficer.Wemayneedtoupdatethisprivacynoticeperiodically,so werecommendthatyourevisitthisinformationfromtimetotime.Version–September2021
Data Breach
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration,unauthoriseddisclosureof,oraccessto,personaldata.Thiswillincludebreachesthatarethe resultofbothaccidentalanddeliberatecauses.Italsomeansthatabreachismorethanjustaboutlosing personaldata.
It is a security incident that has affected the confidentiality, integrity or availability of personal data. Wheneverasecurityincidenttakesplace,itshouldbequicklyestablishedwhetherapersonaldatabreach hasoccurredand,ifso,promptlytakestepstoaddressit,includinginformingtheICOifrequired.
TheICOmustbeinformedifthebreachhasresultedinarisktopeople’srightsandfreedoms;ifthisis unlikely then it does not have to be reported. However, if the breach has not been reported then the schoolshouldbeabletojustifythisdecision.
Inassessingifadatabreachhascreatedarisktopeople’srightsandfreedomsthenRecital85oftheGDPR shouldbeconsulted.
Apersonal data breach may,if not addressed inanappropriate andtimelymanner, resultinphysical, materialornon-materialdamagetonaturalpersonssuchaslossofcontrolovertheirpersonaldataor limitationoftheirrights,discrimination,identitytheftorfraud,financialloss,unauthorisedreversalof pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Thereareseveralcoursesofactionthatcanbefollowedfollowingadatabreach.Advicemaybegivento the individual staff member specifically and/or to school staff in general. This may also result in additionaltrainingforanindividual,teamorwholestaff.Inthemostseriouscasesand/orwhenthereis evidencetosuggestdisregardforproceduresthenthiscouldresultinstaffreceivingaverbalwarning,a writtenwarningorpotentiallydismissal
Iftheschoolbelievethatadatabreachhasoccurred,thentheymustreportthistotheDataProtection Officerwithimmediateeffect.Adecisionwillbemadeonhowtohandlethebreach,thepriorityforthe schoolistoensurethatthebreachiscontained.IfthebreachisdeemedseriousenoughthentheData Protection Officer may contact the ICO for further advice. Following ICO advice the school as data controllermayberequiredtoreportthebreachofficiallytotheICO.
If reporting is required, then this must happen within 72 hours of the personal data breach being identified(thisincludesweekendsandholidays).
TheDPOwillcommenceworkonthedatabreachlog.Ifthebreachisdeemedcomplex,thentheschool will be required to complete the log. The DPO will give advice to the school on whether the person affectedbythebreachshouldbeinformed. Regardlessofthisthefinaldecisionwillbemadebytheschool. Whentheindividualisinformed,dependingontheirresponse,theschoolmayaskiftheindividualwishes tocomplaintothegoverningbodyorfortheschooltoconsiderself-reportingtotheICO.Shouldarequest bemadetoself-reporttotheICO,theDPOwilldiscussthiswiththeschool,whowillhavethefinaldecision regardingself-reporting.
TheschoolwilladoptaListen,LogandLearnapproach.Listentothepersonwhohashadthebreach,log allthedetailsaboutthebreach,andLearnfromthebreachtoensurethatitdoesnothappenagain.
Vital Interests
UKGDPRhasthefollowinglawfulbasesforprocessingdata:
(d) Vital interests: the processing is necessary to protect someone’s life.
ThisisoneofthelawfulbasesthattheschoolusesforprocessingdatawithinUKGDPR.Itisrequiredas theschoolprocessesthepersonaldatatoprotectsomeone’slife
Thisprocessingisnecessaryaswithoutittheschoolwouldnotbeabletoprotectaperson’svitalinterests in any other less intrusive way. The school rely onthis basis to store medical and special educational needsdatatoassisttheschoolinprotectingsomeone’slife.
Article6(1)(d)providesthelawfulbasisforprocessingwhere:
‘Processingisnecessaryinordertoprotectthevitalinterestsofthedatasubjectorofanothernatural person’
Recital46providesfurtherguidance:
‘The processing of personal datashouldalso be regarded as lawful where itis necessaryto protectan interestwhichisessentialforthelifeofthedatasubjectorthatofanothernaturalperson.Processingof personal data basedonthe vitalinterestof another natural personshouldin principle take place only wheretheprocessingcannotbemanifestlybasedonanotherlegalbasis.’
This lawful basis generally only applies to matters of life and death. This is likely to be relevant for emergencymedicalcare.Whiletheschoolwilluselawfulbasis (a) consent: the individual has given clear consent for you to process their personal data for a specific purpose, forthemajorityofits medicalandspecialeducationneedsprocessing.Itmayberequiredtousevitalinterestsinthecaseofa lifeanddeathmatter.
UKGDPR Individual Rights
TheUKGDPRprovidesthefollowingrightsforindividuals:
1.Therighttobeinformed
2.Therightofaccess
3.Therighttorectification
4.Therightoferasure
5.Therighttorestrictprocessing
6.Therighttodataportability
7.Therighttoobject
8.Rightsinrelationtoautomateddecisionmakingandprofiling
Theschoolwillensurethatallparents/carersandschoolstaffareawareoftheserightsviatheschool privacy notices. Also, the school will ensure that should any parent/carer or member of school staff requesttoinvokeanyoftherightslistedabove,thattheywilltreattherequestinthecorrectmannerand assisttheindividualanywayitcan.
However,someoftherightslistedwillnotapplyduetootherconditionsset,asthesearenotabsolute rights.Anexamplewouldbetherighttoerasure,asiftheindividualrequestedthistohappentoarecord, thenthiscouldhampertheschool’sabilitytoperformitspublictask.Assuch,anyrequeststhataremade willbeconsideredonacase-by-casebasis,andtherequesterwillbekeptinformedatalltimesaround thedecisionsthattheschoolmakeregardingtheirrequest.
Belowisabriefguidetowhateachoftherightsare:
1. The right to be informed – The right to be informed encompasses yourobligation to provide ‘fair processinginformation’,typicallythroughaprivacynotice.Itemphasisestheneedfortransparencyover howyouusepersonaldata.
2. The right of access – Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
3. The right to rectification –TheUKGDPRgivesindividualstherighttohavepersonaldatarectified. Personaldatacanberectifiedifitisinaccurateorincomplete.
4. The right to erasure – The right to erasure is also known as the ‘right to be forgotten’. The broad principleunderpinningthisrightistoenableanindividualtorequestthedeletionorremovalofpersonal datawherethereisnocompellingreasonforitscontinuedprocessing.
5. The right to restrict processing – Individuals have the right to ‘block’ or suppress processing of personaldata.Whenprocessingisrestricted,youarepermittedtostorethepersonaldata,butnotfurther processit.Youcanretainjustenoughinformationabouttheindividualtoensurethattherestrictionis respectedinfuture.
6. The right to data portability –The right to data portabilityallowsindividuals to obtainandreuse their personal data for their own purposes across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrancetousability.
7. The right to object –Individualshavetherighttoobjecttoprocessingbasedonlegitimateinterests or the performance of a task in the public interest/exercise or official authority (including profiling). DirectMarketingandprocessingforpurposesofscientific/historicalresearchandstatistics.
8. Rights related to automated decision-making including profiling – This is not applicable to schools. However, shouldanindividual challenge the school inanywayregarding automated decision making,thentheschoolwillcarryoutaninvestigation.
3rd Party Processing Agreement
(FORUSEBYDATACONTROLLERSANDDATAPROCESSORSINACCORDANCEWITHARTICLE28(3)UK GDPR
THISAGREEMENTismadeon(entermonthandyear)BETWEEN:
(1)(SchoolName)(incorporatedin,orexistingandestablishedunderthelawsof,(entercountry)whose registeredofficeisat(Schooladdress)(the“Controller”);and
(2) (Enter company name) (incorporated in, or existing and established under the laws of, (Enter country)whoseregisteredofficeisat(Entercompanyaddress)(the“Processor”).
BACKGROUND
(A) TheControllerprocessesPersonalDatainconnectionwithitsbusinessactivities;
(B) TheProcessorprocessesPersonalDataonbehalfofotherbusinessesandorganisations;
(C) TheControllerwishestoengagetheservicesoftheProcessortoprocesspersonaldataonitsbehalf;
(D) Article 28(3) of the UK GDPR states that, where processing of personal data is carried out by a processoronbehalfofadatacontrollerthecontrollerhasanobligationtochooseaprocessorwhocan provideappropriatesecuritymeasures,andmustensurecompliancewiththosemeasures;
Both controllers and processors are obliged to put in place appropriate technical and organisational measurestoensurethesecurityofanypersonaldatatheyprocesswhichmayinclude,asappropriate:
• encryptionandpseudonymisation;
• theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessing systemsandservices;
• theabilitytorestoreaccesstopersonaldataintheeventofanincident;and
• processesforregularlytestingandassessingtheeffectivenessofthemeasures.
Adherencetoanapprovedcodeofconductorcertificationschememaybeusedasawayofdemonstrating compliance with security obligations. Codes of conduct and certification may also help processors to demonstratesufficientguaranteesthattheirprocessingwillcomplywiththeUKGDPR.
(E) Article28(3)statesthatwhereprocessingiscarriedoutbyaprocessoronbehalfofacontrollersuch processingshallbegovernedbyacontractorlegalactbindingtheprocessortothecontrollerstipulating, inparticular,thattheprocessorshallactonlyoninstructionsfromthecontrollerandshallcomplywith the technical and organisational measures required under the appropriate national law to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosureoraccessandagainstallotherunlawfulformsofprocessing;
(F)Incompliancewiththeabove-mentionedprovisions,theControllerandProcessorwishtoenterinto thisprocessingAgreement.
THEPARTIESHEREBYMUTUALLYAGREEASFOLLOWS:
3. SubjectMatter–Enterabriefdescriptionofroleoftheprocessor.
3.1Natureandpurposeofthe processing–Enterabriefdescriptionofdutiestobecarriedoutbythe processor.
3.2Typeofpersonaldata–EnterXwhererequired:
Children Children –Special Category SchoolStaff School Staff –Special Category Other Other –Special Category
4.DEFINITIONSANDINTERPRETATION
InthisAgreementthefollowingwordsandphrasesshallhavethefollowingmeanings,unlessinconsistent withthecontextorasotherwisespecified:
“nationallaw”shallmeanthelawofthecountryinwhichtheProcessorisestablished;
“Processor”shallmeanallstaffintheemploymentofthecompanynamedinsection2.
“personaldata”shallmeananyinformationrelatingtoanidentifiedoridentifiablenaturalperson('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental,economicculturalorsocialidentity;
“processing of personal data” shall mean any operation or set of operations which is performed upon personaldata,whetherornotbyautomaticmeans,suchascollection,recording,organization,storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwisemakingavailable,alignmentorcombination,blocking,erasureordestruction;
“sub-contract”and“sub-contracting”shallmeantheprocessbywhicheitherpartyarrangesforathird party to carry out its obligations under this Agreement and “Sub Contractor” shall mean the party to whomtheobligationsaresubcontracted;and
“Technicalandorganisationalsecuritymeasures”shallmeanmeasurestoprotectpersonaldataagainst accidentalorunlawfuldestructionoraccidentalloss,alternation,unauthoriseddisclosure,oraccessand againstallotherunlawfulformsofprocessing.
5.CONSIDERATION
InconsiderationoftheControllerengagingtheservicesoftheprocessortoprocesspersonaldataonits behalftheProcessorshallcomplywiththesecurity,confidentialityandotherobligationsimposedonit underthisAgreement.
6. SECURITYOBLIGATIONSOFTHEPROCESSOR
6.1TheProcessorshallonlycarryoutthoseactionsinrespectofthepersonaldataprocessedonbehalf oftheControllerasareexpresslyauthorisedbytheController.Asperpart3ofthisdocument.
7.CONFIDENTIALITY
7.1TheProcessoragreesthatitshallmaintainthepersonaldataprocessedbytheProcessoronbehalfof theControllerinconfidence.Inparticular,theProcessoragreesthat,savewiththepriorwrittenconsent oftheController,itshallnotdiscloseanypersonaldatasuppliedtotheProcessorby,for,oronbehalfof, theControllertoanythirdparty.
7.2TheProcessorshallnotmakeanyuseofanypersonaldatasuppliedtoitbytheControllerotherwise thaninconnectionwiththeprovisionofservicestotheController.
7.3 Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriateresponsetoanyrequestfromaregulatororcourtfordisclosureofinformation.
8.SUB-CONTRACTING
the processor should not engage another processor (a sub-processor) without the controller’s priorspecificorgeneralwrittenauthorisation;
• ifasub-processorisemployedunderthecontroller’sgeneralwrittenauthorisation,theprocessor shouldletthecontrollerknowofanyintendedchangesandgivethecontrollerachancetoobject tothem;
• iftheprocessoremploysasub-processor,itmustputacontractinplaceimposingthesameArticle 28(3) data protection obligations on that sub-processor. This should include that the subprocessor will provide sufficient guarantees to implement appropriate technical and organisationalmeasuresinsuchawaythattheprocessingwillmeettheUKGDPR’srequirements. The wording of these obligations does not need to exactlymirror those set out in the contract betweenthecontrollerandtheprocessor,butshouldofferanequivalentlevelofprotectionfor thepersonaldata;and
• theprocessorisliabletothecontrollerforasub-processor’scompliancewithitsdataprotection obligations.
9.DataSubjectRights
Under Article 28(3)(e) the contractmustprovide for the processor to take“appropriate technical and organisational measures” to help the controller respond to requests from individuals to exercise their rights.
ThisprovisionstemsfromChapterIIIoftheUKGDPR,whichdescribeshowthecontrollermustenable datasubjectstoexercisevariousrightsandrespondtorequeststodoso,suchassubjectaccessrequests, requestsfortherectificationorerasureofpersonaldata,andobjectionstoprocessing.
10.Assistingthecontroller
UnderArticle28(3)(f)thecontractmustsaythat,takingintoaccountthenatureoftheprocessingand theinformationavailable,theprocessormustassistthecontrollerinmeetingitsobligationsto:
• keeppersonaldatasecure;
• notifypersonaldatabreachestotheICO;
• notifypersonaldatabreachestodatasubjects;
• carryoutdataprotectionimpactassessments(DPIAs)whenrequired;and
• consultICOwhereaDPIAindicatesthereisahighriskthatcannotbemitigated.
11.Endofcontractprovisions
• at the controller’s choice, delete or return to the controller all the personal data it has been processingforit;and
• deleteexistingcopiesofthepersonaldataunlessUKlawrequiresittobestored.
Itshouldbenotedthatdeletionofpersonaldatashouldbedoneinasecuremanner,inaccordancewith thesecurityrequirementsofArticle32. itisultimatelyforthecontrollertodecidewhatshouldhappen tothepersonaldatabeingprocessed,onceprocessingiscomplete.
12.Auditandinspections
TheProcessorshallallowforauditsofitsDataProcessingactivitybytheschool
13. TERMANDTERMINATION
13.1 This Agreement shall continue in full force and effect for so long as the Processor is processing personaldataonbehalfoftheController.
13.2 Within (enter number) days following termination of this Agreement the Processor shall, at the directionoftheController,(a)complywithanyotheragreementmadebetweenthepartiesconcerning thereturnordestructionofdata,or(b)returnallpersonaldatapassedtotheProcessorbytheController for processing, or (c) on receipt of instructions from the Controller, destroy all such data unless prohibitedfromdoingsobyanyapplicablelaw.
14.Additional
Thisisoptional.
School can request further information from the processor – This could be around storage/security, retention,etc,andanyotherdetailsthattheschoolasthecontrollerwouldliketoensureareinplace. Thisistosatisfythecontrollerthattheprocessoristakingcareoftheirdata.
Whilethismayencompasssomeofthepointsinthisdocument,thissectionwouldgointomoredetail.
AS WITNESS this Agreement has been signed on behalf of each of the parties by its duly authorised representativeonthedayandyearfirstabovewritten.
SIGNEDonbehalfof[CONTROLLER]
(Authorisedsignatory)
(Printnameandtitle)
SIGNEDonbehalfof[PROCESSOR]
(Authorisedsignatory)
(Printnameandtitle)
Data Protection by design and default
UndertheDataProtectionAct2018(UKGDPR),theschoolhasageneralobligationtoimplementtechnical andorganisationalmeasurestoshowthatyouhaveconsideredandintegrateddataprotectionintoyour processingactivities.
Privacybydesignshouldbeakeyconsiderationintheearlystagesofanyprojectandshouldcontinue throughout its lifecycle. This allows schools to minimise privacy risks and builds trust. By designing projects,processes,productsandsystemswithprivacyinmindattheoutsetitcanleadtobenefitswhich include:
• Potentialproblemsareidentifiedatanearlystage.
• Increasedawarenessofprivacyanddataprotectionacrosstheschool.
• TheschoolaremorelikelytomeettheirlegalobligationsandlesslikelytobreachUKGDPR.
• Actionsarelesslikelytobeprivacyintrusiveandhaveanegativeimpactonindividuals.
Thereare7foundationalprinciplesofprivacybydesign
• Proactivenotreactive
• Privacyasthedefaultsetting
• Privacyembeddedintodesign
• Fullfunctionality–Positive-sum,nozero-sum
• End-to-Endsecurity–Fulllifecycleprotection
• Visibilityandtransparency
• Respectforuserprivacy
1. Proactive not reactive
ThePrivacybydesignapproachischaracterisedbybeingproactiveratherthanreactive.Byusingthis approach, the school will anticipate and prevent privacy invasive events before they happen. This approach means that the school are not waiting for a privacy risk to materialise, nor does it offer remediesforresolvingprivacyinfractionsoncetheyhaveoccurred –itaimstopreventthemfrom occurring.Inshortprivacybydesigncomesbeforethefact,notafter.
2. Privacy as the default setting
Privacybydesignseekstodeliverthemaximumdegreeofprivacybyensuringthatpersonaldata areautomaticallyprotected.Ifanindividualdoesnothing,theirprivacyremainsintact.Noactionis requiredonthepartoftheindividualtoprotecttheirprivacy.
3. Privacy embedded into design.
Privacybydesignisembeddedintothedesignofschoolpractices.Itshouldnotbeaboltedaddon, after the fact. The result is that privacy becomes an essential component of the core functionality beingdelivered.Privacybecomesintegraltoschoolpractices.
4. Full Functionality – Positive-Sum, not Zero-Sum
Privacybydesignseekstoaccommodatealllegitimateinterestsandobjectivesinapositive-sumwinwin manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by design avoids the pretence of false dichotomies, such as privacy vs. security –demonstratingthatitispossibletohaveboth.
5. End-to-End security – Full lifecycle protection
Privacy by design, having been embedded into the project prior to anything else extends securely throughouttheentirelifecycleofthedatainvolved–strongsecuritymeasuresareessentialtoprivacy fromstarttofinish.Thisensuresthatalldataaresecurelyretained,andthensecurelydestroyedat theendoftheprocess,inatimelyfashion.Thus,privacybydesignensurescradletograve,secure lifecyclemanagementofinformation,end-toend.
6. Visibility and transparency
Privacy by design seeks to assure everyone that whatever the practice of the school regarding personaldatathatitisinfact,operatingaccordingtothestatedpromisesandobjectives,subjectto independent verification. Its component parts and operations remain visible and transparent, to usersandprovidersalike.Remember,trustbutverify.
7. Respect for user privacy
Aboveall,privacybydesignrequirestheschooltheprotecttheinterestsoftheindividualbyoffering suchmeasuresasstrongprivacydefaults,appropriatenotice,andempoweringuser-friendlyoptions. Keepitusercentric.
Privacy Impact Assessments
PrivacyImpactAssessments(PIA’s)areanintegralpartoftakingaprivacybydesignapproach.PIA’sare atoolthattheschoolcanusetoidentifyandreducetheprivacyrisksofaproject.APIAcanreducethe riskofharmtoindividualsthroughmisuseoftheirpersonalinformation.Itcanalsohelptheschooldesign amoreefficientandeffectiveprocessforhandlingpersonaldata.
YoucanintegratethecoreprincipalsofthePIAprocesswithyourexistingprojectandriskmanagement policies.Thiswillreducetheresourcesnecessarytoconducttheassessmentandspreadsawarenessof privacythroughouttheschool.
An effective PIA will allow the school to identify and fix problems at an early stage and PIA’s are an integralpartofprivacybydesign.PIAsareoftenappliedtonewprojects.However,aPIAcanalsobeused iftheschoolareplanningchangestoanexistingprocess.
Privacy Risk
PIA’sshouldassisttheschoolinidentifyingprivacyrisk,whichistheriskofharmthroughanintrusion intoprivacy.Thisistheriskofharmthroughuseormisuseofpersonalinformation.Somewaysthatthis riskcanarisearethroughpersonalinformationbeing:
• Inaccurate,insufficientoroutofdate;
• Excessiveorirrelevant;
• Keptfortoolong;
• Disclosedtothosewhothepersonitisaboutdoesnotwanttohaveit;
• Usedinwaysthatareunacceptabletoorunexpectedbythepersonitisabout;or
• Notkeptsecurely.
TheoutcomeofaPIAshouldbetominimiseprivacyrisk.Theschoolshoulddevelopanunderstandingof howitwillapproachthebroadtopicsofprivacyandprivacyrisk.
Benefits
The benefits of a PIA are that it allows individuals to be reassured that the school which uses their informationhavefollowedbestpractice.AprojectwhichhasbeensubjecttoaPIAshouldbelessprivacy intrusive and therefore less likely to affect individuals in a negative way. A PIA should also improve transparencyandmakeiteasierforanindividualtounderstandwhytheirinformationisbeingused. TheschoolshouldalsobenefitfromusingPIA’s.Theprocessofconductingtheassessmentwillimprove how the school use information which impacts on individual privacy. This should in turn reduce the likelihoodthattheschoolwillfailtomeetitslegalobligations. ConductingandpublishingaPIAwillhelptheschoolbuildtrustwiththepeopleusingtheirservices.The actions taken during and after the PIA process can improve the schools understanding of its stakeholders.
ConsistentuseofPIA’swillincreasetheawarenessofprivacyanddataprotectionwithintheschooland ensurethatallstaffinvolvedindesigningprojectsthinkaboutprivacyattheearlystages.
When should we use PIAs?
The core principals of PIA can be applied to any project thatinvolves the use of personal data, or any otheractivitywhichcouldhaveanimpactontheprivacyofindividuals. APIAshouldbeusedonnewprojectsorwhenmakinganamendmenttoacurrentproject.ThePIAshould bebuiltintotheprojectmanagementstructure.
Who should carry out the PIA?
Itistheschool’sdecisionwhoisbestplacedtocarryoutthePIA.TheDataProtectionOfficer(DPO)upon requestwillcompletethePIAonbehalfoftheschool.Thiswillinformtheschoolofanyconcernsthatthe DPOmayhave.However,thefinaldecisiononwhethertoproceedistobetakenbytheschoolasdata controller.
Theschoolmustbesatisfiedthattheyhavealltherelevantpaperwork(ifrequired),andtoensurethat alldatasenttocompaniesisdonesointhecorrectmanner.ForthePIAtobeeffectiveitshouldinclude some involvement from various people within the school, who will each be able to identify different privacyrisksandsolutions.
What should the PIA do?
ThePIAshouldbeflexiblesothatitcanbeintegratedwiththeschoolsexistingapproachtomanaging projects.ThePIAshouldincorporatethefollowing:
• IdentifytheneedforaPIA
• Describetheinformationflows
• Identifytheprivacyandrelatedrisks
• Identifyandevaluatetheprivacysolutions
• SignoffandrecordthePIAoutcomes
• Integratetheoutcomesintotheprojectplan
• Consultwithinternalandexternalstakeholdersasneededthroughouttheprocess.
Consent Process
Sought
• Fornewpupilsaconsentformshouldbegiventoparents/carersbeforethechildbeginsatthe school.
• Theschooladoptsapositiveoptinapproachtoitsconsent.Thismeansthatshouldaparent/carer notreturnaconsentformorleaveanyaspectoftheconsentformincompletethentheschoolwill takethisasano.
Recorded
• Whenaparent/carerreturnstheirconsentform.Thisinformationshouldbeenteredintoyour SchoolMIS.
• Theconsentformshouldthenbefiledawayinasecurelocationforfuturereferenceifrequired.
• Theconsentformisbeingkeptowingtoithavingtheparent/carerssignaturewhichwillallow theschooltoverifyconsentshouldtheybechallenged.
Managed
• Consentwillbereviewedwhentheschoolbelievethisisappropriate.
• Ifaparent/carerdoesnotreturnanupdatedconsentformwhenrequested,thentheschoolwill continuetousethepreviousversion.
• Theschoolwillaskforveryclearandspecificconsentforinformationnotontheschoolconsent form,shouldtheyrequireit,e.g.one-offevents.Thiswillbecarriedoutusingthesameprocesses withinthisdocument.
• Anythird-partywhotheschoolseekconsentonbehalfofwillbenamed.
• Ifaparent/carerwishestowithdrawconsent,theywouldcontacttheschoolandrequestanew consent form. This form will be sent out in a timely manner, and the School MIS updated accordingly.
• Thenewconsentformwillbefiledwithpreviousversions,shouldtheschoolfeelthisisnecessary. Previousversionsarebeingkeptowingto themhavingtheparent/carerssignaturewhichwill allowtheschooltoverifyconsentshouldtheybechallenged.
• Consentformswillbedestroyedinaccordancewiththeschooldisposalguidanceissuedwithin thisdocument.
• The school will avoid making consent a precondition of a service unless there is a lawful requirementtodoso.
Subject Access Requests
TheschoolasthedatacontrollerareresponsibletoensurethatallSubjectAccessrequestsareactioned inthecorrectwayandaccordingtoUKGDPR.
If the school receive a Subject Access Request (SAR) from an individual, they will action this with immediateeffectandwithoutunduedelay.Thismayincludetheschoolbeingsatisfiedthattheindividual whoisrequestingthedataiswhotheysaytheyare.Iftheschoolarenotsatisfied,thentheywillrequest identificationwhichwillbeproportionate.
TheschoolareundernoobligationtocontacttheDPOiftheywishtofulfilarequestthemselves.Ifthisis case, then the DPO will have no input in the SAR process. If the school choose to carry out a request independentlyoftheDPO,theyarestillabletocontacttheDPOforadviceshouldthisberequired.Any advicegivenshouldbeloggedforfuturereference.
However,iftheschoolasthedatacontrollerinformtheDPOandrequestfullassistancethentheywillbe expectedtofollowtheprocessandtimescalessetbytheDPO.Failuretosocouldmeanthattimescales aremissed,andtheschoolcouldbecomesubjectofaninvestigationbytheICO.Thisprocesswillinform the school of what is required, in what format and by when. Once the DPOreceives the data from the school,thenanassessmentwillbecarriedoutandtheschoolwillbeinformedofanyissues.
TheDPOwillendeavourtocompletetheSARonbehalfoftheschool.This mayrequireassistancefrom theschoolwhennecessary.Thismayincludeansweringquestionsorassistinginthecompletionofthe requestiftherearelargequantitiesofdatainvolved.
TheschoolareawarethattheSARmustbecompletedwithinonecalendarmonthfromthedateofthe request. The timescales are created by using the same date in the following month. Where this is not possiblee.g.,31st August,thisbecompletebythe30thof September.Theschoolunderstandthatthistime scalecanbeextendedbyafurthertwomonthsshouldtherequestbeofacomplexnature.Ifthisisthe casethiswillbejustifiable,andtherequestorwillbeinformedwithoutunduedelayandnolaterthanthe initialenddategiven.Theenddateforarequestcanbemovedifthefinaldayfallsonaweekendorbank holidaytothenextworkingday.
Theschoolcanclarifyarequest,asweprocessalargeamountofdata.Wemayaskarequestortospecify theinformationtheyrequirebeforewerespondtoarequest.Thismeansthatwedonothavetoprovide anydatauntilwehaveobtainedclarification.However,weareawarethatwecannotforceanindividual tonarrowthescopeoftheirrequest.Ifaresponseisreceived,thenwewillaction.Ifaresponseisnot received,wewillwaitareasonableperiodbeforeconsideringtherequestclosed.
IftheDPOcarriesoutcompletionoftheSARitwillbereturnedtotheschoolwithacoveringletterforthe requestor,andaletterforschooluse.
Theschoolasdatacontroller:-
• have the right to refuse a SAR should they deem the request to be manifestly unfounded or excessive.
• have the right to charge a reasonable fee in certain circumstances. However, the school understandthatinmostcasesnofeewouldapply.
• Will not amend or delete any data during a subject access request period, that it wouldn’t otherwisehavedonesoinitsday-to-dayoperations.
• WillrespondtotheSARinanintelligibleform.Thismeansthatitwillbeprovidedinawaythat iscapableofbringunderstoodbytheaverageperson.
• Considertherightsofachildwhenarequestismadefortheirdata.Iftheschoolbelievethatthe childisoldenoughandmatureenoughtounderstandtheprocessanddata,thentheywillrespond tothechildunlesspermissionisgivenfromthechildtoprovidethisdatatoathirdparty.
• Will not comply to a SAR if by doing so would mean disclosing information about another individualwhocouldbeidentifiedfromtheinformationprovided.Unlessconsenthasbeengiven or it is reasonable in the circumstances to comply with the request without the individual’s consent. When deciding to not seek consent we will balance the data subjects right of access againsttheotherindividual’srightsrelatingtotheirownpersonaldata.Whereadecisionismade thatconsentisnotrequiredthenjustificationwillberecorded.However,wherepossibledatawill beeditedtoprotecttheidentityofathirdparty.
Education Records
Aneducationrecordisdifferenttoasubjectaccessrequest.However,someinformationheldaspartof aneducationrecordwouldcrossoverintoaSAR.
Those with parental authority only can request access to a child’s education record under education regulationslistedbelow:-
In England, schools are regulated by The Education (Pupil Information) (England) Regulations 2005. Those with parental authority can apply to the school to view an education record or receive a copy.
In England, this right only applies to all local authority schools, and all special schools, including those which are not maintained by a local authority.
Independent schools, academies and free schools are NOT OBLIGED to respond to a request for access to a pupil’s education record under this legislation.
Access to education records is a separate right and is not covered by Data Protection legislation. Unlike the right to access under Data Protection legislation, this right does not extend to pupils.
In broad terms an education record would be information that the school holds on a child, which is informationallaboutthechildandwouldrequirenoredaction.Aneducationrecordcoversinformation thatcomesfromateacherorotheremployeeofalocalauthorityorschool,thepupiloryouasaparent, andisprocessedbyorfortheschool’sgoverningbodyorteacher.Thisislikelytocoverinformationsuch as the records of the pupil’s academic achievements as well as correspondence from teachers, local educationauthorityemployeesandeducationalpsychologistsengagedbytheschool’sgoverningbody.It mayalsoincludeinformationfromthechildandfromyou,asaparent,carer,orguardian.
Informationprovidedbytheparentofanotherchildorinformationcreatedbyateachersolelyfortheir ownusewouldnotformpartofachild’seducationrecord.
Theschoolmustrespondwiththeinformationwithin15workingschooldays.
CCTV
1. Introduction
1.1 AllBBCETschoolsuseclosedcircuittelevision(CCTV)imagestomonitorschoolbuildingsto provideasafeandsecureenvironmentforpupils,staffandvisitors,andtopreventthelossor damagetoschoolproperty.
1.2 SchoolCCTVsystemsarenotmonitoredcentrallybutfootageisavailableforwarrantedrequests fromtheschoolsITNetworkManager(orequivalent).Thisdataisheldfor28daysunlesstheyare requiredforanongoinginvestigation.
1.3 TheintroductionofanychangestoCCTVmonitoringwillbesubjecttoconsultationwithstaffand theschoolcommunity.
1.4 Allauthorisedoperatorsandemployeeswithaccesstoimagesareawareoftheproceduresthat needtobefollowedwhenaccessingtherecordedimagesandsound(ifapplicable).Allschool operatorsaretrainedbytheschooldatacontrollerintheirresponsibilitiesundertheCCTVCodeof Practice.Allemployeesareawareoftherestrictionsinrelationtoaccessto,anddisclosureof, recordedimages.
1.5 AllschoolCCTVinformationisloggedinaccordancewiththeschool’sUKGDPRpersonaldata ecosystem.
2. Statement of Intent
2.1 BBCETschoolsmustcomplywiththeInformationCommissioner’sOffice(ICO)CCTVguidanceto ensureitisusedresponsiblyandsafeguardsbothtrustandconfidenceinitscontinueduse. https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/cctv-code-of-practice-revised/
2.2 CCTVwarningsignsshouldbeclearlyplacedattheexternalentrancetotheschool,orother appropriatearea
3. Siting the Cameras
3.1 Cameraswillbesitedsotheyonlycaptureimagesrelevanttothepurposesforwhichtheyare installed,andcarewillbetakentoensurethatreasonableprivacyexpectationsarenotviolated. BBCETschoolswillensurethatthelocationofequipmentiscarefullyconsideredtoensurethat imagescapturedcomplywithUKGDPR.
3.2 BBCETschoolswillmakeeveryefforttopositioncamerassothattheircoverageisrestrictedto schoolpremises,whichmayincludeoutdoorareas.
3.3 CCTVwillonlybeusedinclassroomsforhealthandsafetyreasons.Theywillalsobeusedinother areaswithintheschoolthathavebeenidentifiedasnotbeingeasilymonitored.
3.4 SchoolstaffshouldhaveaccesstodetailsofwhereCCTVcamerasaresituated,exceptforcameras placedforthepurposeofcovertmonitoring.
4. Covert Monitoring
4.1 BBCETschoolsmayinexceptionalcircumstancessetupcovertmonitoring.Forexample:
4.1.1 Wherethereisgoodcausetosuspectthatanillegalorunauthorisedaction(s),istakingplace,or wheretherearegroundstosuspectseriousmisconduct;
4.1.2 Wherenotifyingtheindividualsaboutthemonitoringwouldseriouslyprejudicethereasonfor makingtherecording.
4.2 Inthesecircumstances,authorisationmustbeobtainedfromamemberoftheseniorleadership team.AdvicewillalsobesoughtfromourDataProtectionOfficer.
4.3 Covertmonitoringmustceasefollowingcompletionofaninvestigation.
4.4 Camerassitedforthepurposeofcovertmonitoringwillnotbeusedinareaswhicharereasonably expectedtobeprivate,forexampletoiletcubicles.
5. Storage and Retention of CCTV images
5.1 Allrecordeddatawillnotberetainedforlongerthanisnecessary.Allimageswillbekeptin accordancewiththeinformationheldontheschool’spersonaldataecosystem.Whileretained,the integrityoftherecordingswillbemaintainedtoensuretheirevidentialvalueandtoprotectthe rightsofthepeoplewhoseimageshavebeenrecorded.
5.2 Allretaineddatawillbestoredsecurely.
6. Access to CCTV images
6.1 Accesstorecordedimageswillberestrictedtothosestaffauthorisedtoviewthemandwillnotbe mademorewidelyavailable.
7. Subject Access Requests and Freedom of Information Requests
7.1 IndividualshavetherighttorequestaccesstoCCTVfootagerelatingonlytothemselvesunder UKGDPR.
7.2 SchoolsreservetherighttorefuseaccesstoCCTVfootagewherethiswouldprejudicethelegal rightsofotherindividualsorjeopardiseanon-goinginvestigation.
7.3 CCTViscoveredbytheFreedomofInformationAct2000.
8. Access to and Disclosure of Images to Third Parties
8.1 Therewillbenodisclosureofrecordeddatatothirdpartiesotherthantoauthorisedpersonnel suchasthePoliceandserviceproviderstotheschoolwherethesewouldreasonablyneedaccessto thedata(e.g.investigators).
8.2 SchoolswillneverdiscloseCCTVimagestothemediaorplaceCCTVimagesontheInternet.
8.3 Thedatamaybeusedwithintheschool’sdisciplineandgrievanceproceduresasrequiredandwill besubjecttotheusualconfidentialityrequirementsofthoseprocedures.
8.4 Ifthefootageincludesotherpeople,theschoolneedstoredactitsootherscan’tbeidentified. Iftheschoolcan’tredactthethirdpartyfootage,theymustaskforconsentbeforereleasingit. Wherethisisn’tpossibleorappropriate,theschoolmustbalancetherequester’srightsagainstany third-partyrightstoprivacyanddecideifit’sreasonabletosharethefootagewithouttheirconsent.
9. Complaints
9.1 ComplaintsandenquiriesabouttheoperationofCCTVwithintheschoolshouldbedirectedtothe Headteacherinthefirstinstance.
Photographs and videos
Theschoolwillensurethatanyphotographs/videosusedbytheschoolwillonlybedonesowithexplicit consentfromtheparent/carerofthechild,oranyadultincludedinthephotograph/video.Itisassumed by the school that this consent will only cover the image of the individual and does not include the publication of names, and any special category data such as gender and date of birth. The school will obtainfurtherconsenttousenames,andspecialcategorydata.
Thiswillincludephotographs/videos;
usedinschoolpublicationssuchasnewsletters,prospectus; usedontheschoolwebsite; usedonsocialmediasuchasFacebook,twitter; onschoolpremises; externalvenues.
Theschool willmake parents/carers aware thatwhile theyare permittedto takephotographs/videos during school performances/events, that these are for private use only, as long as they are not of an indecentnature.
Should any photographs/videos be shared without consent from the individuals within the photograph/videothentheyarebreakingdataprotectionlaws,andtheschoolreservetherighttoreport thebreachofdataprotectiontotheInformationCommissionersOffice(ICO)
Parents/carerswillbeinformedofthispolicyateveryperformance/eventwheretheschoolbelievethat thereisapossibilitythatphotographs/videoscouldbetaken.Theschoolreservetherighttorequestthat nophotographs/videosaretakenduetosafeguardingconcerns,whichsurpassestheparents/carerright totakephotographs/videosfortheirownpersonaluse.
Livestreamingofschoolperformancesisstrictlyprohibited.
The above also includes performances/events that are not on the school site but include children and adultswhoattendtheschool.
Clear Desk & Protecting Data
Theschoolwillprotectpersonaldataandkeepitsafefromunauthorisedaccess. Theschoolwillusea combinationofsoftwareandhardwarecontrolswhichmayincludepasswordsandencryption.
Also,toimprovethesecurityandconfidentialityofinformation,weencouragestafftoadoptaClearDesk Policyapproachthroughouttheschool.
This will ensure that all Personal data, is secured when not in use. This will reduce the risk of unauthorisedaccess,lossofanddamagetoinformationduringandoutsideofschoolhours.
Thisappliestoanyoneworkingwithintheschool.
1. Paperdocumentsshouldberemovedfromthearea,andnotleftlyingaround.
2. Itemsonwallsanddesksshouldbejustifiableandonlydoneasalastresort.Always,remember thatifadocumentisonawalloradeskthenotherpeoplecanseeit,andthiscouldleadtoadata breach.
3. Paper documents must be disposed of in accordance with the school’s disposal and retention guidancewithinthisdocument.
4. Keysforaccessingdrawersshouldnotbeleftunattended.
5. Computersshouldalwaysbelockedwhenunoccupied.
6. Computerequipmentwhichholdspersonaldatawillbeheldsecurelywhennotinuse.
7. Care should be taken when printing to ensure that documents are not left on the printer unnecessarily.Choosetimestodothiswhentheprintermaybelessbusysothedocumentscan becollectedimmediately.Undernocircumstancesshoulddocumentsnotbecollectedandlefton theprinter.
8. Useofmemorysticksinaccordancewiththeschoolpolicy,whichisavailableuponrequest.
Emails
Introduction
Emailsandattachmentsmaybeconfidentialandareintendedsolelyfortheuseoftheindividualtowhom itisaddressed. Anyviewsoropinionsexpressedaresolelythoseoftheauthoranddonotnecessarily representthoseoftheschool.Communicationsbye-mailarenotguaranteedtobeprivateorsecure.
Usage
Allstaffhavearesponsibilitytoensuretheymakeappropriateandproperuseofemailsandtobeaware thatitispossiblethatyouremailmaybeviewedbyindividualsotherthantheintendedrecipient.Staff should also be aware that not all emails are genuine and that they should not access any emails that appearsuspicious.Iftheyareindoubt,theyshouldreporttotheHeadTeacherortheirICTteam.
Staffarerequiredtocheckemailsonaregularbasisandrespondwherenecessaryinatimelymanner. Whenforwarding emails staff will consider the rights of all individuals included inthe email and only forwardonemailswhenappropriate.
IfanyEmailsaresentbytheschooltomorethanoneindividual,thentheschoolwilluseBCC.Thisensures that the names of the recipients are kept private and no one within that Email will receive the email addressesofanyoneelse.However,theschoolreservetherighttouseCCformultipleemailrecipients shouldtheybelievethisisnecessary.WhereCCisusedincorrectlythenthestaffmemberwillreportthis asadatabreachtotheHeadTeacher.
Anydatathatisprotectedbycopyrightshouldnotbeincludedinemails.
Staffwillalwaystakecaretoensurethatemailsaresenttothecorrectemailaddress.Shouldanemailbe sentincorrectlythenthestaffmember will report this as adata breach to the HeadTeacher. Shoulda staffmemberreceiveanemailinerrorthentheywillreportthistothesenderimmediatelyanddelete frombothinboxanddeletedfolder.
Inappropriateuseofemailwhichincludes butnotlimitedto,bringingtheschoolintodisrepute,useof offensive,obscene/indecentimagesordata,hatecrimes,defamatory/deceptivecomments,harassment, andsendingunsolicitedemails.
No Emails containing confidential or sensitive information will be sent by the staff unless this is by a securemanner.Thiswillincludeitemssuchaschildren’snamesandanydatathatissubjecttoSpecial Category protection under UKGDPR.Confidential and sensitive information excluding the above list wouldbedeterminedbytheschool.
Marketingemailswillnotbesentbythestafftoanypartywhohasnotopted-intoreceivesuchEmails.
Failuretodosocouldleadtodisciplinaryaction.
Email Accounts
If a staff member has unexpected or prolonged absence, then the school has the right to access email accountstoensurethattheschoolisnotadverselyaffectedbythisabsence.Theschoolmayalsoaccess anemailaccounttofulfilllegalrequirementsundertheDataProtectionAct2018(UKGDPR),andunder othercircumstancessuchasbutnotlimitedto;preventanddetectcrimeandprotecttheschoolnetwork. ShouldthisoccurthenapprovalwillbegivenbytheHeadTeacheroftheschoolandbejustifiable.When appropriatetheowneroftheemailaccountwillbeadvisedoftheactionstakenbytheschool.
Wheretheschoolallowsuseofschoolemailforpersonaluseindividualswillbeinformedthattheyshould beawarethattheschoolhavetherighttoaccesssaidemailshouldtheyfeelthisisnecessaryandinthe bestinterestoftheschool.Wherethisisthecasethenthiswillbeloggedandbejustifiable.Personaluse oftheirownemailsystemmaytakeplaceinanemployee’sowntimeprovideditdoesnotinterferewith thesmoothrunningoftheschoolordenyresourcestootherusers
Retention of Emails
AllEmailswillbekeptbytheschoolnolongerthanisnecessaryforthepurposeofwhichthepersonal dataareprocessed.
Emailswillbedeletedbytheschoolafteroneacademicyearaftertheyhavebeenreceivedorsent.This willbecarriedoutbythestaffmemberorcentrallyshouldtheschoolhavethisfacility.However,certain Emailsmaybekeptforlongerperiods(includingindefinitely,ifthisisinthebestinterestofthe school) andwillbestoredcorrectlyandbejustifiable.Eachdeletionperiodwilloccuratthebeginningofeach month.
TheschoolemailserviceisprovidedbyMicrosoftOffice365.
Social Media
Definition
SocialMediaisdefinedaswebsitesandapplicationsthatenableuserstocreateandsharecontentorto participate insocial networking. This includes but not limited to platforms such as Facebook, Twitter, Instagram,Wikipedia.
Social Media Use
Staffareexpectedtokeeptheirpersonalandprofessionalsocialmediauseseparate.Thisistonotonly protectthem,butthechildrenandparent/carersoftheschool.
Basic Principles
Staffshouldensurethatdataprotectionprincipalsarealwaysadheredto,andnoinformationrelatingto personaldatashouldbeuploadedtoanysiteunlessexplicitconsenthasbeengiven.
Personaldataisclassifiedasanyinformationthatcanidentifyalivingindividualormaybepossibleto identifyalivingindividual.Thiswouldincludeimagesandvideos.
Specialcategorydatashouldneverbeenteredoruploadedtosocialmedia.Thisisdatathatcanbeclassed assensitiveandcouldalsoleadtodiscriminationagainstanindividual.
Noinformationthatthestaffmemberisprivytoregardingtheirroleattheschoolshouldbeenteredor uploadedtosocialmedia.Thiswouldincludeidentifyingpupils,parent/carers,orstaffattheschool.
Personal social media
• Staffshouldnotidentifythemselvesasbeingemployeesoftheschoolorengageinanyactivities thatbringtheschoolintodisrepute,thisincludesrepresentingyourpersonalviewsasthoseof theschool.
• Staffshouldnothavesocialmediacontactwithanypupilunlesstheyareafamilymember.Unless consenthasbeengivenbytheschool.
• Whereverpossiblestaffshouldnothavecontactwithapupil’sfamilymemberifthatcontactcould constituteaconflictofinterestorcallintoquestiontheirobjectivity.
• Any personal data as identified in the basic principles section of this document, which in turn identifiestheindividualasbeinglinkedtotheschoolshouldnotbeuploaded.
• Schoolemailaccountsshouldnotbeusedincreationofsocialmediaaccounts.
• Socialmediasitesshouldnotbeaccessedbyastaffmemberduringworkinghours.
School Social Media
• Staff should only use social media sites approved by the senior leadership team and used as definedbytheseniorleadershipteam.
• Socialmediasiteswillbemonitoredbytheseniorleadershipteam.
• Whenusingsocialmediasitesonbehalfoftheschool,staffmembersmustalwaysactinthebest interestsofthechildren/parent/carersandoftheschool.
Misuse
Anybreachofthispolicywouldleadtotheschooldatabreachpolicybeinginvoked.
Other
Iftheschoolbecomeawareofcommentsonsocialmediasitesthatwebelieveconstitutesahatecrime, thentheschoolreservetherighttoreportthistothepoliceforaction.Ahatecrimeisanycrimethatis targetedatapersonoragroupofpeoplebecauseorprejudiceorhostilityabout:-
Race
Religionorbelief
Sexualorientation
Transgender identity – including anyone who is transsexual, transgender, transvestite or who holds a genderrecognitioncertificate.
Disability–includingphysicalormentalimpairmentorlearningdisability.
Biometric Recognition systems
Where the school uses such systems, a full separate policy will be in use and can be obtained upon request.
Data security and storage
Theschoolwillprotectpersonaldataandkeepitsafefromunauthorised access.Computerequipment whichholdspersonaldatawillbeheldsecurelywhennotinuse.
Retention
Theschoolwillonlykeepdocumentswhenwehavealawfulreasontodoso.TheDFErecommendthat school use the IRMS toolkit for retention guidance. This or any other retention information can be obtainedfromtheschooluponrequest.
Anydocumentsthatarenolongerrequiredwillbedestroyedinaccordancewiththe school’sdisposal guidancebelow.
School Disposal Guidance
Allpersonaldatawillbedestroyedinarobustfashion.Thiswillincludeshreddingpaperdocumentson sitebyschoolstaff,orwhereapplicablethedatabeingremovedbyaprofessionalcompanyanddestroyed
bythemeitheronsiteoroffsite.Wherea3rd partycompanyisusedthentheschoolwillensurethatthe correctpaperworkisobtained.
Datathatisdeletedfromourcomputersystemswillbedestroyedusingthetechnicalfacilitiesavailable tous.Staffmemberswillensurethatdataisdeletedfullyfromcomputersystems
Freedom of Information (FOI)
TheschoolisrequiredtohaveaFOIpublicationscheme.Thisliststhedocumentstheschoolareexpected to holdinaccordance with ICOmodel template, and howanindividual canobtain these documents.It alsolistsiftheschoolchargeforanyofthisinformation.
The school is under no obligation to have a Freedom of information policy. However, the school will adheretothelegislationregardingFOIasprovidedbytheICOandrespondwithin20schooldaysor60 workingdaysifthisisshorter.
Guidetofreedomofinformation|ICO
Staff Processing Agreement/Acceptable use
All staff members will adhere to the school’s staff processing/acceptable use agreement in relation to personaldata.Thisdocumentcanbeobtaineduponrequest.
Bring your own device (BOYD)
Wheretheschoolallowsastaffmembertousetheirowndevicetoprocesspersonaldatawhichbelongs totheschool,thenthestaffmemberwilladheretotheguidanceissuedbelowfromtheICO.
https://ico.org.uk/media/fororganisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf