General Data Protection Regulation (GDPR) April 2019
1. POLICY STATEMENT
- This is the Data Protection Policy of Stoneyholme Community Primary School (“the School”)
- We are committed to processing Personal Information fairly and lawfully in accordance with the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“The DPA”) and other related legislation which protects Personal Information. We recognise the importance of this and have updated our Policy to ensure that it gives effect to these important changes in the law.
- As a School, it is necessary for us to process Personal Information about our staff, pupils, parent(s) / guardian(s) and other individuals who we may come into contact with. In doing so, we recognise that the correct and lawful treatment of Personal Information is critical to maintaining the confidence of those connected with our School.
- This Policy has been updated to reflect our ongoing commitment to promoting a strong culture of data protection compliance in accordance with the law.
2. ABOUT THIS POLICY
- This Policy, and any other documents referred to in it, sets out our approach to ensuring that we comply with data protection laws. It is critical that staff and governors understand their responsibilities to handle Personal Information in accordance with the law and support the School in meeting its aim of maintaining a strong data protection culture.
- This Policy does not form part of any employee’s contract of employment and may be amended at any time.
- This Policy has been approved by the Governing Body.
3. DEFINITION OF DATA PROTECTION TERMS
We have set out below some of the terms used in this policy along with a brief explanation about what they mean.
- Data Subjects means an identified or identifiable natural person. For example, we process personal information about parents, staff members and pupils each of whom is a data subject.
- Personal Information means any information about a data subject. Examples of personal information could include information about a pupil’s attendance, medical conditions, Special Educational Needs requirements or photographs.
- Privacy Notices are documents provided to data subjects which explain, in simple language, what information we collect about them, why we collect it and why it is lawful to do so. They also provide other important information which we are required to provide under data protection laws.
- Data Controllers determine the purpose and means of processing personal information. They are responsible for establishing practices and policies in line with the GDPR. The School is a ‘Data Controller’.
- Data Users are those of our staff members whose work involves processing personal information. Data users must protect the data they handle in accordance with this Policy and any applicable data security procedures at all times.
- Processing means when personal information is used in a particular way. For example, we may need to collect, record, organise, structure, store, adapt or delete personal information. When we do this, we will be ‘Processing’.
- Special Category of Personal Information means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a data subject’s sex life or sexual orientation. These types of personal information are regarded as being more ‘sensitive’ and the law requires increased safeguards to be in place if we are to process this type of data.
4. DATA PROTECTION PRINCIPLES
- When we Process Personal Information, we will do so in accordance with the ‘data protection principles’. In this regard, we will ensure that Personal Information is:-
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
- We recognise that not only must we comply with the data protection principles, we must also demonstrate our compliance with these principles (Accountability).
5. DATA PROTECTION OFFICER
- The GDPR requires certain organisations, including schools, to appoint a ‘Data Protection Officer’ (“DPO”). The DPO must have expert knowledge in data protection law and practices. Our appointed DPO who fulfils these requirements is HY Professional Services, who can be contacted by telephone on 0161 804 1144 or email at DPO@wearehy.com
- The DPO will carry out a number of important tasks which will include: -
- monitoring compliance with data protection laws and our data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits.
- advising on, and monitoring, data protection impact assessments.
- cooperating and being the first point of contact with the Information Commissioner’s Office, members of staff, parents and pupils.
- The DPO will be independent of the School to avoid any conflict of interest.
- The DPO will report to the highest level of management in the School which is to include the Headteacher and the Governing Body.
6. LAWFULNESS, FAIRNESS, TRANSPARENCY
- Personal Information must be Processed lawfully. Under data protection laws, there are a number of grounds which make it lawful to Process Personal Information. We will only Process Personal Information if one or more of the following apply: -
- the Data Subject has given his or her consent.
- the Processing is necessary for the performance of a contract with the Data Subject.
- the Processing is necessary to meet our legal obligations.
- the Processing is necessary to protect the Data Subject’s vital interests.
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (often referred to as Public Task).
- We recognise that some categories of Personal Information are more sensitive and further conditions must be satisfied if we are to Process this information (Special category and criminal conviction data). Where we Process these categories of Personal Information, we will ensure that we do so in accordance with the additional conditions for Processing set out under the GDPR and the DPA.
- Where it is necessary for us to obtain consent to process Personal Information, we will ensure that we do so in accordance with data protection laws.
- Generally, we will only obtain consent where there is not another lawful ground (see 6.1) for Processing. An example of when we will obtain your consent is if we want to place a photograph of a pupil in the newspaper, on social media or in other publications to celebrate their achievements.
- We recognise that under data protection laws, there are stricter rules as to how consent is obtained. We will ensure that when we obtain consent, we: -
- take steps to ensure that we make it clear to Data Subjects what they are being asked to consent to.
- ensure that the Data Subject, either by a statement or positive action, gives their consent. We will never assume that consent has been given simply because a Data Subject has not responded to a request for consent.
- never use pre-ticked boxes as a means of obtaining consent.
- ensure that a Data Subject is informed that they can withdraw their consent at any time and the means of doing so.
- keep appropriate records evidencing the consents we hold.
- We are required to provide information to Data Subjects which sets out how we use their Personal Information as well as other information required by law. We will provide this information by issuing Privacy Notices which will be concise, transparent, intelligible, easily accessible, and in clear, plain language.
7. PROCESSING FOR LIMITED PURPOSES
We will only collect and Process Personal Information for specified, explicit and legitimate reasons. We will not further Process Personal Information unless the reason for doing so is compatible with the purpose or purposes for which it was originally collected.
8. ADEQUATE, RELEVANT AND LIMITED PROCESSING
We will only collect Personal Information to the extent that it is necessary for the specific purpose notified to the Data Subject.
9. ACCURATE DATA
- We will ensure that Personal Information we hold is accurate and kept up to date.
- We will take all reasonable steps to ensure that Personal Information that is inaccurate is either erased or rectified without delay.
- In supporting the School to maintain accurate records, staff, parents and other individuals whose Personal Information we may Process are responsible for: -
- Checking that any information that they provide to the School is accurate and up to date; and
- Informing the School of any changes to information that they have provided.
- We will not keep Personal Information for longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy and erase from our systems all data which is no longer required.
- We will maintain a records retention schedule which will assist the School to destroy Personal Information, once it is no longer necessary, in a safe and secure manner.
11. INDIVIDUAL RIGHTS
- We will Process all Personal Information in line with a Data Subject’s rights, in particular, their right to:
- Request access to any data held about them by the School.
- Rectification of inaccurate information.
- Erasure of Personal Information.
- Restrict the Processing of Personal Information.
- Object to the Processing of Personal Information.
- To receive Personal Information in a commonly used format (known as data portability) and have this transferred to another controller without hindrance.
- We will maintain a clear procedure detailing how such requests will be
12. DATA SECURITY
- We will implement appropriate technical and organisational measures to guard against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
- We will develop, implement and maintain safeguards appropriate to our size, scope, our available resources and the level of risk identified.
13. PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
13.1 We will integrate privacy by design measures when Processing Personal Information by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles.
13.2 We will utilise Data Protection Impact Assessments (“DPIAs”) which will be used when introducing new technologies or the Processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
14.1 As a Data Controller, we are responsible for, and must be able to demonstrate, compliance with the data protection principles. Examples of how we will demonstrate compliance include (but are not limited to): -
- appointing a suitably qualified DPO.
- implementing policies and procedures e.g. a data protection policy, data breach procedures and subject access procedures.
- undertaking information audits and maintaining a record of our processing activities in accordance with Article 30 of the GDPR.
- preparing and communicating Privacy Notices to Data Subjects.
- providing appropriate training at regular intervals.
- implementing privacy by design when Processing Personal Information and completing data protection impact assessments where Processing presents a high risk to the rights and freedoms of Data Subjects.
15. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
- Where it is necessary to share Personal Information outside of the School, we will inform you about this in accordance with this policy.
- Examples of who we may share Personal Information with include other schools, the Local Authority and the Department of Education.
16. DATA BREACHES
All data breaches must be handled in accordance with the School’s internal breach reporting procedure.
17. CHANGES TO THIS POLICY
We reserve the right to change this policy at any time and notification of any changes will be communicated accordingly.