General Data Protection Regulation
Data Protection Policy
Introduction
Farsley Springbank Primary School will comply with the demands of the General Data Protection Regulation (GDPR) to be known as the Data Protection Act 2018.
Members of staff will be made familiar with the requirements of the GDPR either in a staff briefing or as part of their induction.
This policy follows guidance issued by the Information Commissioner’s Office (ICO) and the Department for Education (DfE).
The school is a Data Controller, as it processes the personal information of pupils, families, staff, visitors and other school users.
The school is a Data Processor, as it processes data on behalf of other public bodies such as the DfE.
Definitions
Data processing
The acquisition, storage, processing and transmission of data
Data subject
Any identifiable person whose data is processed
Consent
Must be freely given, specific and an unambiguous indication of the subject’s wishes. It must be recorded and available to an audit. A person must be 13 years old in order to record their consent.
Cross-border processing
The GDPR covers all EU states and will remain part of UK law. Data cannot be stored beyond the EU and UK borders (the exact borders are those of the European Economic Area).
Sensitive data
The GDPR/ICO requires that particular care is taken with the following data
Filing system
Any structured set of personal data, however stored in any format (physical or digital) that can be processed
Personal data breach
A breach of data security leading to the accidental or unlawful destruction, loss, theft, alteration, unauthorised disclosure, sale or access to any processed data. Data subjects affected by a data breach must be informed of the breach within 72 hours. Breaches must be reported to the ICO within 72 hours.
Pseudonymisation
The act of making data anonymous. There must be security between pseudonymised data and any data that could re-identify a person.
Password protection
The act of ‘locking’ a device or document. The information itself remains readable to anyone who gets past the password.
Encryption
The act of encoding the information itself, so that it cannot be read without the password or code.
Legal basis
The school decides, and registers with the ICO, the legal basis on which it processes data. As a public body with set duties, the school uses the following bases for processing and controlling data:
Legal basis: Public Task
Legal basis: Consent
Legal basis: Contract
Personal data
Anything that might lead to the identification of a person: name, number, characteristics, photograph, correspondence.
Data portability, data subject access request
Data subjects (or a child’s parents) may request access to a copy of all their data. The school has established an efficient means of accomplishing this task, for which no charge may be made, and which will be completed within 15 working days. Data subjects may request that data is brought up-to-date or made more accurate. [1]
Principles
Roles and Responsibilities
The school’s Privacy Statements set out in detail how the school will maintain the security of school users’ data. The Acceptable Use Policies set out the duties of the staff and other school users in supporting data security.
Within school, the security of data is coordinated by Miss S Percival and Mrs E Goddard.
The governor with special responsibility for data security is Mr S Bradshaw.
The school has appointed a Data Protection Officer who has responsibility for overseeing the implementation of this policy and all GDPR related documents. The DPO will monitor compliance, report to the school leadership and support the school with updates and interpretations as the GDPR develops.
The DPO will liaise between the school and the ICO and must be informed as soon as is practicable of any personal data security breach.
The DPO will support the school in its communication with school users (pupils, families, parents, governors, contractors and visitors) about the school’s GDPR procedures. This will include the drafting of privacy statements, acceptable use policies and data subjects’ rights.
Data subject requests should be made in writing to the DPO. The DPO might have to respond to any or all of the following:
Children below the age of 13 do not have the right to make a subject access request, so requests must be made by parents. The school may take into account the views of a pupil.
The school’s DPO is:
Richard Lewis-Ogden
Carr Manor Community School
Carr Manor Road
Leeds
LS17 5DJ
Telephone 0113 3368400
Email dataprotection@carrmanor.org.uk
Data Audit
The school will carry out a data audit with support from the DPO and their technical support company. Within the audit the school will record all third parties’ compliance with the GDPR if those third parties process data for any school users. Such confirmation will, from now on, be an essential part of any contract with third parties when the processing of school users’ data is involved. The school will not share data with, or have any data processed by, any third parties who do not confirm their compliance with GDPR requirements.
Preferably, companies that process school users’ data will have certification to ISO 27001.
The audit will also check the security of physical and digital records and devices.
Processing Records
To meet the ICO’s recommendation that ‘scrupulous records’ are developed, the school will record its processing of data and the results of its data audit. It will record the ongoing security measures for physical and digital filing systems. Confirmation of compliance by third parties accessing any school user data will be recorded.
In broad terms, the school will record which data has been processed (including deletions when data should no longer be stored) and on which legal basis.
Consent replies are recorded within the system.
Sharing Data
Personal data may be shared with third parties to
CCTV
CCTV is used to support the safety and security of school users. We adhere to the ICO’s code of practice* for its use. Although consent is not required for its use, prominent notices inform school users that CCTV is used within the school site.
*In the picture: A data protection code of practice for surveillance cameras and personal information
Photographs and moving images
Consent is requested from parents and staff for the use of images. Letters requesting consent outline the choices that pupils and staff may make for the use of their images.
The school may seek consent to use photographs for the following purposes:
The school’s specific data security measures - data protection by design
Data breaches
All staff must report to a member of the SLT or the DPO any suspected data breach (the loss, theft, unauthorised access to data etc.) immediately. It will be for the SLT/DPO to decide whether the suspected data breach warrants reporting to the ICO. [2] NB a data breach would include the accidental sharing of personal data via a wrongly addressed email.
Training
All staff will receive basic training in the requirements of the GDPR. The training will be recorded in the data audit and/or the data processing records. Governors will also receive a briefing. Data protection will form a part of pupils’ e-safety education. The school will keep staff and governors up to date with guidance, changes and interpretations to data protection law.
Data Protection Impact Assessment
For the school’s most sensitive data processing activities the school will have completed a DPIA, to ensure that the risk to individuals from a data breach, and the risk to the school’s reputation, is minimised. Staff involved in processing the school’s most sensitive data will have to record their reading and understanding of the relevant DPIA.
Monitoring
The DPO will lead the formal monitoring of the school’s compliance with the GDPR. Every member of staff and governor shares a responsibility to monitor compliance and to report any suspected failures to comply.
Footnotes
[1] Data subjects’ rights include
[2] In deciding whether to pass on a suspected data breach to the ICO the DPO will consider whether the data breach might affect a person’s
Policy approved by the Governing Body
Date: 25th June 2019
To be reviewed annually