Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery

Transcription

1 Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery Date approved by the Board of Directors: 7 July 2017 Date adopted by Essa Academy Local Governing Body: 19 September 2017 Date adopted by Essa Primary Academy Local Governing Body: 20 September 2017 Date adopted by Essa Nursery Management Committee- 19 September 2017 Date for review: July 2018 Policy written by: Berny Sansome Policy revised/ updated by: Justine Hatter - May 2017 Data Protection Act Policy, EFAT Version 6 Final, May Draft 1

2 Contents Page 3-7: The Policy Page 8-9: Annex 1 Privacy Notice/ Fair Processing Notice for Essa Academy- to be given to parents/ carers Page 10-1: Annex 2 Privacy Notice/ Fair Processing Notice for Essa Primary Academy- to be given to parents/ carers Page Annex 3 Privacy Notice/ Fair Processing Notice for Essa Nursery- to be given to parents/carers Page 14 : Annex 4 Making a Request for Information (subject access request)- by a parent/carer or a student Page 15-16: Annex 5 Privacy Notice/ Fair Processing Noticeto be given to employees and agency staff, directors, governors, other volunteers, and contractors Page 17: Annex 6 Making a Request for Information - (subject access request) by employees, contractors, directors, governors and other volunteers Page 18-20: Annex 7 handlers Operational Procedures- all data Page 21 : Annex 8 Flow Chart-Subject Access Request Data Protection Act Policy, EFAT Version 6 Final, May Draft 2

3 INTRODUCTION: THE POLICY Essa Foundation Academies Trust (EFAT) collects and uses personal information about staff, nursery children, pupils/ students, parents/ carers, directors and governors of the trust, and other individuals who come into contact with the trust and its academies and nursery. This information is gathered in order to enable EFAT academies and nursery to provide education and other associated functions. In addition there may be a legal requirement to collect and use information to ensure that the trust, and its academies and nursery, complies with statutory obligations. The trust has a duty to be registered as a data controller with the information Commissioners Office (ICO) detailing the information held and its use. These details are then available on the ICO s website. EFAT academies and nursery, on behalf of the trust, also have a duty to issue a Fair Processing Notice (privacy notice) to all parents/carers that summarises the information held on nursery children and pupils/ students and their families, why it is held, and the other parties to whom it may be passed on. Employees, directors and governors, other volunteers, and other individuals are also notified, by a fair processing notice, about information held about them on appointment. The Data Protection Act (DPA) 1998 sets out the safeguards that ensure that personal information is handled correctly however it is collected, recorded and used (whether on paper, stored on computer, or recorded in any other format or on any other material). The Data Protection Act (DPA) also gives people rights over their personal data. The Act applies in relation to current, past or prospective contacts with Essa Foundation Academies Trust (EFAT) and/ or its academies and nursery and covers members, directors and governors; other volunteers, all employees; nursery children, pupils/students, parents/carers; and suppliers/ contractors. The Protection of Freedoms Act 2012 covers the use of biometric systems in schools/academies e.g. cashless catering systems using finger print technology. This policy should be read in conjunction with the trust s Freedom of Information Act Policy. POLICY STATEMENT: EFAT will treat personal information lawfully and correctly in compliance with the DPA and the associated Codes of Practice. The trust regards the proper treatment of personal information as very important in maintaining confidence with Data Protection Act Policy, EFAT Version 6 Final, May Draft 3

4 employees, nursery children, pupils/students and their families, directors, governors, other volunteers, and suppliers/ contractors. EFAT will achieve compliance through ensuring that responsibility and accountability is clear, robust procedures exist, and appropriate training is provided. EFAT will: Comply with individuals rights; Process data in accordance with the eight Data Protection Principles; and Meet any notification requirements of the Information Commissioner. RESPONSIBILITIES: EFAT as the corporate body is the Data Controller and will be registered with the ICO. The name of each academy and Essa Nursery will appear in the public register of data collectors. The trust has overall responsibility for ensuring that records are maintained, including security and access arrangements in accordance with regulations. The trust s Board has delegated to Local Governing Bodies (LGBs) responsibility for ensuring that this Data Protection Policy is implemented throughout each academy. The Trust s Board has delegated to the Management Team Director (MTD) responsibility for ensuring that this Data Protection Policy is implemented throughout Support Services. The Nursery Management Committee is responsible for ensuring that this Data Protection Policy is implemented throughout the nursery. The trust has delegated operational responsibility for ensuring that the DPA requirements are enforced, and the trust s DPA policy and procedures are implemented, in all academies, in Essa Nursery, and the across the trust to the Data Manager within Support Services. The Data Manager will also deal with the day-to-day matters relating to data protection. Across EFAT, all data users must be identified. include: These will be numerous and will Teaching staff Nursery staff Some support staff SENCOs Administrators Data Protection Act Policy, EFAT Version 6 Final, May Draft 4

5 The Data Manager will ensure that appropriate training is provided / sourced for all data processors in their area of responsibility. The Data Manager will also provide periodic information sessions for the Board of Directors, Local Governing Bodies, the Nursery Management Committee, and senior leaders throughout the trust to ensure that they are aware of the importance of processing personal information properly and observing individual access rights. NOTIFICATIONS: The Data Manager is responsible for completing any notifications required by the Information Commissioner. In each academy/ nursery data processors are required to support this process by promptly providing information requested to complete the notification. DATA PROCESSING: Processing includes obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying or transferring the data. The data processors must ensure that any processing of personal data within their area of responsibility including where this is processed by a third party on behalf of the trust or an individual academy/ nursery complies with DPA requirements as follows: PERSONAL DATA: The Information Commissioner interprets the term personal data widely as relating to a living individual, who can be identified from the data or other available data. Personal data includes facts, opinions or intentions relating to the individual when held on a relevant filing system, accessible record or computer. Opinions might include performance appraisal data. Personal data tends to be biographical, affects the person s privacy, or be primarily about the individual. Examples include: Name; Address; Date of Birth; Marital Status. INFORMING PARENTS/CARERS ABOUT HOW THEIR DATA IS USED. A standard fair processing/ privacy notice for each academy and the nursery is attached as Annexes 1, 2, and 3 to this policy and should be given to the Data Protection Act Policy, EFAT Version 6 Final, May Draft 5

6 parent/carer of each child at their point of entry to the academy/ nursery. If the purpose for processing the data changes: parents/carers must be informed. MAKING A REQUEST FOR INFORMATION- BY A PARENT/CARER OR STUDENT Requests to see information that is held about parents/carers and/or your child should be made in writing to the Principal of the academy or to the Nursery Manager, as applicable. Information about this is set out in Annex 4. INFORMING EMPLOYEES, DIRECTORS, GOVERNORS, OTHER VOLUNTEERS, AND CONTRACTORS/SUPPLIERS ABOUT HOW THEIR DATA IS USED All employees will be informed about how their personal data is used via data protection clauses in their contracts of employment. The type of information that an employer can keep and how it could be used is set out in Annex 5. Publication of Academy/ Nursery information- some information about some staff may be published on the Academy s/ Nursery s website to meet the legitimate needs of parents/ carers and others seeking to make contact with the Academy/ Nursery. Directors, governors, and other volunteers will be informed about what data may be kept and how it could be used on induction. All contractors/ suppliers will be informed through their contracts. MAKING A REQUEST FOR INFORMATION- BY AN EMPLOYEE AND AGENCY STAFF Requests to see information that is held about employees should be made in writing to the Principal of the academy in which you work, to the Nursery Manager, or to the Management Team Director for employees working in the Support Services. Information about this is set out in Annex 6. MAKING A REQUEST FOR INFORMATION- BY A DIRECTOR/GOVERNOR, OTHER VOLUNTEERS AND CONTRACTORS Requests to see information that is held about directors/ governors, other volunteers, and contractors should be made in writing to the Management Team Director or the Data Manager. Information about this is set out in Annex 6. COMPLAINTS: Complaints will be dealt with in line with the trust s complaints procedure. A copy of the complaints procedure is available on the trust s/ academy s/ nursery s website or from the academy/ nursery. All complaints should be directed to the Principal/Nursery Manager or Chair of the Local Governing Body/ Nursery Data Protection Act Policy, EFAT Version 6 Final, May Draft 6

7 Management Committee for investigation and resolution where possible under the trust s complaints procedure. Employees should raise their concerns with the Principal/ Nursery Manager or Management Team Director, as appropriate, for investigation and resolution under the trust s grievance procedures. Directors, governors, other volunteers and contractors should raise any concerns with the Management Team Director or Data Manager for investigation and resolution under the trust s Code of Practice for Members, Directors, and Governors. The Information Commissioner is responsible for monitoring and enforcing the DPA, and he / she can investigate, where necessary issue an advisory or enforcement notice, and in some cases prosecute. The Information Commissioner requires that complaints are first brought to the attention of the trust/ academy/ nursery, to provide an opportunity for investigation and resolution. A parent/carer who wishes to pursue the complaint further should contact the Information Commissioner s Office at or call the ICO s helpline- telephone Data Protection Act Policy, EFAT Version 6 Final, May Draft 7

8 ANNEX 1 PRIVACY NOTICE & FAIR PROCESSING NOTICE FOR STUDENTS, PARENTS AND CARERSTO BE GIVEN TO ALL PARENTS/CARERS WHEN A STUDENT FIRST ENTERS THE ACADEMY The Essa Foundation Academies Trust is the Data Controller for the purposes of the Data Protection Act Essa Academy collects information from you and your child and may receive information from your child s previous school/ academy and other agencies. We hold this personal data and use it to: Support teaching and learning; Monitor and report on progress; Provide appropriate pastoral care; and Assess how well your child s academy is doing. This information includes contact details, national curriculum assessment results, attendance information, where they go after they leave us and personal characteristics such as ethnic group, special educational needs and any relevant medical information. If your child is enrolling for post 14 qualifications we will be provided with their unique learner number by the Learning Records Service and may also obtain from them details of any learning or qualifications undertaken Once your child is aged 13 or over, we are required to pass on certain information to providers of youth support services in our area. This is the local authority support service for young people aged 13 to 19 in England. We must provide your address and that of your child, together with their name and date of birth and any further information relevant to the support services role. However, you or your child (if they are over 16) can ask that no information beyond their name, address, date of birth and your address, be passed to the support service. Please inform Essa Academy if you wish to opt-out of this arrangement. For more information about young peoples services, please go to the National Careers Service page at Essa Academy has numerous CCTV cameras located on our site, both internally and externally. These cameras are used solely for the purposes of safety, security and crime prevention. Recorded images are stored and viewed securely and data is not retained for any longer than is necessary for the purposes stated. Data Protection Act Policy, EFAT Version 6 Final, May Draft 8

9 Parents will be asked to give their permission if photographs/ videos are to be taken of students. Essa Academy also shares some personal information with ParentPay and Easitrace acting as data processors to provide a cashless catering system for the academy. This organisation is registered as a data processor with the Information Commissioner s Office. Essa Foundation Academies Trust remains the data controller and personal information will only be used for the purpose of the cashless catering system. We will not share any other personal details without your permission. We will not give any information to anyone outside the trust/academy without your consent unless the law requires us to do so. We may pass on personal information for child protection reasons or to other relevant agencies or partners. We are required by law to pass some information to the Department for Education (DfE), the Local Authority (LA) and other statutory bodies. If you want to see a copy of the information we hold and share then please contact the Principal. If you require more information about how the Local Authority (LA) and/or DfE store and use the information, then please go to the following website: or If you are unable to access these websites please contact the LA or DfE as follows: Information Management Unit Children s and Adult Services Bolton Council, 1 st Floor, Town Hall Bolton, BL1 1UA Website: ec.imu@bolton.gov.uk Telephone: Ministerial and Public Communications Unit Department for Education Piccadilly Gate Store Street Manchester M1 2WD Website: Tel: Data Protection Act Policy, EFAT Version 6 Final, May Draft 9

10 ANNEX 2 PRIVACY NOTICE & FAIR PROCESSING NOTICE FOR PARENTS AND CARERS- TO BE GIVEN TO ALL PARENTS/CARERS WHEN A PUPIL FIRST ENTERS THE ACADEMY The Essa Foundation Academies Trust is the Data Controller for the purposes of the Data Protection Act Essa Primary Academy collects information from you and your child and may receive information from your child s previous school/ academy and other agencies. We hold this personal data and use it to: Support teaching and learning; Monitor and report on progress; Provide appropriate pastoral care; and Assess how well your child s academy is doing. This information includes contact details, national curriculum assessment results, attendance information, where they go after they leave us and personal characteristics such as ethnic group, special educational needs and any relevant medical information. Essa Primary Academy also shares some personal information with ParentPay acting as data processors for the academy. This organisation is registered as a data processor with the Information Commissioner s Office. Essa Foundation Academies Trust remains the data controller and personal information will only be used for the purpose stated in the academy. We will not share any other personal details without your permission. Parents will be asked to give their permission if photographs/ videos are to be taken of students. We will not give any information to anyone outside the Trust/Academy without your consent unless the law requires us to do so. We may pass on personal information for child protection reasons or to other relevant agencies or partners. We are required by law to pass some information to the Department for Education (DfE), the Local Authority (LA) and other statutory bodies. If you want to see a copy of the information we hold and share then please contact the Principal. Data Protection Act Policy, EFAT Version 6 Final, May Draft 10

11 If you require more information about how the Local Authority (LA) and/or DfE store and use the information, then please go to the following website: or If you are unable to access these websites please contact the LA or DfE as follows: Information Management Unit Children s and Adult Services Bolton Council, 1 st Floor, Town Hall Bolton, BL1 1UA Website: ec.imu@bolton.gov.uk Telephone: Ministerial and Public Communications Unit Department for Education Piccadilly Gate Store Street Manchester M1 2WD Website: Tel: Data Protection Act Policy, EFAT Version 6 Final, May Draft 11

12 ANNEX 3 PRIVACY NOTICE & FAIR PROCESSING NOTICE FOR PARENTS AND CARERS- TO BE GIVEN TO ALL PARENTS/CARERS WHEN A CHILD FIRST ENTERS THE NURSERY The Essa Foundation Academies Trust is the Data Controller for the purposes of the Data Protection Act Essa Nursery collects information from you and your child and may receive information from your child s previous nursery and other agencies. We hold this personal data and use it to: Support teaching and learning; Monitor and report on progress; Provide appropriate pastoral care; and Assess how well your child s nursery is doing. This information includes contact details, attendance information, where they go after they leave us and personal characteristics such as ethnic group, special educational needs and any relevant medical information. Essa Foundation Academies Trust remains the data controller and personal information will only be used for the purpose stated in the nursery. We will not share any other personal details without your permission. Parents will be asked to give their permission if photographs/ videos are to be taken of students. We will not give any information to anyone outside the Trust/Nursery without your consent unless the law requires us to do so. We may pass on personal information for child protection reasons or to other relevant agencies or partners. We are required by law to pass some information to the Department for Education (DfE), the Local Authority (LA) and other statutory bodies. If you want to see a copy of the information we hold and share then please contact the Principal. Data Protection Act Policy, EFAT Version 6 Final, May Draft 12

13 If you require more information about how the Local Authority (LA) and/or DfE store and use the information, then please go to the following website: or If you are unable to access these websites please contact the LA or DfE as follows: Information Management Unit Children s and Adult Services Bolton Council, 1 st Floor, Town Hall Bolton, BL1 1UA Website: ec.imu@bolton.gov.uk Telephone: Ministerial and Public Communications Unit Department for Education Piccadilly Gate Store Street Manchester M1 2WD Website: Tel: Data Protection Act Policy, EFAT Version 6 Final, May Draft 13

14 ANNEX 4 MAKING A REQUEST FOR INFORMATION (A SUBJECT ACCESS REQUEST) - BY A PARENT/ CARER OR STUDENT Requests must be made in writing to the Principal/ Nursery Manager. You will be asked to provide proof of identity- by providing for example, a passport, birth certificate, marriage certificate, utility bills for current address. Requests can be made by a parent/carer. Requests can be made by a pupil/student dependent on age and if he/she is deemed capable of making and understanding the request and the nature of the request. You can make the request through a solicitor or adviser provided that you have signed an authorisation for this person to act for you. The academy/ nursery will make a charge of for the provision of information. This should be paid at the time the request is made. If the information requested is only the educational record viewing will be free but a charge, not exceeding the cost of copying information can be made by the academy/ nursery. A response will be made within 40 days. The academy/ nursery is permitted to withhold some information- all information requests will be reviewed in line with this before being provided. You will be informed if the information is exempt and cannot be provided. The academy/nursery may need to get permission for a third party, e.g. the LA or police before it can disclose some information. You can ask for the information to be given to you at the academy/nursery, or for a member of staff to explain it to you, or you can ask for it to be posted to you. Data Protection Act Policy, EFAT Version 6 Final, May Draft 14

15 ANNEX 5 PRIVACY NOTICE & FAIR PROCESSING NOTICE FOR EMPLOYEES The Essa Foundation Academies Trust is the Data Controller for the purposes of the Data Protection Act The trust collects information from you as your employer and may receive information from your previous employers, education and training providers, and other agencies. Employees personal data will be kept safe and secure and up to date. Records will not be kept any longer than is necessary and will follow the rules on data protection. Publication of academy/ nursery information- some information about some staff may be published on the academy / nursery s website to meet the legitimate needs of parents/ carers and others seeking to make contact with the academy/nursery. If you ask about the information/ data kept about you the trust will have 40 days to provide a copy of the information. Data kept by the trust as an employer includes, but is not exhaustive: Name Address Date of birth Sex Education and qualifications Work experience National insurance number Tax code Details of any known disability Emergency contact details Employment history with the trust Employment terms and conditions( e.g. pay, hours of work, holidays, benefits, absence) Any accidents connected to work Any training undertaken Any disciplinary action Checks on fitness to work with children Employees have the right to be told; What records are kept and how they are used The confidentiality of the records How these records can help with their training and development at work. We will not give any information about you to anyone outside the trust/academy/nursery without your consent unless the law requires us to do so. We are required by law to pass some information to the Department for Education (DfE). Data Protection Act Policy, EFAT Version 6 Final, May Draft 15

16 If you require more information about how DfE store and use the information, then please go to the following website: If you are unable to access this website please contact the DfE as follows: Ministerial and Public Communications Unit Department for Education Piccadilly Gate Store Street Manchester M1 2WD Telephone: Data Protection Act Policy, EFAT Version 6 Final, May Draft 16

17 ANNEX 6 MAKING A REQUEST FOR INFORMATION (A SUBJECT ACCESS REQUEST) - BY AN EMPLOYEE, DIRECTOR, GOVERNOR, OTHER VOLUNTEERS, AND CONTRACTORS Requests must be made in writing to the Principal/ Nursery Manager or Management Team Director, as appropriate. You may be asked to provide proof of identity- for example, by providing a passport, birth certificate, marriage certificate, utility bills for current address etc. You can make the request through a solicitor or adviser provided that you have signed an authorisation for this person to act for you. The trust may make a charge of for the provision of information. This should be paid at the time the request is made. If the information requested is only the employment record viewing will be free but a charge, not exceeding the cost of copying information can be made by the trust. A response will be made within 40 days. The trust is permitted to withhold some information- all information requests will be reviewed in line with this before being provided. You will be informed if the information is exempt and cannot be provided. The trust may need to get permission for a third party, e.g. the LA or police before it can disclose some information. You can ask for the information to be given to you at the trust s premises, or for a member of staff to explain it to you, or you can ask for it to be posted to you. Data Protection Act Policy, EFAT Version 6 Final, May Draft 17

18 ANNEX 7 OPERATIONAL PROCEDURES- ALL DATA HANDLERS 1. Implementing a risk based range of data security measures. Advice and support should be sought from the Data Manager where necessary. However the following is considered to be best practice: Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows: Confidentiality means that only people who are authorised to use the data can access it. Integrity means that personal data should be accurate and suitable for the purpose for which is it processed. Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the trust s central / networked computer system instead of individual PCs. Security procedures include: Entry controls. Any stranger seen in entry-controlled areas should be reported. Computerised data should be coded, encrypted, or password protected, and backed up. If electronic removable storage media is used this should be kept in lockable drawers/cupboards. Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.) Methods of disposal. Paper documents should be shredded. Computer discs/ memory sticks/ hard drives should be physically destroyed when they are no longer required. Equipment. Data users should ensure that passers-by cannot see confidential information on their screens and that they log off from their PC when it is left unattended. 2. Ensuring that where personal data is shared with third parties or processed by them on behalf of EFAT or an academy/ nursery, appropriate agreements are in place to secure DPA compliant processing. Advice and support should be sought from the Data Manager where necessary. Retention of data the trust/ academy has a duty to retain some personal information/ data about employees and nursery children/pupils/students for some time after leaving the academy/ nursery, or the trust s employment, mainly for legal reasons or to provide references or academic transcripts. Data Protection Act Policy, EFAT Version 6 Final, May Draft 18

19 3. All personal data is processed in accordance with the eight data protection principles: Data to be fair and lawful Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Kept no longer than is necessary In line with individuals rights (cannot be supplied to any third party for direct marketing purposes) Secure against unlawful processing and accidental loss / damage Only transferred outside the EU in limited circumstances. 4. In the case of sensitive data, it can only be processed where the individual has given specific consent, it is essential for employment purposes, it is necessary to protect the vital interests of an individual (where life is at risk) or is necessary for medical, legal, justice or government reasons. Sensitive data includes: Racial / ethnic origin TU membership Criminal convictions and offences Political opinions Religious beliefs Sexual life Physical and mental health 5. Responding to requests for information-subject Access Requests: (See flowchart at Annex 8) Individuals have a number of rights with regards to their personal data including the right to know what is kept, inspect and / or be given a copy of their data, to correct any inaccurate information held and prevent any processing likely to cause distress to themselves or anyone else. They can claim compensation for distress caused by breaches of the DPA. Under the DPA individuals may submit a formal written request- see Annexes 4 & 6 for access to their personal data which might be limited to specific documents / areas or which may require a full search for information held. They may make this request through a solicitor or adviser provided that they have signed an authorisation for this person to act on their behalf. N.B: Telephone callers requesting information under the DPA should be asked to put their request in writing. Data Protection Act Policy, EFAT Version 6 Final, May Draft 19

20 Where such a request is made, the individual has a right to the following within 40 calendar days of their request: A description of the data held Told what the data is used for and who it may be given to Provided with a copy of their personal information held on a computer and in most manual filing systems Permitted to see their data and correct any errors in it. A fee of 10 is payable by the individual and should be requested before copies of the data are supplied. If the request is unclear, then the individual should be asked for clarification and the 40 day timeline is suspended until clarification is received. Before supplying personal data in response to a request, ensure that proof of identity is supplied e.g. passport / driving license to avoid identity fraud. An address is not proof of identity. The applicant is actually entitled to the information requested and not to specific documents containing it. It is therefore preferable to extract the information where the documents contain third party personal data which should not be disclosed unless it is already in the public domain or they have consented to its release. In responding to requests, personal data should not be ed. The necessary security of its transfer will vary according to the sensitivity of the data. Where the request will require an overseas search for information, where it appears unreasonable, or it is a repeated request, advice should be sought from the Data Manager. EXEMPTIONS: There are a small number of exemptions which may apply to requests in limited circumstances where a response may lead to prejudice to any of the following Negotiations with the requester; Management forecasts; Confidential references given by the trust/academ/ nursery (but not ones provided to the trust/academy/ nursery); Information used for research, historical or statistical purposes; Information covered by legal professional privilege; Crime prevention and detection. If you think that any of these exemptions might apply to a request received, then contact the Data Manager for advice. Data Protection Act Policy, EFAT Version 6 Final, May Draft 20

21 ANNEX 8 Data Protection Act Policy, EFAT Version 6 Final, May Draft 21