St Mark s Church of England Academy Data Protection Policy

Transcription

1 St Mark s Church of England Academy Data Protection Policy 1

2 Contents Purpose:... Error! Bookmark not defined. Scope:... Error! Bookmark not defined. Procedure:... Error! Bookmark not defined. Definitions:... Error! Bookmark not defined. Revision:... Error! Bookmark not defined. Distribution:... Error! Bookmark not defined. 2

3 Author Claire Wilkins Target Owner CfBT Schools Trust group Issued September 2017 Next review due All employees, consultants and volunteers September 2018 This policy applies to the whole of CfBT Schools Trust (CST), including all schools. Introduction The law around data protection is changing. Current legislation is within the Data Protection Act 1998 (DPA). In May 2018, the General Data Protection Regulation (GDPR) will come into force. This policy will be updated ready for the GDPR in early 2018 and CST will provide information and updates to schools in preparation for these changes. For now, the DPA, and this template policy, continues to apply. The DPA places obligations on organisations that use personal information (Personal Data), including schools, and gives individuals certain rights. The DPA states that those who record and use personal information must be open about how the information is used and must follow the eight principles of good information handling. The Information Commissioner s Office (ICO) is the regulating body and they maintain a public register of data controllers. CST has registered with the ICO as a data controller. This registration covers all CST schools and schools do not need to register separately. Please follow this link to view the registration: CCTV and biometrics are included on our registration. All schools are required to keep CST informed of any changes in how data is processed by the school, so that we can notify the ICO within 28 days of the change (notification@ico.gsi.gov.uk - there is no charge for this). Please note that failure to comply with the above is a criminal offence. Further Information You can find out more about notifying the ICO (and the associated costs) via this page of the ICO website: There is lots of other useful information for schools on data protection on the ICO website: 3

4 Main education page: This page includes the latest ICO guidance notes on the following topics: on biometrics; taking photos in schools; use of CCTV in schools; lesson plans on data protection and many other useful topics. Claire Wilkins, CST Legal and HR Lead is also available to help with any data protection queries. Data Protection tips: Parents and pupils can request to see any personal data held by the school which relates to them this may include s between staff and handwritten notes. Ensure all staff are aware that what they write may be seen. Both the Data Protection Act and the Freedom of Information Act apply to academies do not confuse the two as the requirements and timescales are different. The Data Protection Act applies to academies in a different way to state schools. For example academies have 40 calendar days in which to respond to requests for personal data rather than the 15 days that state schools usually have. The charges are also different. Include a data protection statement or privacy notice in the school prospectus or welcome book as well as on any forms used to collect personal data. It is important to inform parents and pupils what personal information you are collecting and why (including for example telephone numbers, photos of pupils and CCTV images) Schools can take photos of pupils for inclusion in the prospectus or website so long as you have informed parents and pupils of your intentions. Images captured by individuals for personal or recreational use with a mobile phone, digital camera or camcorder are exempt from the DPA (i.e. parents can take photos of pupils in a school play). The rules on data protection are complicated and there are often exceptions to a rule. Seek advice from the Trust s Legal and HR Lead if you are unsure, especially when responding to a data subject access request. 4

5 Biometric Data Since September 2013, there are no circumstances in which a school can lawfully process, or continue to process, a pupil s biometric data (i.e. fingerprints, palm scans) without having notified each parent of a child and received the necessary consent. Schools must obtain the written consent of at least one parent before the biometric data are taken from the child and used. This applies to all pupils in schools under the age of 18. In no circumstances can a child s biometric data be processed without written consent. Schools and colleges must not process the biometric data of a pupil (under 18 years of age) where: a) the child (whether verbally or non-verbally) objects or refuses to participate in the processing of their biometric data b) no parent has consented in writing to the processing; or c) a parent has objected in writing to such processing, even if another parent has given written consent. Schools must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system. All biometric information is legally regarded as personal data as defined by the Data Protection Act 1998; this means that it must be obtained, used and stored in accordance with that Act, as with all other personal data. Data Protection In order to operate efficiently CfBT Schools Trust (CST) has to collect and use information about people. This may include current, past and prospective pupils, parents, members of the public, staff and suppliers. We are committed to ensuring personal data is properly managed and the Data Protection Act 1998 (DPA) is complied with. We will make every effort to meet its obligations under the legislation. This policy, and our processes, will be updated when the new General Data Protection Regulation (GDPR) comes into force in May Scope and Publication This policy applies to all staff, Local Governors, contractors, agents and representatives working for or on behalf of the Trust, including in all schools and the CST central team, and is available via the website and on request. This policy can be made available in large print or other accessible format if required. This policy applies to all personal data processed by the Trust and held electronically or manually. Images captured by individuals for personal or recreational use with a mobile phone, digital 5

6 camera or camcorder are exempt from the DPA (i.e. parents are allowed to take photos of pupils in a school play). Responsibilities CST is the data controller for the purposes of the act and therefore have overall responsibility for compliance with the DPA. CST have delegated responsibility to the Headteacher in each school for ensuring compliance with the DPA and this policy within the day-to-day activities of the school. The Headteacher has appointed a Data Protection Officer (DPO). The DPO is responsible for: notifying CST about any change in the school s use of data to allow CST to keep the ICO up to date with changes in how the school processes data obtaining consent for disclosure of personal data, including routine consent from parents and pupils for using photographs for general school purposes ensuring data protection statements are included on forms that are used to collect personal data acting as a central point of advice for staff on data protection matters coordinating requests for personal data arranging appropriate data protection training for all staff keeping up to date with the latest data protection legislation and guidance ensuring adequate systems are in place for compliance with this policy working with CST to update processes in line with the GDPR. Definitions Personal data: information which relates to an identifiable living individual that is processed as data. Examples would be names of staff and pupils, dates of birth, addresses, national insurance numbers, school marks, medical information, exam results, SEN assessments and staff development reviews. Processing data: collecting, using, disclosing, retaining, or disposing of information. Sensitive personal data: information that relates to race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality and criminal offences. 6

7 The Requirements The DPA stipulates that anyone processing personal data must comply with eight principles of good practice. The principles require that personal data: 1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met. 2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. 4. Shall be accurate and where necessary, kept up to date. 5. Shall not be kept for longer than is necessary for that purpose or those purposes. 6. Shall be processed in accordance with the rights of data subjects under the Act. 7. Shall be kept secure i.e. protected by an appropriate degree of security. 8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection. Notification As required under the DPA, CST will ensure that the ICO is notified that we are processing personal data and in what ways and will ensure the registration is renewed annually. Data Gathering Whenever we collect new information about individuals we will ensure individuals are made aware: that the information is being collected of the purpose that the information is being collected for of any other purposes that it may be used for who the information will or may be shared with; and how to contact the data controller. 7

8 We will only obtain relevant and necessary personal data for lawful purposes and will only process the data in ways which are compatible with the purpose for which it was gathered. Data protection statements will be included in the school prospectus and on forms that are used to collect personal data. Data Storage Personal data will be stored in a secure and safe manner. The following measures are taken to help ensure this: Electronic data will be protected through secure password, encryption software and firewall systems. Computer workstations in administrative areas will be positioned so that they are not visible to casual observers. Manual personal data will be stored securely where it is not accessible to anyone that does not have a legitimate reason to view or process the data. Particular attention will be paid to the need for security of sensitive personal data, for example health and medical records will be kept in a locked cupboard. Personal data will not be left out visible on desks. The physical security of buildings and storage systems will be regularly reviewed. Staff will be trained on this policy and related data protection procedures. Data Checking Systems will be put in place to ensure the personal data that we hold is up to date and accurate. For example, the school will ensure that parents are asked at least once a year to confirm their contact details. Any inaccuracies discovered or reported will be rectified as soon as possible. Disclosing Data Personal data will only be disclosed to organisations or individuals for whom consent has been given to receive the data, or organisations that have a legal right to receive the data without consent being given. When requests to disclose personal data are received by telephone, we will ensure that the caller is entitled to receive the data and that they are who they say they are. In some circumstances, we may call the caller back to check the identity of the caller. 8

9 Personal data will not be included on the website, in newsletters or other media without consent of the individual (or his/her parents where appropriate). Routine consent may be requested from parents to avoid the need for frequent, similar requests for consent being made by the school. Personal data will only be disclosed to the Police if they are able to supply sufficient authority which notifies of a specific, legitimate need to have access to specific personal data. Data Subject Access Requests Any person whose personal data is held by CST is entitled, under the DPA, to ask to access this information. The request must be in writing. The right is to view or be given a copy of the personal data, rather than to the whole document which contains the personal data. There are some exceptions to the rights of access to information in certain records (for example in relation to examination scripts, legal advice). When a request is received by a member of staff, this should be passed to the school s Data Protection Officer without delay. The request must be dealt with promptly; a response must be provided as soon as possible and no later than within 40 calendar days from the date the request was received. We may make a charge of 10 for responding to a request for personal data under the DPA and will need to confirm the requester s identity. Parents can make data subject access requests on their child s behalf if their children are deemed too young to look after their own affairs. If a request is made by a parent for personal data relating to their child and the child is aged 12 years or older, written consent will need to be sought from the child before the data is disclosed to the parent. A record will be kept of all data subject access requests made that require formal consideration. Destroying Data Out-of-date information will be discarded if no longer relevant. Personal data will only be kept as long as reasonably needed, for legal or business purposes. 9

10 Breach of the Policy Non-compliance of this policy and data protection legislation by a member of staff is considered a disciplinary matter which, depending on the circumstances, could lead to dismissal. Monitoring, Evaluation and Review The DPO will monitor the implementation and effectiveness on this policy and report his/her evaluation to the Headteacher on an annual basis. The Headteacher will report back to CST on this policy and its implementation and effectiveness every two years, who will then review the policy, making amendments where necessary. This policy will be reviewed in early 2018 in readiness for the GDPR coming into force in May

11 Indication of Parent s Preference Student Name Date of Birth Address Parent s Declaration of Preference Please insert tick or info. here I agree to photographs or film of my child appearing in any publication or form approved by the Headteacher including the school website. I agree to photographs or film of my child appearing only in the following publications or circumstances (give details). I do not agree to photographs or film of my child appearing in any circumstances. I agree to the following information being associated with my child's photograph or image at the discretion of the Headteacher (please specify e.g. name, age, class, home location, prizes won etc) or say ALL or NONE as appropriate. I consent to the school taking and using information from my child s [insert biometric e.g. fingerprint] by as part of an automated biometric recognition system. This biometric information will be used by the school for the purpose of [describe purpose(s) for which this data will be used, e.g. administration of school library/canteen]. Once your child ceases to use the biometric recognition system, his/her biometric information will be securely deleted by the school. I do not consent to the school taking and using information from my child s [insert biometric e.g. fingerprint] by as part of an automated biometric recognition system. If you wish to withdraw or amend your consent for the above at any time, this must be done in writing and sent to the school. Parents/legal guardians Signed Name (block capitals) Signed Name (block capitals) Signed Student (where applicable) Name (block capitals) 11