Data Protection Policy

Transcription

1 THE CIPPENHAM SCHOOLS TRUST Data Protection Policy *Date for revision: Summer Term 2018 Responsibility for policy: Responsibility for operational: Trustees Trustees Reviewed by Directors: *subject to any relevant changes in legislation or other appropriate guidelines

2 Statement of Intent We acknowledge that to function properly we need to collect and use certain types of information about staff, pupils and other individuals who come into contact with our schools. We are also obliged to collect and use data to fulfil our obligations to the Local Authority (LA), Department for Education (DfE) and other bodies. We deal with information properly in whatever way it is collected, recorded and used on paper, electronically, in the cloud or any other way. We regard the lawful and correct treatment of personal information as very important to successful operations and to maintaining confidence between those with whom we deal and ourselves. We are conscious that much of the data we hold is classified as sensitive personal data and we are aware of the extra care this kind of information requires. We ensure that all personal information is treated lawfully and correctly. To this end, we fully endorse and adhere to the data protection principles as contained in the Data Protection Act 1998 (DPA). Data Protection Principles All members of staff employed in our schools are required to adhere to the eight enforceable data protection principles as set out in the Data Protection Act Data shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met. 2. Personal data shall be obtained only for one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and where necessary, kept up-to-date. 5. Personal data shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under the DPA. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data whether it is held internally or cloud based. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3 There is stronger legal protection for more sensitive information such as: - Ethnicity - Background - Political opinions - Health - Religious beliefs - Sexual health - Criminal records Cloud Services We are responsible for: Ensuring that the processing carried out by any cloud service provider/s complies with the DPA requirements by means of a contract and data processing agreement. Ensuring the accuracy of the self-certification statements made by any cloud services suppliers by using the self-certification checklists facilitated by the DFE. School Practice We will apply the following criteria and controls. These are to: Notify the Information Commissioners Office (ICO) that we process personal data and re-notify if procedures change or are amended. Observe fully the conditions regarding the fair collection and use of information. To achieve this we have in place and use a privacy notice, sometimes called a fair processing notice (Appendices A and B) Meet our legal obligations to specify the purposes for which information is used. Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Ensure the quality of information used. Apply strict checks to determine the length of time information is held. Ensure that the rights of the persons about whom information is held can be fully exercised under the Act. These include the right to be informed that processing is being undertaken, the right to access to one s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is regarded as wrong information. Take appropriate technical and organisational security measures to safeguard personal information. We will review the physical security of buildings and storage systems as well as access to them. All portable electronic devices must be kept as securely as possible on and off school premises.

4 Ensure that all Disclosure and Barring Service (DBS), formerly Criminal Records Bureau (CRB) records (recruitment and vetting checks), are kept in a safe central place and that no unnecessary certification information is kept longer than six months. Ensure that personal information in not transferred abroad without suitable safeguards. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information. Set out clear procedures for responding to requests for information (Appendix C). Have in place secure methods for safely disposing of all electronic and paper records. Be sure that photographs of pupils are not included in any school publication or on the school website without specific consent. Ensure that biometric data concerning pupils are not obtained or used without the knowledge of the child and parents and without permission being obtained from them as appropriate. Take care that CCTV that captures or processes images of identifiable individuals is done in line with the data protection principles. We shall also ensure that: There is a named person with specific responsibility for data protection within the school. All persons managing and handling personal information understand that they are contractually responsible for following good data protection practice. All persons managing and handling personal information are trained to do so. Anyone wanting to make enquiries about handling personal information knows what to do. Anyone managing and handling personal information is appropriately supervised. Queries about handling personal information are properly and courteously dealt with. Methods of handling personal information are clearly described. A regular review and audit is made of the way personal information is held, managed and used. Methods of handling personal information are regularly assessed and evaluated. Performance with handling personal information is regularly assessed and evaluated. A breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against the members of staff concerned. On occasions when information is authorised for disposal, it is done appropriately.

5 Appendix A PRIVACY NOTICE The Data Protection Act 1998 School Workforce: those employed or otherwise engaged to work at a school We process personal data relating to those we employ to work at, or otherwise engage to work at, our school. This is for employment purposes to assist in the running of the school and/or to enable individuals to be paid. The collection of this information will benefit both national and local users by: improving the management of workforce data across the sector enabling development of a comprehensive picture of the workforce and how it is deployed informing the development of recruitment and retention policies allowing better financial modelling and planning enabling ethnicity and disability monitoring; and supporting the work of the School Teachers Review Body This personal data includes identifiers such as names and National Insurance numbers and characteristics such as ethnic group, employment contracts and remuneration details, qualifications and absence information. We will not share information about you with third parties without your consent unless the law allows us to. We are required, by law, to pass on some of this personal data to our Local Authority (LA) and the Department for Education (DfE). If you wish to request information please complete our Subject Access Request Form and contact:- Andrea Bown, Data Manager, Cippenham Primary School Tel: Sandra McCarroll, School Business Manager, Cippenham Infant School Tel:

6 Appendix B PRIVACY NOTICE The Data Protection Act 1998 Pupil Data / Information Schools, Local Authorities, and the Department for Education all hold data on pupils in order to run the education system. In so doing, all have to follow the Data Protection Act The main implication of this is that data held about pupils may only be used for specific purposes permitted by law. This notice is to inform you what types of data we hold, why it is held and to whom it may be passed on. We hold information on pupils in order to support their teaching and learning, to monitor and report on their progress, to provide appropriate pastoral care and to help us assess how the school is performing overall. This data will include contact details, national curriculum assessment results, attendance information, characteristics such as ethnicity, SEN and any relevant medical information. The school may include images of or information about pupils on the school website. If this is a problem to you for any reason, please let us know and we will ensure that this information is not included. However, parents do need to know that at times we may be legally bound to disclose information to other bodies such as the police which the school will try to do with the knowledge of the relevant parent(s). From time-to-time, we are required to pass on information to the LA, DFE, to another school to which your child may be transferring, and to the Standards and Testing Agency which is responsible for the national curriculum and associated assessment arrangements. The government may require the school to share information with other agencies such as health, other LA departments and other relevant public bodies. The school will inform parents when this type of processing occurs and seek consent where this is necessary. For further information about how our local authority and/or DfE store and use your personal data please visit: If you wish to request information please complete our Subject Access Request Form and contact:- Andrea Bown, Data Manager, Cippenham Primary School Sandra McCarroll, School Business Manager, Cippenham Infant School

7

8 Dealing with a Subject Access Request Appendix C Requests for information must be made in writing (which includes the use of ) using the Subject Access Request Form (Appendix D) and be addressed to the relevant school headteacher. If the initial request does not clearly specify the information required, then the school will make further enquiries. The headteacher must be confident of the identity of the individual making the request. When the request concerns data about a pupil, checks will also be carried out regarding proof of relationship to the child. Original documentation will be required as evidence of identify. Any individual has the right of access to information held about them. However, in the case of children this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The headteacher should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent, an individual with parental responsibility or guardian shall make the decision on behalf of the child. The school may make a charge for the provision of information, depending on the following: - No charge can be made if the requester simply wants to view the educational record of a child. - Should the information requested require a copy of the educational record, then the amount charged will be dependent upon the number of pages provided. This type of record is available to all parents until the child becomes an adult with or without the consent of the child. The school is required to respond within 15 school days. - Should the information requested be personal information that is not an educational record, schools can charge up to 10 to provide it. The response time for subject access requests, other than for educational records, is 40 days from receipt (this refers to calendar days irrespective of school holiday periods). The DPA allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure.

9 Third party information is information that has been provided by another person such as the LA, the police, a health care professional or another school. It is normal good practice to seek the consent of the third party before disclosing information. Even if the third party does not consent, or consent is explicitly not given, the data may be disclosed. (There is no need in the case of third party requests to adhere to the 40-day statutory timescale.) Any information that could cause serious harm to the physical, emotional or mental health of a pupil or another person may not be disclosed, nor should information that would reveal that the child is at risk of abuse. The same stricture applies to information relating to court proceedings. If there are concerns about the disclosure of information, then additional advice should be sought, usually from the Information Commission s Office. When redaction (blacking out or obscuring of data) has taken place, then a full copy of the information provided will be retained in order to establish, if a complaint is made, what was redacted and why. Information disclosed should be clear, with any codes, technical terms, abbreviations or acronyms explained. If information contained within the disclosure is difficult to read or illegible, it will be retyped. Information can be provided at the school with a member of staff on hand to assist if requested, or provided at face-to-face handover. The views of the applicant will be taken into account when considering the method of delivery. If postal systems have to be used, then registered or recorded mail will be used. Complaints will be dealt with in accordance with the school complaints procedure, which is available from the school office. Should the complainant wish to take the matter further, it may be referred to the Information Commissioner

10 Appendix D SUBJECT ACCESS REQUEST FORM The Information supplied in this form will be used only for the purposes of identifying the personal data you are requesting. You should complete this form if you want the Trust or a specific Trust school to supply you with a copy of any personal data which we hold about you. You are entitled to receive this information under the Data Protection Act We will endeavour to respond promptly and in any event within 40 days of receipt of the latest: a) Our receipt of this request; or b) Our receipt of any further information we request from you, which we need to enable us to comply with your request. SECTION 1 Details of the person requesting the information: Full name: Address (including postcode): Telephone / Mobile contact number: address: If this data subject request relates to you, please also tell us of any change of name, address, contact or other details which may have happened during your period of contact with us to help us ensure we can identify all relevant data. Are there any previous names or details to take into account? Yes*/ No *If Yes, please tell us about change(s) of details below (e.g. Previous name/s, addresses, contact details or any other relevant change/s you want to tell us about)

11 SECTION 2 Does the data subject request relate to you? Please select the appropriate answer below:- YES If the data subject request relates to you, please supply evidence of your identity. This needs to be your driving licence, passport, or national identity card, together with a recent letter or bill from a utility company (within the last 3 months) as evidence of address. If you send us original documents, we will aim to return them by special delivery within 5 working days. (Please go to Section 4) NO Are you acting on behalf of someone else to whom the data relates? If so, you need to have written authority a letter from the person in question, a power of attorney document, for example- and that authority must be enclosed. You must also supply evidence of your own identity, i.e. a driving licence, passport, national identity card, a recent letter or utility company bill (within the last 3 months) as evidence of address. If you send us original documents, we will aim to return them by special delivery within 5 working days. (Please go to Section 3) We cannot grant your request if we do not receive sufficient evidence of identity. SECTION 3 Details of the data subject (the data subject is the person whose information you wish to obtain - please complete if different from Section 1) Full name: Address (including postcode): Telephone / Mobile contact number: address: Please also tell us of any change of name, address, contact or other details for the data subject which may have happened during their period of contact with the LGA, to help us ensure we can identify all relevant data. Are there any previous names or details to take into account? Yes*/ No *If Yes, please tell us about change(s) of details below (e.g. Previous name/s, addresses, contact details or any other relevant change/s you want to tell us about)

12 SECTION 4 What information are you seeking? Please describe the information you seek in as much detail as possible together with any other relevant information. This will help us to identify the information you require and respond to you quickly. SECTION 5 Which of the following do you wish to receive information about? a) Why we are processing your personal data Yes/No (delete as appropriate) b) To whom your personal data is disclosed Yes/No (delete as appropriate) c) The source of your personal data Yes/No (delete as appropriate) Please note that if the information you request reveals details directly or indirectly about another person, we will have to seek the consent of that person before we can let you see that information. In certain circumstances we may not be able to disclose the information to you. In this case we will inform you promptly and give full reasons for our decision, or the information will be redacted. In most cases we will be happy to provide you with copies of the information you request. However, in accordance with section 8(2) of the Data Protection Act, if to do so would take disproportionate effort we will not be able to provide you with copies of information requested. In these circumstances, we will make every effort to provide you with a satisfactory form of access or summary of information if suitable and give you an explanation of why we were not able to provide you with your requested information. DECLARATION Please note that any attempt to mislead by providing false information may result in prosecution I confirm that I have read and understood the terms of this subject access form and certify that the information given is true and accurate. I understand that it is necessary for the Trust / School to confirm my/the data subject s identity and it may be necessary to obtain more detailed information in order to locate the correct personal data. Signed Date... Print Name... Please return the completed form and identification to the relevant Headteacher by or post. Contact details are available on the CST website

13 Documents which must accompany this application: 1. Evidence of your identity (Section 2) (if different from above) 2. Evidence of the data subject s identity 3. Authorisation from the data subject to act on their behalf (if applicable) If, when you have received the requested information, you believe that: the information is inaccurate or out of date; or we should no longer be holding that information; or we are using your information for a purpose of which you were unaware; or we may have passed inaccurate information about you to someone else please notify the relevant Headteacher as soon as possible.