Data Protection Policy No. E11

Transcription

1 Data Protection Policy No. E11 Last Reviewed: May 2015 Next Review: May of 5

2 Contents 1. Policy Statement... 3 Our Commitment... 3 Aims... 3 The Brunts Academy Data Protection Policy... 4 Scope of the Policy... 4 Monitoring... 4 Criteria for monitoring... 4 Requests and charges... 5 Review and appeal... 5 Making a request (Trust staff)... 6 Linked policies and documents... 6 Review... 6 Equality Act 2010 (Amendment) Order 2012 Impact Assessment... 2 Last Reviewed: May 2015 Next Review: May of 5

3 1. Policy Statement The Trust is committed to the eight principles of the Data Protection Act 1998: 1. Personal data shall be processed fairly and lawfully 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes 3. Personal data shall be adequate, relevant and not excessive 4. Personal data shall be accurate and, where necessary, kept up to date 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes 6. Personal data shall be processed in accordance with the rights of data subjects under this Act 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Our Commitment Aims The Trust will implement the requirements of the Data Protection Act 1998 and any subsequent amendments or regulations on protecting data, and the Trust s controls and procedures will ensure integrity and security of data. The Trust will maintain a Data Protection register entry with the Information Commissioner, and ensure that all personal data obtained, held, used or disclosed conforms to the details recorded within that registration. In addition The Trust will ensure that: A member of the senior management team has overall responsibility for the implementation of Data Protection. This is currently the Chief Operating Officer. Staff are aware of their responsibilities under the Data Protection Act. Staff are trained and supported to deal effectively with the requirements of the Act, including the need to deal with subject access requests, in whole or in part, in accordance with the Act. Last Reviewed: May 2015 Next Review: May of 5

4 The Brunt s Academy Data Protection Policy The requirements of the Act are considered in decision making processes, such as the development of policy and procedures and the design and the implementation of information systems. The operations of the organisation are developed to meet the highest standards of openness and accountability. Scope of the Policy The policy statement of commitment and the ensuing controls and procedures arising from the policy are applicable to all members of the Trust, including students. Those with responsibility for handling or processing information are particularly affected. Monitoring The Chief Operating Officer will maintain a register of all requests made for information under the Data Protection Act that do not fall within the remit of the Data Protection Registration with the Information Commissioner, and the action taken on each application. It will identify reoccurring requests for the same or similar information and provide information for the reviews of the Data Protection Registration. The Trust will register all complaints received about its Data Protection arrangements and will ensure learning points that arise from such complaints are used to improve related policies, procedures and guidance. The Chief Operating Officer will annually review this policy and its associated procedures and arrangements to ensure it remains up to date, effective and takes account of emerging good practice. Where new legal directions come into force, the policy will be reviewed in line with the commencement of that legislation. Criteria for monitoring The Policy and associated procedures and arrangements will be monitored within the context of legislation, including: Data Protection Computer Misuse Human Rights Equal Opportunities Telecommunications Health & Safety Last Reviewed: May 2015 Next Review: May of 5

5 Requests and charges Requests should be made in writing, by letter to the address below or by to with Data Protection Request as the subject line: Mr. A S Hughes (Chief Operating Officer) Data Protection Request THE EVOLVE TRUST THE BRUNTS ACADEMY THE PARK PARK AVENUE MANSFIELD NOTTINGHAMSHIRE NG18 2AT Proof of identity (normally a driving licence, passport or utility bill or corporate identification in the case of organisations) will be required before the request can be met. Requests by an individual for their educational record will be dealt with within the required response time of 15 School days any other request will be dealt with within the required response time of 40 calendar days. All Request response times are subject to any extensions as stated within the Data Protection Act and the payment of any fees related to the request in advance of the request being processed. If the request is too general the Trust will offer advice and assistance to determine the information required. The Trust does not have the right to ask why information is being sought, but the information can be volunteered to assist the Trust in meeting the request. The Trust s Charging Policy details the current costs charged for retrieval of information. Review and appeal If an applicant is dissatisfied with the handling of a request, they have the right to ask for an internal review. Internal review requests should be submitted no later than 40 working days after the date on which the applicant believes that the Trust has failed to comply with the requirement, and should be addressed to: The Board of Directors Data Protection review THE EVOLVE TRUST THE BRUNTS ACADEMY THE PARK PARK AVENUE MANSFIELD NOTTINGHAMSHIRE NG18 2AT Last Reviewed: May 2015 Next Review: May of 5

6 If not content with the outcome of the internal review, an applicant has the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Making a request (Trust staff) No member of the Trust staff whilst acting within their respective role should make a request under the Data Protection Act 1998 without first receiving the authorization of the Chief Executive Officer or the Chief Operating Officer. Linked policies and documents: Our Finance policy defines the controls and procedures currently in place to ensure the integrity and security of data along with our data security policy. These will be subject to review in line with the requirements of the Finance policy and may be reviewed more regularly should legislation or the requirements of the Trust change. At any time the current authoritative versions will be published on the Trust Intranet. Other relevant documents include: Data Protection Register entry details Charging Policy In addition the policy will be subject to control through the arrangements for: Trust Staff ICT Acceptable Use Individual academy Student ICT Acceptable Use Individual academy Parent Portal Acceptable Use Trust CCTV Policy Trust Freedom of Information policy Clear desk and screen policy Legal issues Review The Trust s Board of Directors will review this policy every three years (or earlier should there be legislative change to Data Protection legislation) to assess its implementation and effectiveness. Reviewed and approved by the Board of Directors May 2015 Last Reviewed: May 2015 Next Review: May of 5

7 Last Reviewed: June 2012 Next Review: June 2013 Page 1 of 9

8 Name of Policy: Date Analysis Undertaken: General Duty Eliminate unlawful discrimination, victimisation and harassment and other prohibited conduct. Advance equality of opportunity between people who share a protected characteristic and those who do not Foster good relations between people who share a protected characteristic and those who do not Equality Act 2010 (Amendment) Order 2012 Impact Assessment Policy Name Date Current Provision Current policy for Data Protection. Helps to ensure compliance N/A: Policy is Neutral impact against protected characteristics. Task to be completed / Undertaken Ensure Policy agreed by Leadership and Directors and then shared with all stakeholders. Ensure policy reviewed regularly As above. As above. Policy Document Last reviewed Month YYYY Support needed / Date for action / Lead Keep abreast of statutory requirements. Ongoing ASH Keep abreast of statutory requirements. Ongoing ASH Keep abreast of statutory requirements. Ongoing ASH Page 2 of 9 Audience: Staff / Public

9 Policy Document Last reviewed Month YYYY Protected Characteristic Race Religion or Belief Gender / Gender Reassignment Template for self-assessment and action planning: Equality Act 2010 (Amendment) Order 2012 Engagement Evidence and action Positive Impact Negative Impact Neutral Impact undertaken taken/outcome Sexual Orientation Disability Age Other (please specify) Summary: Undertaken by: (PRINT NAME) Signature Alan S Hughes Date: 27 th April 2015 QA: (PRINT NAME) QA Signature: Page 3 of 9 Audience: Staff / Public