Data Management and Protection Policy

Transcription

1 Data Management and Protection Policy Approved by Governor committee: Finance and Audit Date to be reviewed: June 2018 Responsibility of : Director of Finance and Operations Date ratified by Governing Board: 14th July 2016

2 Aims of this policy To outline Chelsea Academy s approach to the collection and management of personal and sensitive personal data, and compliance with legislation involving the protection of that data; To describe the procedures that seek to ensure the integrity and security of that data. Scope of this policy Personal data is any information that relates to a living individual who can be identified from the information. This includes any expression of opinion about an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. Sensitive personal data is defined in the Data Protection Act as that relating to an individual s racial or ethnic origin, po litical opinions, religious beliefs or beliefs of a similar nature, me mbership of a trade union, physical or mental health or condition, sexual life, commission or alleged commission of an offence or proceedings for any offence or alleged offence, or court sentence. Chelsea Academy collects a large amount of personal and sensitive personal data every year including staff and student records, examination marks and references. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities (LAs), government agencies and other bodies. The Data Protection Act 1998 is the law that protects personal privacy and upholds individual s rights. It applies to anyone who handles or has access to people s personal data. It applies to information regardless of the way it is used, recorded and stored and whether it is held in paper files or electronically. Registration with the Information Commissioner s Office (ICO) The Academy has a legal responsibility to comply with the Act and is the named data controller under the Act. Data Controllers are people or organisations who hold and use personal information. They decide how and why the information is used and have a responsibility to establish workplace practices and policies that are in line with the Act. The Academy as a data controller is registered with the Information Commissioner s Office for the processing of personal data. This information is included in a public register which is available on the Information Commissioner s website at the following link : Data Protection procedures The Academy Registrar is the Data Protection Officer and is the member of staff responsible for monitoring Chelsea Academy s compliance with the Data Protection Act. This will include staff training, handling subject access requests and an annual self audit as recommended by the Information Commissioner s Office. Chelsea Academy will ensure compliance with the Data Protection Act 1988, and any subsequent legislation and guidance, by adopting the 8 data protection principles: 1

3 1. Data will be processed fairly and lawfully. Anyone providing personal data or sensitive personal data will receive a Privacy Notice setting out how their data will be used and shared. A copy of the Privacy Notice will be published on the Academy website, and can be found at Annex B to this policy. All staff will confirm that they have read, understood and will abide by this policy. To ensure that processing is fair and lawful it will be done in accordance with one of the following grounds in the Act: The individual has given his or her consent The processing is necessary for the performance of a contract with the individual The processing is required under a legal obligation to which Chelsea Academy is subject The processing is necessary to protect the vital interests of the individual The process is necessary to carry out public functions The processing is necessary in order to pursue the legitimate interests of the Academy or third parties provided that that is balanced against the rights, freedoms and legitimate interests of the data subject The processing of sensitive personal data can only be carried out if one of the following additional conditions is also met (in addition to the conditions for processing set out above): The explicit consent, in writing, of the individual is obtained The data is required by law for employment purposes or the administration of justice or legal proceedings The processing is necessary for protection of the vital interests of the data subject or another The individual has already deliberately made the information public The processing is necessary for medical purposes, and undertaken by a health professional or someone who is subject to an equivalent duty of confidentiality The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of the individual. 2. Personal data will be obtained only for one or more specific and lawful purposes, and will only be used for the purposes for which it was obtained. No Chelsea Academy employee will knowingly mislead or deceive any other person about the purpose for which information is being collected. 3. Personal data will be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed. Personal data will only be processed for the purposes of managing the Academy, providing education and guidance for the students and submitting statutory returns. 4. Personal data will be accurate and where necessary kept up to date. They will be reviewed regularly and amended as required. The subject of such data may be asked to confirm that what has been recorded is accurate. 5. Personal data processed for any purpose(s) will not be kept for longer than is necessary for that purpose 2

4 We will retain records only for as long as they may be required under relevant legislation, and ensure that when information is authorised for disposal it is done appropriately and securely. Faculties and departments will carry out an annual review of the data they hold and where it is not necessary it will be disposed of securely. 6. Personal data will be processed in accordance with the rights of data subjects under the 1998 Data Protection Act. We will only share personal information with others when it is necessary and legally appropriate to do so. Parents will have access to key information about their child s progress, attainment, attendance, punctuality and behaviour in real time via a secure internet connection, through the Chelsea Academy Learning Cloud (CALC). They will be entitled to receive a copy of their child s record upon request. Subjects will have the right to know what information we hold about them, how we process it and who we share it with. We will deal with subject access requests in line with the ICO Code of Practice, as set out in Annex A. Young people themselves also have the right of access. The Academy reserves the right to discuss with parents/carers any request, from a student under the age of 16 years of age, before complying with the request. However, the normal position will be, that secondary aged students have sufficient understanding of their rights for any request they make to be honoured. Chelsea Academy will also hold records on Academy staff members to inform recruitment, performance management, continuous professional development and financial management procedures. Staff have the right to access all the data that the Academy holds on them. All staff requests for access should be made through the Director of Finance and Operations following the procedures set out in Annex A. 7. Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Academy will ensure and maintain an appropriate level of security of access to its premises, equipment, network, programs, data and paper records. Such access will be restricted to the appropriate staff. All staff who have access to personal information will receive training on data protection procedures. The Data Protection Policy will operate alongside the Academy s E Safety and Acceptable Use Policy. 8. Personal data will not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Training Training is a key requirement to ensure DPA compliance. The Academy is committed to ensuring that training is provided for all new staff as part of their induction process. There will also be regular refresher training for all existing staff. The Data Protection Officer will be responsible for managing the provision of training. Policy review The policy will be reviewed every 2 years as part of the Academy s programme of policy review. Any breach of this Data Protection policy will be treated as a disciplinary matter. 3

5 Annex A: Procedure for responding to subject access requests made under the Data Protection Act 1998 Rights of access to information There are two distinct rights of access to information held by schools about pupils: 1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them. 2. The right of those entitled to have access to curricular and educational records as defined within the Education Pupil Information (Wales) Regulations These procedures relate to subject access requests made under the Data Protection Act Actioning a subject access request 1. Requests for information must be made in writing, which includes , and be addressed to the Registrar. If the initial request does not clearly identify the information required, then further enquiries will be made. 2. The identity of the requestor must be established before the disclosure of any information, and checks will be carried out regarding proof of relationship to the pupil. Evidence of identity can be established by requesting production of: passport driving licence utility bills with the current address Birth / Marriage certificate P45/P60 Credit Card or Mortgage statement This list is not exhaustive. 3. Any individual has the right of access to information held about them. However with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Registrar should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent an individual with parental responsibility or guardian shall make the decision on behalf of the child. 4. The school may make a charge of up to 10 for the provision of paper information. If the information requested is only the educational record viewing will be free. 5. The response time for subject access requests, once officially received, is 40 days (not working or school days but calendar days, irrespective of school holiday periods). However the 40 days will not commence until after receipt of fees or clarification of information sought. 6. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure. 7. Third party information is that which has been provided by others, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information 4

6 consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale. 8. Any information which may cause serious harm to the physical or mental health or emotional condition of the student or another should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings. 9. If there are concerns over the disclosure of information then additional advice should be sought. 10. Where redaction (information blacked out/removed) has taken place, then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why. 11. Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped. 12. Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used, then registered/recorded mail must be used. Complaints Complaints about the above procedures should be made to the Principal who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school s complaint procedure. Complaints which are not appropriate to be dealt with through the school s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information. Contacts If you have any queries or concerns regarding these policies / procedures then please contact the Director of Finance and Operations in the first instance Further advice and information can be obtained from the Information Commissioner s Office, or telephone

7 Annex B: Privacy notice Data Protection Act 1998: How we use your information We process personal information relating to our pupils and may receive information about them from their previous school or college, employer, local authority, the Department for Education (DfE) and the Learning Records Service. We hold this personal data to: support our pupils learning monitor and report on their progress provide appropriate pastoral care; and assess the quality of our services Information that we hold will include their contact details, national curriculum assessment results, attendance information, any exclusion information, where they go after they leave us and personal characteristics such as their ethnic group, any special educational needs they may have as well as relevant medical information. Some of this information may also be shared with an Independent Careers Adviser, who operates within the Academy. Chelsea Academy also uses CCTV to monitor its premises and adjacent areas in order to maintain security and to prevent and investigate crime. Images are recorded, kept for up to 30 days and then securely destroyed in accordance with the Data Protection Act. We will not give information to anyone without consent unless the law and our policies allow us to. If you want to see a copy of the information we hold and share about you then please contact the Director of Finance and Operations. If you require more information about how the LA or DfE store and use this data please see their websites or contact them as follows: Data Protection Officer Information Governance Team Information Systems Division (ISD) The Royal Borough of Kensington and Chelsea The Town Hall, Hornton Street, London W8 7NX dataprotection@rbkc.gov.uk Web: Department for Education Telephone: Web: EPIC Youth CEIAG Service : Once a student is aged 13 or over we are required to pass on certain information to the EPIC Youth CEIAG Service, RBKC s information and advice service for all young people aged 13 to 19. We must provide both the student s and parents /carers names and addresses, and any further information relevant to the EPIC Youth CEIAG Service role. However, you (if you are over 16) or your parents can ask that no information beyond name and address be passed to EPIC. Please inform the Academy Registrar if you wish to opt out of this arrangement. For more information about EPIC Youth CEIAG Service, please contact the Local Authority as shown above. This information sheet can also be found on our website. 6