
SHENLEY BROOK END SCHOOL
DATA PROTECTION POLICY

Linked Policies: CCTV

Review Information
Reviewed by Finance Pay and Personnel Committee 15 May 2012
Reviewed by Policy Committee August 2013
Adopted by full governing body on 13 June 2012

The term "school" is used throughout this policy. Shenley Brook End School is registered as an academy under the Academies Act 2010.

Policy Statement

Shenley Brook End School (the School) is registered as a Data Controller with the Information Commissioner's Office (ICO), and the school recognises and accepts its legal responsibility as set out in the current Data Protection Act. It is our policy to take all reasonable steps to meet this responsibility and to promote good practice in the handling and use of personal information. The school will always seek to ensure its actions are in accordance with relevant current legislation.

The Data Protection Act gives all data subjects a right of access to their own personal data. Complaints will be dealt with in accordance with the school's complaints policy.

In addition, the school is required by law to collect and use certain types of information to comply with the requirements of Government departments. This personal information will be dealt with correctly and securely regardless of how it is collected, recorded and used, and irrespective of whether it is held on paper or electronically.

Policy Governance

The Business Manager, as Data Controller, will ensure that the Data Protection Principles are adhered to and follow current legislation, and will provide a written statement stating adherence or exceptions to the PPFA Committee on an annual basis.

Signed: R Malpass, Chair of Governors
Date: 13 June 2012

Data Protection Policy April 2012 Page 2

The following paragraphs provide a brief guide to the Data Protection Act 1998.

1. Main Provisions of the current Legislation

(a) Ensuring Data Controllers notify their processing of personal data with the Information Commissioner's Office. The School must supply certain information to the Commissioner, who maintains a public register of the types of information organisations process, where they get it from and what they do with it.
(b) Observing the eight Data Protection Principles.
(c) Allowing the data subject to exercise his/her rights and have a right of access to the personal information held about them.

2. Definitions

Data Controller: Any individual or organisation who determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Personal Data: Information or data which relates to a living individual who can be identified from that data, or other information held.

Sensitive Personal Data: Personal data relating to an individual's race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life and commission of offences or alleged offences and any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

Relevant Filing System: A file or system which is structured in such a way which allows ready access to information about individuals.

Data Subject: An individual who is the subject of the personal data.

Processing: Obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including organising, adapting, altering, retrieving, consulting, using, disclosing, disseminating, transmitting, aligning, blocking, combining, erasing or destroying the data.

Accessible Records: Any educational records which are kept as part of a statutory duty.

Policy Implementation

1. Data Protection Principles

Specifically, the Principles require that:

- Personal data shall be processed fairly and lawfully;
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Personal data shall be accurate and, where necessary, kept up to date;
- Personal data shall not be kept for longer than is necessary for that purpose or those purposes;
- Personal data shall be processed in accordance with the rights of the data subject under the 1998 Act;
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2. Commitment

The School will, through appropriate management and application of criteria and controls:

- observe fully the conditions regarding fair collection and use of information;
- meet its legal obligations to specify the purposes for which information is used;
- collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- ensure the quality and accuracy of information used;
- ensure that information is not retained for longer than necessary;
- set out the procedures to ensure compliance with the duty to respond to requests for access to personal information;
- take appropriate technical and organisational security measures to safeguard personal information; and
- ensure that personal information is not transferred abroad without suitable safeguards.

3. Compliance

In addition, the School takes steps to ensure that:

- there is someone with specific responsibility for data protection in the organisation (currently, the nominated person is the Business Manager);
- everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- everyone managing and handling personal information is appropriately trained to do so;
- everyone managing and handling personal information is appropriately supervised;
- anybody wanting to make enquiries about handling personal information knows what to do;
- queries about handling personal information are promptly and courteously dealt with;
- methods of handling personal information are clearly described;
- methods of handling personal information are regularly assessed and evaluated;
- performance of handling personal information is regularly assessed and evaluated; and
- it disseminates to employees information on good practice in respect of handling, using and storing personal information.

Signed by: Mr Martin, Headteacher
Date: 13 June 2012