Data Protection Policy

Similar documents
Data Protection Policy

KEMBLE PRIMARY & SIDDINGTON CE PRIMARY SCHOOLS DATA PROTECTION & THE GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

DATA PROTECTION POLICY 2016

Data Management and Protection Policy

Data Protection Policy

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Data Protection Policy

Data Protection Policy

DATA PROTECTION POLICY

DATA PROTECTION POLICY

Data Protection Policy for the Grimsby Institute of Further & Higher Education

HOLY TRINITY CE PRIMARY SCHOOL PRIVACY NOTICE FOR PARENTS / CARERS OF PUPILS

Sir William Perkins s School Data Protection Policy

PRIVACY NOTICE FOR PARENTS / CARERS OF PUPILS ATTENDING Greenside School

Parents / Carers of Pupils Attending St Catherine s C of E Primary School Privacy Notice

Data Protection. Policy

Data Protection Policy

PRIVACY NOTICE FOR PARENTS/CARERS OF PUPILS ATTENDING WARREN DELL PRIMARY SCHOOL

Little Gaddesden C. of E. Primary School

DATA PROTECTION POLICY

PRIVACY NOTICE FOR PARENTS / CARERS OF PUPILS ATTENDING: St Luke s School

Data Protection Policy

Roundwood Primary School. Privacy Notice Parents

General Optical Council. Data Protection Policy

DATA PROTECTION POLICY

Data protection (GDPR) policy

St Michael s CE Primary School Data Protection Policy

The template uses the terms students / pupils to refer to the children or young people at the institution.

St Mark s Church of England Academy Data Protection Policy

DATA PROTECTION POLICY

Research on school subject choices

Bulkington, Nuneaton & Bedworth (BNB) BNB U3A Data Protection Policy

VMS Software Ltd- Data Protection Privacy Policy

Queen s Croft High School DATA PROTECTION POLICY AND PRIVACY NOTICE

Brasenose College Data Protection Policy Statement v1.2

GENERAL DATA PROTECTION REGULATION Guidance Notes

HITCHIN GIRLS SCHOOL PRIVACY NOTICE FOR PARENTS / CARERS OF PUPILS ATTENDING HITCHIN GIRLS SCHOOL

Data Protection Policy

Data Protection/ Information Security Policy

DATA PROTECTION POLICY 2018

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

Data Protection Policy

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

DATA PROTECTION POLICY

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

DATA PROTECTION POLICY

Norton Community Primary School. Data Protection Policy. September Vision Statement. Nothing is beyond our reach!

A Parish Guide to the General Data Protection Regulation (GDPR)

PRIVACY NOTICE FOR PARENTS / CARERS OF PUPILS ATTENDING GRAVELEY PRIMARY SCHOOL

Functional area. F Hallinan, C Abad, W Andrews Approver (s) Version 001 Effective date 25 May Privacy Notice for Emergency Contacts

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

Nissa Consultancy Ltd Data Protection Policy

CHANNING SCHOOL DATA PROTECTION POLICY

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

General Personal Data Protection Policy

Data Protection Policy

Sample Data Management Policy Structure

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

BROOKS PERSONAL TRAINING

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

RAW MARKETING DATA PROTECTION POLICY

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

University for the Creative Arts Application Declaration. Data Protection Privacy Notice

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Tourettes Action Data Protection Policy

The Galway Clinic (GC) has implemented this document to demonstrate its commitment to the

Privacy notice for parents/carers

Data subject access policy

Data Protection Policy

Baptist Union of Scotland DATA PROTECTION POLICY

Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

Data Protection in schools and colleges: Questions from the Governing Board/Trustees/Directors

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

Humber Information Sharing Charter

Privacy Policy PURPOSE SCOPE POLICY. Data Collection

W h i t t l e s C h a r t e r e d A c c o u n t a n t s

N.A.P.P.I. (UK) Limited - Course Participant Data Protection Statement

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

DATA PROTECTION POLICY

UoW takes measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.

Human Resources Directorate

Information Sharing Policy

Information Governance Clauses Clinical and Non Clinical Contracts

The General Data Protection Regulation (GDPR) A Brief Guide for Scottish Episcopal Church Congregations

Guidance on the General Data Protection Regulation: (1) Getting started

UK Research and Innovation (UKRI) Data Protection Policy

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

DIOMED DEVELOPMENTS LIMITED DATA PRIVACY NOTICE FOR APPLICANTS

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

We have prepared a general privacy notice covering all subject data and including use of our website at

ARTICLE 29 Data Protection Working Party

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

POLICY ON INFORMATION, SECURITY & DATA PROTECTION

Data Protection Policy & Procedures

Transcription:

Policy Current Status Operational Last Review: May 2018 Responsibility for Review: Director of Administration, Contracts and Health Next Review: September 2019 Internal Approval: & Safety SLT Originated: June 2010 The purpose of this policy is to state the principles adopted by Suffolk One to ensure that all personal data collected about staff, students, parents/carers and visitors is stored and processed in accordance with the General Regulations (GDPR) 25 th May 2018. The policy applies to all personal data, regardless of whether it is in paper or electronic format and describes the responsibilities of staff towards personal information. It also defines the rights of staff and students and their families to access their own records. 1. Introduction Our college processes personal information relating to students, staff and visitors and therefore is a data controller and a data processor for many types of data. Suffolk One is registered as a data controller with the Information Commissioner s Office and we renew this registration annually. Suffolk One complies fully with the following Act principles, which state that personal data must be: Fairly and lawfully processed Processed for limited, necessary and lawful purposes Adequate, relevant and not excessive Accurate Not kept longer than is necessary Processed in accordance with an individual s rights Processed and kept in a secure manner Not transferred without adequate protection Suitable and sufficient technological and organisational methods of maintaining the integrity of a data subjects personal data is at the heart of achieving these principles. 2. Roles and Responsibilities 2.1. The Chair of the Local Governing Body (LGB) is ultimately responsible for the adherence to the articles of law with regard to data protection processes. The Chair may will act as the highest point of escalation with regards to this adherence. The Chair will delegate the day to day functions for data protection to the Principal who in turn can nominate other staff to coordinate the necessary functions within the college. The Principal has the responsibility of ensuring compliance with policies and procedures agreed. 2.2. All managers are responsible for ensuring that staff are aware of and abide by this policy and associated procedures. 2.3. The Officer (DPO) will conduct data audits, support staff with Data Protection Impact Assessments and monitor compliance across the college. The DPO 1

will act in the interest of the data subject; cooperate and act as a point of contact with the supervisory body, as well as grant Subject Access Requests and oversee the breach reporting process. 2.4. All staff are responsible for ensuring that any personal data which they hold is kept securely, and personal information is not disclosed in any way and to any unauthorised third party. They must also report breaches and model best practice. 2.5. Suffolk One will keep a record of staff authorised to access, process or use any personal information on staff or students. 2.6. The LGB of Suffolk One has adopted Department for Education (DfE) guidelines on the disclosure of student records under the General Regulations (GDPR). 2.7. The college will make all parents/carers and all students attending Suffolk One aware of a summary version of the Privacy Notice and draw attention to this through notices to students and other home/college communications. 2.8. Suffolk One will place a copy of the full Privacy Notice on the non-password protected area of its website with a notice explaining that a paper copy is available on request. 2.9. Suffolk One staff will be formally trained in suitable and sufficient data protection awareness and best practice for the organisation. This will be refreshed annually. 3. Legislative Framework The Act 1998; Freedom of Information Act 2000; The Education (Student Information) (England) Regulations 2005; (Subject Access Modification) (Education) Order 2000. The Children s Act 1989. Education Act 2005 Learning and Skills Act - 2000 Children Act 2004 and subsequent orders Every Child Matters: Change for Children 2004 4. Responsibilities of Staff 4.1. Information about Staff All staff are responsible for: Checking that any information they provide to One in connection with their employment is accurate and up-to-date. Informing One of any changes to information which they have provided, i.e. change of address. The college cannot be held responsible for any errors unless the staff member has informed us of them. 4.2. Information about students All staff must comply with the following guidelines: All staff will process data about students on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. One will ensure through the enrolment process that all students give their consent to this process and are notified of the categories of the process, as required by the 2

1998 Act. The information that staff deal with on a day-to-day basis will be standard and will cover categories such as: General personal details such as name and address. Details about class attendance, course work marks and grades and associated comments. Notes of personal supervision, including matters about behaviour and discipline. 4.3 Information about Others All staff must exercise the same robust considerations to data that may be retained, processed or shared, when this involves other individuals who are not directly employed staff or students. Examples of these could include: Parents, Carers, relatives, etc. Contractor Staff information Governors Visitors and Guests 4.4 Security of Information Staff will be responsible for ensuring that all personal data is kept securely and in accordance with the One Acceptable use of ICT Equipment policy if held on electronic media. Staff must ensure that personal data is: Placed in lockable storage if on physical media. Passwords to any electronic media should conform to the requirements of the above Policy Unattended ICT equipment should be left logged out or locked. ICT equipment used off-site must be password protected. Data files on removable storage or within email attachments used off-site and containing personal data must be password-protected. 5. Subject Access Requests 5.1. The College will comply with requests for access to personal information as quickly as possible but will ensure that it is provided within the specified allowed time of 30 days unless there is good reason for delay. 5.2. All individuals have the right to request access to information the college holds about them. This can be requested via the Subject Access Request form located on our website. 6. Educational Record Requests 6.1. Students are entitled to have their educational records disclosed to them within 15 college days of making a written request. 6.2. Parents are entitled to have their child's educational records disclosed to them, free of charge, within 15 college days of making a written request. 3

7. Material Exempt from Disclosure 7.1. A Subject Access Request may be refused or items that fall under this request may be withheld in certain circumstances; Where an individual who is not the intended data subject is referred to; If information might result in serious harm physically or, The mental health of the individual or another may be seriously affected; If information would reveal that a child is at risk of abuse; If the information is not in the individuals best interests; If information contains adoption of parental order records; If the information may form part of that given to a court for proceedings, e.g. a report. 7.2. Data held under the Education Act may be transferred to another educational establishments. They also allow, in some cases, for a record about a student from a third party, such as a letter from a parent or another student or a local shopkeeper, to be disclosed. Disclosure is permissible if the record does not allow for identification of the third party. If the record does allow the third party to be identified, it may still be disclosed if the third party gives consent or, in the circumstances, it is reasonable to allow disclosure without seeking that consent. 8. Breaches The DPO will receive breach reports, and act on these in line with the Breach procedure. This may result in a formal report to the ICO depending on the level of breach that has occurred. Currently this threshold is defined as the breach is likely to result in a risk to the rights and freedoms of individuals. Final judgement on if a breach should trigger a formal report is made by the DPO acting on behalf of the best interests of the data subject. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 9. Third Party Contractors Suffolk One engages with a wide range of suppliers and supplies personal data to these organisations or other bodies and individuals who process this as needed for the purposes of delivering their service. All such entities must be compliant with current GDPR practice to authorise them to be in receipt of and engage in processing of same. A process of ratification is used to provide a list off approved suppliers. New entities must undergo this test to assure Suffolk One of their full intentions to safely and securely access and process this data. A Third-Party Contractor Procedure exists to detail how this takes place. Only European Economic Area (EEA) states and a handful of other countries are bound by GDPR. Business and others outside these territories must be carefully scrutinised to ensure compliance to the correct standard. The DPO should advise on permissible companies depending on the location of their base of operations. Subcontractors in the chain of operations must also be fully complaint. A full list of organisations whom Suffolk One sends data to is attached to the privacy notice. 4

10. Data Mapping Suffolk One will map all flows of data into, around and out of the organisation to ensure its legal requirement to do so is fulfilled. This will be achieved under the Data Privacy Impact Assessment (DPIA) procedure. Audits and Risk Analysis form a key part of this procedure. How third-party companies will be involved with the data map is also incorporated and is available on request. 11. Privacy Notice/ Fair Processing Notice A public notification is available known as a Privacy Notice/ Fair Processing Notice. This will describe why, how, where and who else uses specific types of data processed and controlled by Suffolk One. This document is available on request and as the primary focus of the organisation is education a shorten student version is posted on the website detailing only the aspects of data control and processing relating to students, parents/carers and directly associated entities. 12. Requests for Removal and Rectification The website hosts an online form that allows individuals who wish to have their data removed or updated this opportunity. Where the capabilities exist to grant these requests, this will be actioned in line with the college Retention procedure. 13. Retention A Retention procedure details how long personal data of any kind is stored for. Originators or acceptors of data in the college must set a reasonable period of retention if data is required to be stored. A general rule of good practice should be followed to ensure that data is removed, anonymised and redacted after the shortest period of time possible. Suitable retention periods can be discussed with the DPO. Some data may have restrictions on retention periods relating to specific pieces of legislation e.g. the Education Act. 14. Data Controllers and Data Processors Suffolk One is a both a Data Controller and Data Processor based on the requirements of its operations. Control of data extend outside the physical boundaries of its sites of operations. Data may be under joint control with some of its Third-Party Suppliers. Suffolk One will receive data from individuals who are not the Controllers of that data or from various Controllers themselves. If Suffolk One and its staff intend to take control of this data, they must formally document and gain permission from the original Data Controller. Suffolk One and its staff may pass on personal data to other bodies and its responsibilities for data control must be handed to this body, providing authorisation has been sought from the individuals whose data is being transferred where authorisation is required. 15. Legal Basis for Legitimate Use Six major conditions are available to validate the need to be able to process a data type and Suffolk One will assign a legal basis or reason for each data set it controls or processes from these six or others that become incorporated into the Act. 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback