Data Protection Policy

Name of Chair: Mr David Mann
Name of Headteacher: Mrs Eileen Bissell
Name of person Responsible: Mrs Eileen Bissell
Adopted and Agreed on: October 2015
Date of Review: October 2018
Ref No: A5
The Governing Body of the school has overall responsibility for ensuring that records are maintained, including security and access arrangements, in accordance with Education Regulations and all other statutory provisions. The Headteacher and Governors of this School intend to comply fully with the requirements and principles of the Data Protection Act 1984 and the Data Protection Act 1998. All staff involved with the collection, processing and disclosure of personal data are aware of their duties and responsibilities within these guidelines.

Introduction

The Data Protection Act

The Data Protection Act 1998 regulates how personal information relating to living individuals is dealt with. It applies to anyone holding data about individuals on computer and/or manual records. The Act lays down detailed conditions for the processing of personal data and gives individuals (referred to as the Data Subject) the right to access information held about them and to have inaccurate data corrected or erased.

Statement of Policy

Oakdale Junior School needs to collect and use certain types of information about people with whom it deals in order to operate. These include pupils past or present; current, past and prospective employees; suppliers; and others with whom it communicates. In addition, Oakdale Junior School may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of central government departments.

Oakdale Junior School regards the correct treatment of personal information as very important to its successful operations, and to maintaining confidence between those with whom we deal and ourselves. We ensure that our organisation treats personal information lawfully and correctly however it is collected, recorded and used, and regardless of whether it is in hard or electronic format. The Data Protection Act 1998 provides safeguards to ensure that this is done correctly.
To this end Oakdale South Road Middle School fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.

The Principles of Data Protection

The Data Protection Act requires that organisations which handle personal information comply with eight key principles regarding privacy and disclosure. The Principles require that personal information:

1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
2. Shall be obtained only for specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
4. Shall be accurate and where necessary, kept up to date;
5. Shall not be kept for longer than is necessary;
6. Shall be processed in accordance with the rights of data subjects under the Act;
7. Shall be kept secure (i.e. protected by an appropriate degree of security);
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

Definition of Personal and Sensitive Personal Data

Personal Data means data that relates to a living individual whereby they can be identified:

(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data means personal data consisting of information as to:

- The racial or ethnic origin of the data subject;
- Their political opinions;
- Their religious beliefs or other beliefs of a similar nature;
- Their physical or mental health or condition;
- Their sexual life;
- The commission or alleged commission by them of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Handling Personal/Sensitive Data

Oakdale Junior School will, through appropriate management and strict application of criteria and controls:

- Observe fully conditions regarding the fair collection and use of information;
- Meet its legal obligations to specify the purposes for which information is used;
- Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Apply strict checks to determine the length of time information is held;
- Ensure that the rights of people about whom information is held can be fully exercised under the Act.
  (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information.);
- Take appropriate technical and organisational security measures to safeguard personal information;
- Ensure that personal information is not transferred abroad without suitable safeguards.

Identification of Roles and Responsibilities

Oakdale Junior School

Oakdale Junior School is the data controller under the Act and is therefore ultimately responsible for implementation. It is also the school's responsibility as a data controller to make all employees aware of their individual responsibilities.
In particular, the school will ensure that:

- There is someone with specific responsibility for data protection in the organisation;
- Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- Everyone managing and handling personal information is appropriately trained to do so;
- Everyone managing and handling personal information is appropriately supervised;
- Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
- Queries about handling personal information are promptly and courteously dealt with;
- Methods of handling personal information are regularly assessed and evaluated;
- Performance with handling personal information is regularly assessed and evaluated;
- Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing.

Any disclosure of personal data will be in compliance with approved procedures.

Lead Officer

A lead officer has been assigned to manage Data Protection within the School/Borough on a day-to-day basis. This officer will:

- Maintain a Register of manual personal records and process records for the National Register of electronic personal records.
- Provide guidance to departmental representatives on the responsibilities of their departments and any specific procedures that need to be followed.
- Arrange for Subject Access Requests to be carried out within departments.
- Arrange provision of cascade data protection training for staff within the council.
- Carry out compliance checks to ensure adherence, throughout the authority, with the Data Protection Act.
- Have the right to waive the fee for Subject Access Requests.

Unit Representatives

Designated officers have also been identified in all Units.
These officers will be responsible for ensuring that the Policy is implemented within their Unit and for:

- Identifying and recording officers who keep personal data within their Unit.
- Disseminating guidance received from the DPO to officers within their Unit.
- Ensuring that officers are aware of the principles of the Act and the procedures for implementation.
- Ensuring that changes or amendments to the Borough's Notification are reported.

All staff of Oakdale Junior School

It is not the responsibility of the Lead Officer or Unit Representatives to apply the provisions of the Data Protection Act. This is the individual responsibility of all officers who use, keep or collect personal data. Therefore, all managers and staff within the School/Borough's service units will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

- Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
- Personal data held on computers and computer systems is protected by the use of secure passwords. Individual passwords should be such that they are not easily compromised;
- Personal information is transferred only by secure means of communication;
- Personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party;
- They adhere to the school's ICT Security and Access Control Policies and Guidelines for the Remote use of ICT equipment and information;
- They inform their Unit representative and the Lead Officer about any existing records or any proposals to keep personal information and to supply information in the appropriate format.

Contractors

All contractors, consultants, partners or other servants or agents of the college must:

- Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of Oakdale Junior School, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between Oakdale Junior School and that individual, company, partner or firm;
- Allow data protection audits by the school of data held on its behalf (if requested);
- Indemnify the school against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors who are users of personal information supplied by the school will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by the school.

Notification to the Information Commissioner

It is a basic principle of data protection that the public should know (or be able to find out) who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).
Notification is the process by which the Borough of Poole informs the Information Commissioner of certain details about its processing of personal information. These details are available to the public for inspection via the ICO's Register of Data Controllers.

It is a statutory requirement that the Borough renews its notification on an annual basis and, in the interim, notifies the Information Commissioner of any amendments within 28 days. Failure to do so is a criminal offence. Responsibility for submitting notifications to the Information Commissioner has been designated to the Borough's Legal and Democratic Services Unit. To this end, any changes made between reviews must immediately be brought to the attention of the Head of Legal and Democratic Services.

Dealing With Subject Access Requests

Individuals have a right under the Data Protection Act to make a request in writing for a copy of the information that the Borough holds about them on computer and in some manual filing systems. This is called a subject access request. They are also entitled to be given a description
of the information, what it is used for, who it might be passed on to, and any available insight into the source of the information.

Subject to a number of exemptions, the Borough of Poole will comply with a subject access request within a maximum of forty days of receipt, provided that:

- The request is made in writing.
- The correct fee, currently £10, has been paid in advance.
- Sufficient information is provided to identify the person making the request and the information that is being sought.

The Borough has made a Subject Access Request Form available on request or via our website (www.boroughofpoole.com), in order to enable individuals to access their data and ensure requests are processed effectively.

Policy Review

This policy will be reviewed on a two-yearly basis to ensure that it continues to meet the requirements of the Borough and the current legislation. The Corporate Information Management Compliance Officer will carry out this review. Any changes to the policy will be notified to the Senior Management Team.

CCTV

The school operates a CCTV system which is in operation 24/7. In order to provide security to property and persons, a number of cameras are in operation throughout the school. The cameras are owned by the school and the system is operated by a small number of school staff, which includes the Business Manager and Site Staff. A written request for copies of a person's appearance in the recordings should be addressed to the Headteacher. Written permission from all persons present in the recording should be received before any viewing is allowed. The school reserves the right to refuse any individual access to the recordings, if this is in protection of its students and staff. The school will always provide recordings at the request of the BOP and the Police. The cameras operate so that images are saved to the hard drive; this is overwritten every month.
All persons entering into a letting agreement with Oakdale Junior School must inform all persons attending that a CCTV system is in operation throughout the school. The school will be compliant with the Code of Practice for CCTV, Information Commissioner's Office (2008).

October 2015