St Mark's Church of England Academy Data Protection Policy


Author: Claire Wilkins
Owner: CfBT Schools Trust
Target group: All employees, consultants and volunteers
Issued: September 2017
Next review due: September 2018

This policy applies to the whole of CfBT Schools Trust (CST), including all schools.

Introduction

The law around data protection is changing. Current legislation is within the Data Protection Act 1998 (DPA). In May 2018, the General Data Protection Regulation (GDPR) will come into force. This policy will be updated ready for the GDPR in early 2018 and CST will provide information and updates to schools in preparation for these changes. For now, the DPA, and this template policy, continues to apply.

The DPA places obligations on organisations that use personal information (Personal Data), including schools, and gives individuals certain rights. The DPA states that those who record and use personal information must be open about how the information is used and must follow the eight principles of good information handling.

The Information Commissioner's Office (ICO) is the regulating body and they maintain a public register of data controllers. CST has registered with the ICO as a data controller. This registration covers all CST schools and schools do not need to register separately. Please follow this link to view the registration: http://www.ico.org.uk/esdwebpages/dosearch?reg=213819

CCTV and biometrics are included on our registration. All schools are required to keep CST informed of any changes in how data is processed by the school, so that we can notify the ICO within 28 days of the change (notification@ico.gsi.gov.uk - there is no charge for this). Please note that failure to comply with the above is a criminal offence.

Further Information

You can find out more about notifying the ICO (and the associated costs) via this page of the ICO website: http://www.ico.gov.uk/for_organisations/data_protection/notification.aspx

There is lots of other useful information for schools on data protection on the ICO website:

Main education page: http://ico.org.uk/for_organisations/sector_guides/education

This page includes the latest ICO guidance notes on the following topics: biometrics; taking photos in schools; use of CCTV in schools; lesson plans on data protection; and many other useful topics.

Claire Wilkins, CST Legal and HR Lead, is also available to help with any data protection queries.

Data Protection tips:

- Parents and pupils can request to see any personal data held by the school which relates to them - this may include emails between staff and handwritten notes. Ensure all staff are aware that what they write may be seen.
- Both the Data Protection Act and the Freedom of Information Act apply to academies - do not confuse the two as the requirements and timescales are different.
- The Data Protection Act applies to academies in a different way to state schools. For example, academies have 40 calendar days in which to respond to requests for personal data rather than the 15 days that state schools usually have. The charges are also different.
- Include a data protection statement or privacy notice in the school prospectus or welcome book as well as on any forms used to collect personal data. It is important to inform parents and pupils what personal information you are collecting and why (including, for example, telephone numbers, photos of pupils and CCTV images).
- Schools can take photos of pupils for inclusion in the prospectus or website so long as you have informed parents and pupils of your intentions.
- Images captured by individuals for personal or recreational use with a mobile phone, digital camera or camcorder are exempt from the DPA (i.e. parents can take photos of pupils in a school play).
- The rules on data protection are complicated and there are often exceptions to a rule. Seek advice from the Trust's Legal and HR Lead if you are unsure, especially when responding to a data subject access request.

Biometric Data

Since September 2013, there are no circumstances in which a school can lawfully process, or continue to process, a pupil's biometric data (i.e. fingerprints, palm scans) without having notified each parent of a child and received the necessary consent. Schools must obtain the written consent of at least one parent before the biometric data are taken from the child and used. This applies to all pupils in schools under the age of 18. In no circumstances can a child's biometric data be processed without written consent.

Schools and colleges must not process the biometric data of a pupil (under 18 years of age) where:

a) the child (whether verbally or non-verbally) objects or refuses to participate in the processing of their biometric data;
b) no parent has consented in writing to the processing; or
c) a parent has objected in writing to such processing, even if another parent has given written consent.

Schools must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system.

All biometric information is legally regarded as personal data as defined by the Data Protection Act 1998; this means that it must be obtained, used and stored in accordance with that Act, as with all other personal data.

Data Protection

In order to operate efficiently, CfBT Schools Trust (CST) has to collect and use information about people. This may include current, past and prospective pupils, parents, members of the public, staff and suppliers.

We are committed to ensuring personal data is properly managed and the Data Protection Act 1998 (DPA) is complied with. We will make every effort to meet our obligations under the legislation. This policy, and our processes, will be updated when the new General Data Protection Regulation (GDPR) comes into force in May 2018.

Scope and Publication

This policy applies to all staff, Local Governors, contractors, agents and representatives working for or on behalf of the Trust, including in all schools and the CST central team, and is available via the website and on request. This policy can be made available in large print or other accessible format if required.

This policy applies to all personal data processed by the Trust and held electronically or manually. Images captured by individuals for personal or recreational use with a mobile phone, digital camera or camcorder are exempt from the DPA (i.e. parents are allowed to take photos of pupils in a school play).

Responsibilities

CST is the data controller for the purposes of the Act and therefore has overall responsibility for compliance with the DPA. CST has delegated responsibility to the Headteacher in each school for ensuring compliance with the DPA and this policy within the day-to-day activities of the school.

The Headteacher has appointed a Data Protection Officer (DPO). The DPO is responsible for:

- notifying CST about any change in the school's use of data to allow CST to keep the ICO up to date with changes in how the school processes data
- obtaining consent for disclosure of personal data, including routine consent from parents and pupils for using photographs for general school purposes
- ensuring data protection statements are included on forms that are used to collect personal data
- acting as a central point of advice for staff on data protection matters
- coordinating requests for personal data
- arranging appropriate data protection training for all staff
- keeping up to date with the latest data protection legislation and guidance
- ensuring adequate systems are in place for compliance with this policy
- working with CST to update processes in line with the GDPR.

Definitions

Personal data: information which relates to an identifiable living individual that is processed as data. Examples would be names of staff and pupils, dates of birth, addresses, national insurance numbers, school marks, medical information, exam results, SEN assessments and staff development reviews.

Processing data: collecting, using, disclosing, retaining, or disposing of information.

Sensitive personal data: information that relates to race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality and criminal offences.

The Requirements

The DPA stipulates that anyone processing personal data must comply with eight principles of good practice. The principles require that personal data:

1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
4. Shall be accurate and where necessary, kept up to date.
5. Shall not be kept for longer than is necessary for that purpose or those purposes.
6. Shall be processed in accordance with the rights of data subjects under the Act.
7. Shall be kept secure, i.e. protected by an appropriate degree of security.
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

Notification

As required under the DPA, CST will ensure that the ICO is notified that we are processing personal data and in what ways and will ensure the registration is renewed annually.

Data Gathering

Whenever we collect new information about individuals we will ensure individuals are made aware:

- that the information is being collected
- of the purpose that the information is being collected for
- of any other purposes that it may be used for
- who the information will or may be shared with; and
- how to contact the data controller.

We will only obtain relevant and necessary personal data for lawful purposes and will only process the data in ways which are compatible with the purpose for which it was gathered. Data protection statements will be included in the school prospectus and on forms that are used to collect personal data.

Data Storage

Personal data will be stored in a secure and safe manner. The following measures are taken to help ensure this:

- Electronic data will be protected through secure password, encryption software and firewall systems.
- Computer workstations in administrative areas will be positioned so that they are not visible to casual observers.
- Manual personal data will be stored securely where it is not accessible to anyone that does not have a legitimate reason to view or process the data.
- Particular attention will be paid to the need for security of sensitive personal data, for example health and medical records will be kept in a locked cupboard.
- Personal data will not be left out visible on desks.
- The physical security of buildings and storage systems will be regularly reviewed.
- Staff will be trained on this policy and related data protection procedures.

Data Checking

Systems will be put in place to ensure the personal data that we hold is up to date and accurate. For example, the school will ensure that parents are asked at least once a year to confirm their contact details. Any inaccuracies discovered or reported will be rectified as soon as possible.

Disclosing Data

Personal data will only be disclosed to organisations or individuals for whom consent has been given to receive the data, or organisations that have a legal right to receive the data without consent being given.

When requests to disclose personal data are received by telephone, we will ensure that the caller is entitled to receive the data and that they are who they say they are. In some circumstances, we may call the caller back to check the identity of the caller.

Personal data will not be included on the website, in newsletters or other media without consent of the individual (or his/her parents where appropriate). Routine consent may be requested from parents to avoid the need for frequent, similar requests for consent being made by the school.

Personal data will only be disclosed to the Police if they are able to supply sufficient authority which notifies of a specific, legitimate need to have access to specific personal data.

Data Subject Access Requests

Any person whose personal data is held by CST is entitled, under the DPA, to ask to access this information. The request must be in writing. The right is to view or be given a copy of the personal data, rather than to the whole document which contains the personal data. There are some exceptions to the rights of access to information in certain records (for example in relation to examination scripts, legal advice).

When a request is received by a member of staff, this should be passed to the school's Data Protection Officer without delay. The request must be dealt with promptly; a response must be provided as soon as possible and no later than 40 calendar days from the date the request was received.

We may make a charge of £10 for responding to a request for personal data under the DPA and will need to confirm the requester's identity.

Parents can make data subject access requests on their child's behalf if their children are deemed too young to look after their own affairs. If a request is made by a parent for personal data relating to their child and the child is aged 12 years or older, written consent will need to be sought from the child before the data is disclosed to the parent.

A record will be kept of all data subject access requests made that require formal consideration.

Destroying Data

Out-of-date information will be discarded if no longer relevant. Personal data will only be kept as long as reasonably needed, for legal or business purposes.

Breach of the Policy

Non-compliance with this policy and data protection legislation by a member of staff is considered a disciplinary matter which, depending on the circumstances, could lead to dismissal.

Monitoring, Evaluation and Review

The DPO will monitor the implementation and effectiveness of this policy and report his/her evaluation to the Headteacher on an annual basis. The Headteacher will report back to CST on this policy and its implementation and effectiveness every two years; CST will then review the policy, making amendments where necessary.

This policy will be reviewed in early 2018 in readiness for the GDPR coming into force in May 2018.

Indication of Parent's Preference

Student Name:
Date of Birth:
Address:

Parent's Declaration of Preference (please insert tick or info. here)

- I agree to photographs or film of my child appearing in any publication or form approved by the Headteacher including the school website.
- I agree to photographs or film of my child appearing only in the following publications or circumstances (give details).
- I do not agree to photographs or film of my child appearing in any circumstances.
- I agree to the following information being associated with my child's photograph or image at the discretion of the Headteacher (please specify e.g. name, age, class, home location, prizes won etc) or say ALL or NONE as appropriate.
- I consent to the school taking and using information from my child's [insert biometric e.g. fingerprint] by as part of an automated biometric recognition system. This biometric information will be used by the school for the purpose of [describe purpose(s) for which this data will be used, e.g. administration of school library/canteen]. Once your child ceases to use the biometric recognition system, his/her biometric information will be securely deleted by the school.
- I do not consent to the school taking and using information from my child's [insert biometric e.g. fingerprint] by as part of an automated biometric recognition system.

If you wish to withdraw or amend your consent for the above at any time, this must be done in writing and sent to the school.

Parents/legal guardians
Signed:                    Name (block capitals):
Signed:                    Name (block capitals):

Student (where applicable)
Signed:                    Name (block capitals):