Data Protection/ Information Security Policy


Data Protection/ Information Security Policy
Date Policy Reviewed: 27th April 2016
Date Passed to Governors: 27th April 2016
Approved by Governors: 7th June 2016
Date of Next Review: June 2018

Data Protection Policy Statement

The Longfield Academy Trust is committed to the eight principles of the Data Protection Act 1998:

1) Personal data shall be processed fairly and lawfully.
2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3) Personal data shall be adequate, relevant and not excessive.
4) Personal data shall be accurate and, where necessary, kept up to date.
5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6) Personal data shall be processed in accordance with the rights of data subjects under this Act.
7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This statement represents the response of the Governing Body to its duties under the Data Protection Act 1998.

Our Commitment

Aims

The Longfield Academy Trust will implement the requirements of the Data Protection Act 1998 and any subsequent amendments or regulations on protecting data, and the academy's controls and procedures will ensure the integrity and security of data. The Longfield Academy Trust will maintain a Data Protection register entry with the Information Commissioner, and ensure that all personal data obtained, held, used or disclosed conforms to the details recorded within that registration.

In addition, The Longfield Academy Trust will ensure that:

1) A member of the senior management team has overall responsibility for the implementation of Data Protection. This is currently the Finance Director.
2) Staff are aware of their responsibilities under the Data Protection Act.
3) Staff are trained and supported to deal effectively with the requirements of the Act, including the need to deal with subject access requests, in whole or in part, in accordance with the Act.
4) The requirements of the Act are considered in decision-making processes, such as the development of policy and procedures and the design and implementation of information systems.
5) The operations of the organisation are developed to meet the highest standards of openness and accountability.

Scope of the Policy

The policy statement of commitment and the ensuing controls and procedures arising from the policy are applicable to all members of the Academy, including pupils. Those with responsibility for handling or processing information are particularly affected.

Monitoring

The Finance Director has responsibility for maintaining a register of all requests made for information under the Data Protection Act that do not fall within the remit of the Data Protection Registration with the Information Commissioner, and the action taken on each application. It will identify recurring requests for the same or similar information and provide information for the reviews of the Data Protection Registration.

The Longfield Academy Trust will register all complaints received about its Data Protection arrangements and will ensure that learning points arising from such complaints are used to improve related policies, procedures and guidance.

The Finance Director will annually review this policy and its associated procedures and arrangements to ensure it remains up to date and effective and takes account of emerging good practice. Where new legal directions come into force, the policy will be reviewed in line with the commencement of that legislation. The Academy Data Controller (the Trust's Finance Director) will ensure that the Academy's Data Protection Registration is renewed, reviewed and, where necessary, updated annually. The Business Committee will receive an annual report on the Academy's Information Policies that will include a report on the review of the Data Protection Policy.

The controls and procedures may also be subject to review by the Academy auditors, who would make recommendations on the basis of their findings. Arrangements and procedures that may be affected by changes in legislation will be reviewed as necessary. Significant changes in arrangements or procedures arising from these will be notified to Governors.

Criteria for monitoring

The Policy and associated procedures and arrangements will be monitored within the context of legislation, including:

1) Data Protection
2) Computer Misuse
3) Human Rights
4) Equal Opportunities
5) Telecommunications
6) Health & Safety

Requests and charges

Requests for information can be made under the Freedom of Information Act or as a Subject Access Request. Requests should be made in writing by letter or email to the Academy, either to a named member of staff or role title, or to the Finance Director:

Andrew Collishaw
Longfield Academy Trust
Longfield Road
Darlington
DL3 0HT

Proof of identity (normally a driving licence, passport or utility bill, or corporate identification in the case of organisations) will be required before the request can be met. The request will be dealt with within the required response time of 40 calendar days, subject to any extensions as stated within the Data Protection Act. If the request is too general, the Academy will offer advice and assistance to determine the information required. The Academy does not have the right to ask why information is being sought, but this information can be volunteered to assist the Academy in meeting the request. The Academy's Charging and Remission Policy details the current costs charged for retrieval of information.

Review and appeal

If an applicant is dissatisfied with the handling of a request, they have the right to ask for an internal review. Internal review requests should be submitted no later than 40 working days after the date on which the applicant believes that the academy has failed to comply with the requirement, and should be addressed to:

The Headteacher: Susan Johnson
Longfield Academy Trust
Longfield Road
Darlington
DL3 0HT

If an applicant is not content with the outcome of the internal review, they have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Making a request (Academy staff)

No member of the Academy staff, whilst acting within their respective role, should make a request under the Data Protection Act 1998 without first receiving the authorisation of a member of the senior management team.

Specific Data Protection Act Guidance

Photos

The Data Protection Act is unlikely to apply in many cases where photographs are taken in school. Fear of breaching the provisions of the Data Protection Act will not be wrongly used to stop people taking photographs or videos which provide many with much pleasure. Where the Data Protection Act does apply, a common-sense approach suggests that if the photographer asks for permission to take a photograph, this will usually be enough to ensure compliance. Photos taken for official school use may be covered by the Data Protection Act, and pupils and students will be advised why they are being taken. Photographs/videos should be stored securely and access should be restricted. At no time should access to photographs be open to other pupils or parents.

Biometrics

The Longfield Academy Trust does hold biometric data relating to pupils or staff. This data is always stored securely.

Bring Your Own Device

Bring your own device raises a number of data protection concerns because the device is owned by the user rather than the data controller. It is crucial that the school ensures that all processing of personal data under its control remains in compliance with the Data Protection Act. Currently, Bring Your Own Device does not happen within the curriculum within the Trust.

Cloud Computing

The Longfield Academy Trust, as data controller, has a responsibility to ensure that the processing carried out by its cloud service provider complies with the Data Protection Act. The Trust will ensure that a contract and a data processing agreement are in place.

Data confidentiality

When choosing a cloud service provider, the Trust will select a data processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and will take reasonable steps to ensure compliance with those measures.

Service availability

Service availability means ensuring timely and reliable access to personal data. One threat to availability in the cloud which is often outside the responsibility of the cloud service provider is the accidental loss of network connectivity between the client and the service provider. The school, as data controller, will therefore check whether it has adopted reasonable measures to cope with the risk of disruptions, such as backup internet network links. The school will assess the level of risk and whether the school is prepared to accept that risk.

Data transfers beyond the European Economic Area (EEA)

The school understands that cloud services provided by companies outside of the EEA may not have to comply with such tight data protection protocols. The Longfield Academy Trust will therefore only choose a cloud-based supplier which confirms that the data is stored within the EEA.

Payment Card Information

The Longfield Academy Trust does currently receive debit/credit card payments, including via SIMS Agora/Parentmail. SIMS Agora/Parentmail complies with the Payment Card Industry Data Security Standard (PCI DSS). SIMS Agora/Parentmail has the appropriate firewalls to protect cardholder data, and also anti-virus software. Access to SIMS Agora is via a series of system passwords. When credit/debit card information is received, the receipts of the payments are stored securely with cardholder information encrypted.

Information Security

Employee Responsibilities

Employees are responsible for:

1) Ensuring any information they provide to The Longfield Academy Trust in connection with their employment is accurate and up to date.
2) Informing the Academy of any changes to information they have previously provided, e.g. changes of address.
3) Checking the information that the Academy will send out from time to time giving details of information held and processed.
4) Informing the Academy of any errors or changes.

If and when employees, as part of their responsibilities, collect, access and process information for employment records, they must comply with the Guidelines for Data Protection. Line Managers are responsible for ensuring all employees they supervise are aware of their responsibilities under the Data Protection Act. The Academy will review annually the personal data held in respect of individual employees and will send a copy to employees to ensure it is accurate and up to date.

Data Security

Personal information (pupils, employees, commercial or any other information) should be kept in a locked filing cabinet or securely on the school's network. Information of this nature should not be stored on memory sticks.

All employees are responsible for ensuring that:

1) Any data which they have is kept secure, particularly if taking data off site on laptop computers, tablets or files. If mobile devices are taken off site, they should never be left in a car overnight. A password must be in place for the device. The same precedent applies if personal data is stored on employees' own devices.
2) At all times they take care to ensure the safe keeping of personal data, minimising the risk of its loss or misuse.
3) Any document containing personal data is password protected.
4) Personal information is not disclosed, either orally or in writing, deliberately, accidentally or otherwise, to any unauthorised third party.
5) No personal information is given to unknown third parties over the telephone. The sharing of personal data is required as detailed elsewhere in the document. If there are any doubts regarding the validity of the third party requesting the data, requests should be replied to in writing.
6) Personal data is used only on secure, password-protected computers and other devices, ensuring that they are properly logged off at the end of any session in which they are using personal data.
7) If school equipment is to be used by anyone other than the member of staff responsible for it, that user must have a separate account set up by the ICT Support Department. The laptop must remain in the user's possession at all times.
8) Equipment is insured whilst on school premises or at the registered user's home. Whilst in transit it is only covered if it is in the possession of the user. If the equipment is in a situation where it is not covered by insurance, users are responsible for organising their own insurance. Any damage not covered by insurance could be charged to the individual.
9) If staff receive work e-mails on their mobile phone, as a minimum a 4-digit passcode must be used on the device.

If there is a data breach, employees must notify their Headteacher and the Longfield Academy Trust's Finance Director immediately. Major data breaches could be reportable to the Information Commissioner's Office within 24 hours. Therefore it is important that any data breaches are disclosed as a matter of urgency. The Headteacher, in conjunction with the Finance Director, will review the circumstances of the data breach and decide whether the breach warrants disclosure and any corrective action which may be required. Employees should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases. It may also result in personal liability for the individual employee.

Data Sharing

The Longfield Academy Trust, the Local Authority and the Department of Education hold information on pupils in order to run the education system. In doing so the Academy has to follow the Data Protection Act 1998.
Data held about pupils has to be used for specific purposes allowed by law. The Academy holds information about staff in its employment records in order to perform key tasks, e.g. recruitment, performance monitoring, recording absence and health & safety matters. The Academy has to comply with the Data Protection Act 1998 to ensure it is collected and used fairly, stored safely and not disclosed to other persons unlawfully.

Pupil Data

The Academy holds information on pupils in order to support their teaching and learning, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the Academy as a whole is doing. This information includes contact details, National Curriculum assessment results, attendance information, and characteristics such as ethnic group, special educational needs and any relevant medical information.

From time to time we are required to pass on some of this data to the Local Authority (LA), to another school, Academy or College to which the pupil is transferring, to the Department of Education, and to the Standards and Testing Agency/Teaching Agency.

The Local Authority uses information about pupils to carry out specific functions for which it is responsible, such as the assessment of any special educational needs the pupil may have. As with the Department of Education, it may also use the information to derive statistics to inform decisions on (for example) the funding of Academies, and to assess the performance of Academies and set targets for them. The statistics are used in such a way that individual pupils cannot be identified from them.

The Standards and Testing Agency/Teaching Agency uses information about pupils to administer the National Curriculum tests and assessments. The results of these are passed on to the Department of Education in order for it to compile statistics on trends and patterns in levels of achievement. The Standards and Testing Agency/Teaching Agency uses the information to evaluate the effectiveness of the National Curriculum and the associated assessment arrangements, and to ensure that these are continually improved.

The Department for Education uses information about pupils for statistical purposes, to evaluate and develop Education Policy and to monitor the performance of the education service as a whole. The statistics are used in such a way that individual pupils cannot be identified from them. On occasions, information may be shared with other Government departments or agencies strictly for statistical or research purposes only.
Pupils, as data subjects, have certain rights under the Data Protection Act, including a general right of access to personal data held on them, with parents exercising this right on their behalf if they are too young to do so themselves. If a pupil wishes to access their personal data, or a parent wishes to do so on their behalf, they can contact the Academy in writing.

Please note that all rights under the Data Protection Act to do with information about pupils rest with them as soon as they are old enough to understand these rights. This will vary from one child to another and you will wish to consider the position for your child, but, as a broad guide, it is reckoned that most children will have a sufficient understanding by the age of 12.

Separately from the Data Protection Act, Department of Education regulations provide a pupil's parent (regardless of the age of the pupil) with the right to view, or to have a copy of, their child's educational record at the Academy. If a parent wishes to exercise this right they should write to the Academy.

Retention of Data

Personal information should not be retained on the employment record for any longer than is necessary for the purpose required, but equally it should not be discarded if doing so renders the record inadequate.

Retention Timescales

Application Form: 6 years from end of employment
References received: 6 years from end of employment
Payroll and Tax information: 6 years from end of employment
Annual Leave record: 2 years
Unpaid/Special Leave record: 6 years from end of employment
Sickness records: 6 years from end of employment
Annual Appraisal record: 6 years from end of employment
Records relating to promotion, training: 6 years from end of employment
Disciplinary record: 6 years from end of employment
References given: 6 years from date reference provided
Summary Record of Service (e.g. name, post(s) held, dates of): 10 years from end of employment
Accident record at work: 15 years
Injury at work record: 15 years
Core financial records: 6 financial years + current

These timescales can be extended where there is a justified business reason for doing so, not merely that it might be useful to hold such documentation. Application forms and other associated documentation within the Code of Practice for Recruitment and Selection of unsuccessful candidates for jobs should be destroyed after 8 months unless subject to challenge.

Date of next review

To be reviewed and approved by the Business Committee June 2018.