1. COMMITMENT TO GENERAL DATA PROTECTION AND DATA PROTECTION BY DESIGN
1.1. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) are the laws that protect personal privacy and uphold individuals’ rights. They apply to anyone who handles or has access to people’s personal data.
1.2. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the legislation. It applies to personal information regardless of the way it is used, recorded and stored, and whether it is held in paper files or electronically.
1.3. This policy sets out the Organisation’s commitment to GDPR and the implementation of a data protection by design approach.
1.4. The Organisation will refer to documents and guidance from the Information Commissioner’s Office and the Department for Education in relation to GDPR and data processing.
1.5. This includes ensuring the following:
● The creation and maintenance of a data protection working group;
● Assigning responsibility to an individual within The Organisation;
● Assigning a Data Protection Officer;
● Development and maintenance of a GDPR project;
● Ensuring that all staff are trained in data protection and take responsibility for the collection, processing, storage and destruction of data;
● A lawful basis for processing is documented for all processing activity;
● Principles relating to processing of personal data are adhered to;
● The rights of data subjects are respected;
● Risks to the rights of data subjects are assessed and mitigated for all large-scale and new processing;
● Regular independent reviews of processing activity and processing documentation are carried out;
● Organisational and technical measures are implemented to protect data;
● Data breaches impacting on the rights and freedoms of data subjects will be reported to the Information Commissioner’s Office (ICO).
2.1. The Organisation, as the Data Controller, will comply with its obligations under the GDPR and the Data Protection Act 2018. The Organisation is committed to being concise, clear and transparent about how it obtains and uses personal information and will ensure data subjects are aware of their rights under the legislation. This policy sets out how the Organisation will do this.
2.2. All Organisation staff and Organisation workforce must have a general understanding of the law and understand how it may affect their decisions in order to make an informed judgement about how information is gathered, used and ultimately deleted. All staff must read, understand and comply with this policy so that the Organisation can meet its obligations under GDPR and the Data Protection Act 2018.
2.3. The Information Commissioner, as the Regulator, can impose substantial fines for breaches of GDPR, the Data Protection Act 2018 and other Data Protection Legislation. Therefore, it is imperative that the Organisation, all staff and the workforce comply with the legislation. The Data Protection Officer will be the principal point of contact with the ICO.
3. POLICY STATEMENT
3.1 Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities as an Organisation we will collect, store and process personal data about our pupils, workforce, parents and others. This makes us a data controller in relation to that personal data.
3.2 We are committed to the protection of all personal data and special category personal data for which we are the data controller.
3.3 The law imposes significant fines for failing to lawfully process and safeguard personal data and failure to comply with this policy may result in those fines being applied.
3.4. All members of our staff and workforce will comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary or other action.
4.1. The types of personal data that we may be required to handle include information about pupils, parents, our workforce, and others that we deal with. The personal data which we hold is subject to certain legal safeguards specified in the General Data Protection Regulation, the Data Protection Act 2018, and other regulations (together referred to as Data Protection Legislation).
4.3. This policy does not form part of any employee's contract of employment and may be amended at any time.
4.4. This policy sets out rules on data protection and the legal conditions that must be satisfied when the Organisation processes personal data.
5.1. As an Organisation we are not required to appoint a DPO. However, a Director has been appointed as responsible for data protection issues.
6.1. Anyone processing personal data must comply with the data protection principles. The Organisation will comply and is committed to these principles in relation to any processing of personal data. The Data Protection principles provide that personal data must be:
● Processed lawfully, fairly and in a transparent manner in relation to the data subject and their rights;
● Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
● Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
● Accurate and, where necessary, kept up to date;
● Kept in a form which permits identification of data subjects for no longer than is necessary;
● Processed in a manner that ensures appropriate security of the personal data;
● Not transferred to people or Organisations situated in other countries without adequate protection.
7. DATA SUBJECT’S RIGHTS
7.1. The Organisation supports the rights of data subjects (or the parents/carers of data subjects where data subjects are not able to demonstrate the capacity to understand their rights) in relation to data that is processed or stored about them, as follows:
● Right to fair and transparent processing;
● Right of access;
● Right of rectification;
● Right to erasure (the "right to be forgotten");
● The right to restrict processing;
● Right to be notified of erasure, rectification or restriction;
● Right of data portability;
● Right to object to processing;
● Right to object to processing for the purposes of direct marketing;
● Right to object to processing for scientific, historical or statistical purposes;
● Right to not be evaluated on the basis of automated processing;
● Right to withdraw consent at any time;
● Right to be notified about a data breach;
● Right to an effective judicial remedy against a supervisory authority;
● Right to lodge a complaint with supervisory authority;
● Right to an effective judicial remedy against a controller or processor;
● Right to compensation.
7.2. The Organisation shall maintain procedures, policies and notices to ensure that data subjects are informed about their rights.
8. FAIR AND TRANSPARENT PROCESSING OF DATA
8.1. Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
8.2. For personal data to be processed fairly, data subjects must and will be made aware of the following in our privacy notices or requests to process data:
● That the personal data is being processed;
● Why the personal data is being processed;
● What the lawful basis is for that processing (see below);
● Whether the personal data will be shared, and if so with whom;
● The period for which the personal data will be held;
● The existence of the data subject’s rights in relation to the processing of that personal data; and
● The right of the data subject to raise a complaint with the Information Commissioner’s Office in relation to any processing.
8.3. The Organisation will only process data that is necessary and relevant to the purpose for which it was gathered, and will ensure that we have a lawful basis for any processing.
9. LAWFUL PROCESSING OF DATA
9.1. For personal data to be processed lawfully it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. The Organisation will only process personal data where a lawful basis for processing exists. Specifically, where:
● The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
● Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
● Processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. the Education Act 2011);
● Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
● Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
10. SPECIAL CATEGORY DATA
10.1. This is data relating to health; race; sexuality; religion; criminal offences; political opinions and union memberships.
10.2. These special categories of personal data will not be processed unless a specific lawful basis as listed in Article 9 of the GDPR applies. When this special category data is being processed we will normally only do so under the following legal grounds:
● Where the processing is necessary for employment law purposes, for example in relation to sickness absence;
● Where the processing is necessary for reasons of substantial public interest, for example for the purposes of equality of opportunity and treatment;
● Where the processing is necessary for health or social care purposes, for example in relation to pupils with medical conditions or disabilities; and
● Where none of the above apply then we will seek the consent of the data subject to the processing of their special category personal data.
11. DATA PROCESSING
11.1 Where the Organisation operates as a data processor (this is the usual relationship we have with schools) we will only process data as agreed with the Data Controller.
11.2 The data controller is responsible for ensuring that the terms of this policy are satisfactory for meeting the organisational and technical measures required of the data processor.
11.3 Data Subjects’ rights are the responsibility of the Data Controller. The Organisation is only the Data Controller in the circumstances where we have decided the data required and the purpose of processing. This includes the personal data of administrative contracts in schools. In relation to student, parent and teacher data on our platforms, the school acts as Data Controller.
12. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
12.1 We may share personal data that we hold about data subjects with other Organisations, without consent, where we have a lawful basis for doing so. Such Organisations include the Department for Education, the Education and Skills Funding Agency (ESFA), Ofsted, health authorities and professionals, the Local Authority, examination bodies, and other Organisations where we have a lawful basis for doing so.
12.2 The Organisation will inform data subjects of any sharing of their personal data unless we are not legally required to do so, for example where personal data is shared with the police in the investigation of a criminal offence.
12.3 In some circumstances we will not share safeguarding information. Please refer to our Child Protection Policy.
12.4 Further detail is provided in our Schedule of Processing Activities.
13. DATA SECURITY
13.1. The Organisation will implement appropriate data security measures, using policies, procedures and technologies, that ensure and maintain the security of all personal data from the point of collection to the point of destruction.
13.2. These security measures will be appropriate to the risks in processing personal data and will be consistent with the rights of the data subjects.
13.3. These measures shall include as appropriate:
● Measures and data access controls to ensure that the Personal Data can only be accessed by authorised personnel for the purposes agreed in the record of processing activity and outlined in the Organisation privacy notice;
● In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure of personal data;
● The anonymisation, pseudonymisation and encryption of personal data;
● The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
● The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
● A process for regular testing, assessing, and evaluating the effectiveness of technical and Organisational measures for ensuring the security of the processing of personal data;
● Measures to identify vulnerabilities with respect to the processing of personal data in systems used to provide services to The Organisation.
14. DATA PROTECTION IMPACT ASSESSMENTS
14.1 The Organisation takes data protection very seriously, and will consider and comply with the requirements of Data Protection Legislation in relation to all of its activities whenever these involve the use of personal data, in accordance with the principles of data protection by design and default.
14.2 In certain circumstances the law requires us to carry out detailed assessments of proposed processing. This includes where we intend to use new technologies which might pose a high risk to the rights of data subjects because of the types of data we will be processing or the way that we intend to do so.
14.3 The Organisation will complete an assessment of any such proposed processing and will use a template document which ensures that all relevant matters are considered.
14.4 The DPO should always be consulted as to whether a data protection impact assessment is required, and if so how to undertake that assessment.
15.1. In the case of a personal data breach, The Organisation shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner’s Office, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
15.2. Where the notification to the Information Commissioner’s Office is not made within 72 hours, it shall be accompanied by reasons for the delay.
15.3 In order to evaluate the personal data breach, The Organisation shall immediately inform and involve the Data Protection Officer in the assessment of the breach and in the execution of the data breach procedure to contain and manage the breach.
15.4. The notification to the Information Commissioner's Office shall at least:
● describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
● communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
● describe the likely consequences of the personal data breach;
● describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
● where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Organisation shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, in a data breach log. The log shall enable the Information Commissioner’s Office to verify compliance with the data breach rules and raise awareness of minor breaches that may assist in the identification of new data handling processes and training requirements.
16. SUBJECT ACCESS REQUESTS
16.1. The Organisation is committed to:
● Ensuring that individuals’ rights to their own personal information can be appropriately exercised;
● Providing adequate training for staff to recognise and handle subject access requests;
● Ensuring that everyone handling personal information knows where to find further guidance on individuals’ rights in relation to their own personal information;
● Ensuring that queries about individuals’ rights to their own personal information are dealt with effectively and promptly;
● Being fair and transparent in dealing with a subject access request;
● Logging all subject access requests to assist the Information Commissioner’s Office with any complaints related to subject access as well as identifying any issues that may assist in the identification of new data handling processes and training requirements.
16.2. All staff are responsible for ensuring that any request for information they receive is dealt with in line with the requirements of the GDPR and in compliance with this policy.
All staff have a responsibility to recognise a request for information and ensure it is passed to the responsible member of staff and/or the Data Protection Officer within two working days.
16.3. For information and guidance on how the Organisation will deal with a Subject Access Request, see the Subject Access Request Procedure.
17. PUBLICATION OF INFORMATION
17.1. The Organisation maintains and publishes a publication scheme on its website outlining classes of information that will be made routinely available, including policies and procedures.
17.2. Classes of information specified in the publication scheme will be made available quickly and easily on request.
17.3. The Organisation will not publish any personal information, including photos, on its website without the permission of the affected individual.
17.4. When uploading information to the Organisation website, staff will be considerate of any metadata or deletions which could be accessed in documents and images on the site.
18.1. All data provided by the Disclosure and Barring Service (DBS) will be handled in line with data protection legislation; this includes electronic communication.
18.2. Data provided by the DBS will never be duplicated.
18.3. Any third parties who access DBS information will be made aware of the data protection legislation, as well as their responsibilities as a data handler.
18.4 Data Subjects have the right to appeal against any automated decision making, such as a DBS check.
19. RETENTION POLICY.
19.1. The Organisation will not keep personal data longer than necessary and will maintain a retention schedule outlining the retention requirements of electronic and paper records. The Organisation will retain the minimum amount of information that it requires to carry out its statutory functions and the provision of services.
19.2. In circumstances where a retention period of a specific document has expired, checks will be made to confirm disposal and consideration given to the method of disposal to be used based on the data to be disposed of.
19.3. These checks will include the following questions being addressed:
● Have the documents been checked to ensure they are appropriate for destruction?
● Is retention required to fulfil statutory obligations or other regulatory obligations, including child protection?
● Is retention required for evidence?
● Is retention required to meet the operational needs of the service?
● Is retention required because the document or record is of historic interest, intrinsic value or required for Organisational memory?
20.1. The Organisation shall ensure that all members of staff receive data protection training, including training on information handling appropriate to ensure data protection competence in their role. This training shall be completed every two years as a minimum.
21. DATA PROCESSORS & SUB-PROCESSORS
21.1. The Organisation contracts with various Organisations who provide services to the Organisation, including:
● Technology support and hosting providers
● Payroll and accountancy practices
21.2 In order that these services can be provided effectively we are required to transfer personal data of data subjects to these data processors.
21.3 Personal data will only be transferred to a data processor if they agree to comply with our procedures and policies in relation to data security, or if they put in place adequate measures themselves to the satisfaction of the Organisation.
21.4. The Organisation will always undertake due diligence of any data processor before transferring the personal data of data subjects to them.
21.5. Contracts with data processors will comply with Data Protection Legislation and contain explicit obligations on the data processor to ensure compliance with the Data Protection Legislation, and compliance with the rights of Data Subjects.
21.6 Where The Organisation acts as a Data Processor, sub-processors will only be used with the agreement of the Data Controller.
22. CHANGES TO THIS POLICY
22.1 We may change this policy at any time. Where appropriate, we will notify data subjects of those changes.
This Policy was approved by the board of Directors on 1 February 2019.
It will be reviewed annually.