We believe this policy should be a working document that is fit for purpose, represents the school ethos, enables consistency and quality across the school and is related to the following legislation:
Equality Act 2010
General Data Protection Regulations 2018
The following documentation is also related to this policy:
Equality Act 2010: Advice for Schools (DfE)
Race Disparity Audit - Summary Findings from the Ethnicity Facts and Figures Website (Cabinet Office)
Preparing for the General Data Protection Regulation (GDPR) - Information Commissioner's Office
We are aware that the General Data Protection Regulation (GDPR) will entirely replace the current Data Protection Act (DPA) by making radical changes to many of the existing data protection rules and regulations that schools, academies and other educational establishments adhere to under the DPA. The principal aim of the GDPR is to strengthen and unify the safety and security of all data held within an organisation.
We have the duty to ensure that we comply with this new regulation by considering the impact that the GDPR will have on this school and to ensure new policies and procedures are in place before the GDPR comes into effect.
We believe that we comply with the current DPA, and we realise that many of the GDPR's main concepts and principles are much the same as those in the DPA, but we are aware that there are new elements, significant improvements and new accountability requirements that we need to address for the first time. We understand that under the GDPR:
data management is strengthened and unified;
it will become illegal not to have a formal contract or service level agreement with a chosen data processor;
the data processor must be GDPR compliant;
there will be higher penalties for non-compliance with the GDPR;
data breaches must be reported within 72 hours;
individuals have greater control over their personal data.
We are committed to the protection of all personal and sensitive data for which we hold responsibility as the Data Controller. We believe the handling of such data is in line with the data protection principles and that access to such data does not breach the rights of the individuals to whom it relates.
We acknowledge the GDPR's definition of personal data as 'meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier' such as a name, identification number, location data or online identifier. It applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
The GDPR refers to sensitive personal data as “special categories of personal data”, which includes genetic data and biometric data where such data is processed to uniquely identify an individual, for example by using fingerprints, face recognition or eye screening.
At all times we ensure the principles of the DPA are applied and that all data is:
obtained and processed for specific and lawful purposes;
sufficient, appropriate and not excessive in relation to the precise purpose;
accurate and up to date;
not kept for a great length of time;
processed in agreement with the individual’s legal rights;
protected against unlawful processing, accidental loss, destruction or damage;
not transferred outside the EU unless the rights and freedoms of the individual are protected.
We have the responsibility to ensure that all changes to data protection legislation will be monitored and implemented in order to remain compliant with all requirements. All school personnel will attend training in order to be made aware of data protection policies and legal requirements. All contracted service providers will also be notified of our data protection policies and legal requirements.
In preparation for full compliance with the General Data Protection Regulation we have used the 12 step guidance from the Information Commissioner's Office in order to identify what changes we need to make.
On completion of the ICO guidance an updated data protection system that fits the needs of the school and complies with the new General Data Protection Regulations will be implemented.
All our data processing activities will be registered with the Information Commissioner's Office (ICO). The ICO will be notified of any changes to the type of data processing activities being undertaken and the register will be amended accordingly.
We are aware that the GDPR places greater emphasis on accountability and therefore the Data Protection Officer will keep up to date documentation of all data protection activities.
We all have a responsibility to ensure equality permeates all aspects of school life and that everyone is treated equally irrespective of age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. We want everyone connected with this school to feel safe, secure, valued and of equal worth.
We acknowledge the findings of the Race Disparity Audit, which clearly show how people of different ethnicities are treated across the public services of health, education, employment and the criminal justice system.
The educational section of the audit, which covers differences by region, attainment and economic disadvantage, exclusions and abuse, and destinations, is of significant importance for the strategic planning of this school.
We believe it is essential that this policy clearly identifies and outlines the roles and responsibilities of all those involved in the procedures and arrangements connected with this policy.
To ensure compliance with the General Data Protection Regulations.
To strengthen and unify the safety and security of all data held within the school.
To ensure the protection of all personal and sensitive data for which we hold responsibility as the Data Controller.
To ensure the handling of all personal and sensitive data is in line with the data protection principles.
To undertake an audit of the school's current position in preparation for the full implementation of and compliance with the GDPR.
To work with other schools and the local authority to share good practice in order to improve this policy.
Role of the Governing Body
The responsibility to comply with the legal requirements of the new General Data Protection Regulation 2018;
Appointed, in accordance with the GDPR, a Data Protection Officer who has expert knowledge of data protection law and practices;
The responsibility to ensure the DPO:
operates independently and is not dismissed or penalised for undertaking their role;
keeps the Governing Body up to date with all data protection activities;
has adequate resources to meet their GDPR obligations;
keeps up to date documentation of all data protection activities.
The responsibility to ensure data is processed in accordance with the eight principles of the Data Protection Act 1998;
Delegated powers and responsibilities to the Headteacher as ‘Data Controller’ for the school;
Delegated powers and responsibilities to the Headteacher to prepare for compliance with the GDPR by following the 12 step guidance from the Information Commissioner's Office in order to identify what changes we need to make to the current data protection system;
Delegated powers and responsibilities to the Headteacher, on completion of the guidance, to devise and implement an updated data protection system that fits the needs of the school and complies with the new GDPR;
Delegated powers and responsibilities to the Headteacher to ensure all school personnel and stakeholders are aware of and comply with this policy;
Responsibility for ensuring that the school complies with all equalities legislation;
Responsibility for ensuring funding is in place to support this policy;
Responsibility for ensuring this policy and all policies are maintained and updated regularly;
Responsibility for ensuring all policies are made available to parents;
Nominated a link governor (Chair) to:
visit the school regularly;
work closely with the Headteacher;
ensure this policy and other linked policies are up to date;
ensure that everyone connected with the school is aware of this policy;
attend training related to this policy;
report to the Governing Body every term;
annually report to the Governing Body on the success and development of this policy.
Responsibility for the effective implementation, monitoring and evaluation of this policy.
Role of the Headteacher
Act as ‘Data Controller’ for the school;
Prepare for the General Data Protection Regulation by following the 12 step plan in accordance with the advice from the Information Commissioner's Office;
To organise awareness training in order to inform all school personnel and governors:
that data protection law is changing to the GDPR;
of the impact it will have on the school;
of how that impact will affect the school's work;
by identifying areas that could cause compliance problems under the GDPR.
To hold refresher training for all school personnel and governors when necessary;
To organise an information audit of data held on pupils, school personnel, parents, governors/trustees and suppliers.
The audit will be undertaken under the following headings:
The type of data.
How is the data collected?
How is it processed?
Where did it come from?
Where is it located?
How is it secured?
Who is it shared with?
To review current privacy notices and to undertake any necessary changes before the implementation of the GDPR.
To check current procedures to ensure they cover all the rights that individuals have, including:
how to delete personal data; and
how to provide data electronically in a commonly used format.
To update present procedures and to plan how to handle requests within the new one-month timescale and to provide any additional information.
To review the various types of data processing that the school carries out and then identify and document the legal basis for carrying it out.
To review how the school seeks, obtains and records consent and consider any changes that are required.
To think now about whether we need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
To ensure the right procedures are in place to detect, report and investigate a personal data breach.
To consider when to begin implementation of Privacy Impact Assessments.
To have in place a designated Data Protection Officer to take responsibility for data protection compliance.
To assess where this role sits within the school's structure and governance arrangements.
To determine (if the school operates internationally) which data protection supervisory authority applies to the school.
Keep a detailed record of all activities while undertaking the 12 step plan;
Ensure the school complies with the GDPR;
Work closely with the Data Protection Officer and the nominated governor;
Ensure the school complies with the eight data protection principles;
Ensure all data is processed fairly and lawfully;
Ensure security measures and confidential systems are in place to protect personal data and pupil records;
Ensure data is obtained for specific and lawful purposes;
Ensure data is adequate, relevant and not excessive;
Ensure all personal data is accurate and that inaccurate data is corrected or erased;
Ensure that at the beginning of every academic year all school personnel will receive a copy of their personal data;
Ensure procedures are in place to deal with requests for access to personal data;
Ensure data is not kept longer than is necessary;
Ensure school personnel are aware of their rights;
Ensure school personnel are aware of their responsibilities;
Ensure a pupil's educational records will be made available to their parents or carers on receipt of a written request;
Ensure a Common Transfer File is sent when a pupil joins another school;
Make effective use of relevant research and information to improve this policy;
Provide leadership and vision in respect of equality;
Provide guidance, support and training to all staff.
Role of the Data Protection Officer
Have expert knowledge of data protection law and practices;
Inform the school and school personnel about their obligations to comply with the GDPR and other data protection laws;
Ensure data management is strengthened and unified;
Monitor compliance with the GDPR and other data protection laws;
Manage internal data protection activities;
Ensure risk and impact assessments are conducted in accordance with ICO guidance;
Report data breaches within 72 hours;
Ensure individuals have greater control over their personal data;
Ensure that, prior to the processing of an individual's data:
the process is in line with ICO guidance;
the process is transparent;
the individual will be notified;
the notification is written in a form that is understandable to children;
when sharing an individual's data with a third party outside the school, the details of the sharing are clearly defined within the notification.
Share an individual's data where it is a legal requirement to provide such information;
Process all written subject access requests from individuals within 40 days of receiving them;
Have in place a formal contract or service level agreement with a chosen data processor who is GDPR compliant;
Ensure the secure disposal of redundant data and IT hardware holding data in compliance with ICO guidance;
Train school personnel;
Be the first point of contact for supervisory authorities and for individuals whose data is processed;
Keep up to date documentation of all data protection activities;
Work closely with the Headteacher and nominated governor;
Periodically report to the Headteacher and to the Governing Body.
Role of School Personnel
Attend GDPR awareness training;
Comply with all aspects of this policy;
Be aware of all other linked policies.
Role of Parents/Carers
Be informed of GDPR procedures;
Comply with all aspects of this policy;
Be aware of all other linked policies.
Have equal chances of training, career development and promotion
Receive training on this policy on induction which specifically covers:
General Data Protection Regulation
Data Protection Act 1998
Freedom of Information Act 2000
Access to Personal Records
This policy will be reviewed when required.