- Data Protection Act 1998 and any subsequent legislation See https://www.gov.uk/data-protection/the-data-protection-act
- General Data Protection Regulations See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
- Information Commissioner's Office
- Statutory policies for schools: Advice on the policies and documents that governing bodies and proprietors of schools are required to have by law – DfE September 2014.
- Subject Access Code of Practice
- See also the following LCC guidance:
- Pupil Records
- Disclosure of Information to Parents and Others
- The Use of Photographs and Electronic Images
- Use of Closed Circuit Television – CCTV
- Use of Biometric Data
Samantha Stocks - Lawyer (Information Governance)
Tel: 01522 552129
John Armstrong – Lawyer (Information Governance)
Tel: 01522 552553
The Data Protection Act (DPA) and the General Data Protection Regulations (GDPR) provide protection for individuals as to how their personal information is used by organisations, businesses or the government. Schools are designated 'Data Controllers' and are required to keep records of processing activities, which must be made available to the Information Commissioner's Office upon request. Please see the links above for further information as to schools' responsibilities in relation to data protection.
1 The Shepeau Stow Primary and Gedney Hill CofE Primary Schools Federation collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school. This information is processed in order to enable the School to provide education and other associated functions. In addition, there may be a legal requirement for the School to process personal information to ensure that it complies with statutory obligations.
2 Schools have a duty, as Data Controllers, to keep detailed records of data processing activities and the records shall contain:-
- Name and details of the organisation (and where applicable, of other controllers, any representative and data protection officer)
- Purposes of the processing
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
- Retention schedules
- Description of technical and organisational security measures
These records must be made available to the Information Commissioner's Office (ICO) upon request. The School will, on an annual basis, provide its registrable particulars and pay the data protection fee to the ICO.
1 This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with GDPR, DPA and other related legislation. It will apply to personal information regardless of the way it is collected, used, recorded, stored and destroyed and irrespective of whether it is held in paper files or electronically.
2 All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines and shall attend regular training to ensure compliance with their responsibilities.
1 Personal information or data is defined as any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier held by the Federation.
2 Data Protection Principles – there are six enforceable principles contained in Article 5 of the General Data Protection Regulations. They are key to compliance and the Federation must endeavour to ensure that they are adhered to at all times. Adherence to the principles is the responsibility of all Federation staff.
Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
Principle 2 – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 – Personal data shall be adequate, relevant and limited to what is necessary.
Principle 4 – Personal data shall be accurate and where necessary, kept up to date. Steps must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Principle 5 - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle 6 - Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3 To ensure compliance with the above principles the Federation will:
- Produce an information asset register that contains details of the records it holds.
- Inform individuals why the information is being collected at the point it is collected by way of privacy notices.
- Inform individuals when their information is shared, and why and with whom it will be shared.
- Check the quality and the accuracy of the information it holds.
- Ensure that information is not retained for longer than is necessary.
- Ensure that when obsolete information is destroyed, this is done appropriately and securely.
- Create, maintain and publish a Disposal and Retention Schedule setting out retention and disposal dates for common data sets and other information.
- Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.
- Share information with others only when it is fair and lawful to do so and satisfies the lawful basis for processing that information.
- Share personal data with other organisations for the purpose of crime prevention and/or detection, or for the purpose of legal proceedings, provided that the disclosure falls within an exemption to the non-disclosure provisions contained within the Data Protection Act 1998 or any subsequent legislation.
- Disclose personal data where required to do so by law for example, following receipt of a court order.
- Set out procedures to ensure compliance with the duty to respond to an individual's rights to:
- request access to personal information, known as Subject Access Req
- be informed about the way their data is used;
- have inaccurate personal data rectified;
- have their personal data erased;
- restrict the processing of their personal data; and
- object to the processing of their personal data.
- Ensure our staff are appropriately and regularly trained and aware of and understand our policies and procedures.
- Create and maintain a data breach notification spreadsheet to record data breaches and also circumstances where a breach was narrowly avoided.
Data Protection Officer (DPO)
The Data Protection Officer – our DPO is Joe Lee and can be contacted on DPO@ark.me.uk
The DPO cannot hold a position that requires them to determine the purpose and means of processing personal data, for example, the Head Teacher, head of human resources, or head of information technology.
Data Protection Impact Assessments (DPIA)
1 The Federation must carry out a DPIA when processing is likely to result in high risk to the rights and freedoms of individuals.
2 GDPR does not define high risk, but guidance highlights a number of factors that are likely to trigger the need for a DPIA, which include the use of new technologies, processing on a large scale, systematic monitoring, and processing of special categories of personal data.
1 The Federation publishes a privacy notice on its website which provides information about how and why the Federation gathers and uses images and shares personal data.
2 The privacy notice under GDPR should include:
- Who you are and how they can contact you;
- The personal data you are collecting & why you are collecting it;
- Where you get the personal data from & who you are sharing it with;
- How long the data will be held for;
- Transfers to third countries and safeguards;
- Description of the data subject's individual rights;
- The data subject's right to withdraw consent for the processing of their data;
- How individuals can complain.
3 The privacy notice will be reviewed at regular intervals to ensure it reflects current processing.
4 The privacy notice will be amended to reflect any changes to the way the Federation processes personal data.
5 Whilst the Federation will publish an overarching privacy notice, it will also issue a privacy notice to all parents and pupils, before, or as soon as possible after, any personal data relating to them is obtained. This may simply be an explanation of why the information is being requested and the purpose for which it will be used.
6 The privacy notice will include details of how the Federation uses CCTV, whether it intends to use biometric data and how consent will be requested to do this and include details of the Federation’s policy regarding photographs and electronic images of pupils.
Closed Circuit Television (CCTV)
1 Images and audio recordings of identifiable individuals captured by Closed Circuit Television amount to personal data relating to that individual and will be subject to the same provisions and safeguards afforded by the General Data Protection Regulations and the Data Protection Act as other types of recorded information.
2 The Federation will use CCTV for the following purposes:
- To protect the school buildings and assets;
- To increase personal safety of staff, pupils and visitors;
- To reduce the fear of crime;
- To support the Police in order to deter and detect and to apprehend and prosecute offenders;
- To help protect members of the public and private property;
- To investigate both pupil and staff behaviour where appropriate.
3 The Federation will ensure that any use of CCTV is necessary and proportionate to achieve the aims stated in 7.6 and will ensure that regular reviews of the use of CCTV within the Federation take place.
4 The Federation will ensure that any use of CCTV is included in its records of data processing activity.
5 The Federation’s use of CCTV will comply with the Information Commissioner's Office CCTV Code of Practice https://ico.org.uk/for-organisations/guide-to-data-protection/cctv/.
6 The Federation will ensure that clear notices are in place identifying when an individual is entering an area that is monitored by CCTV. The notice will identify the Federation as the responsible data controller and will state the purpose for which the recording is taking place.
7 The Federation will not operate audio recording as part of the CCTV without seeking additional advice.
8 The Federation will not operate CCTV in any areas of the premises where individuals would have a legitimate expectation of personal privacy, such as toilets or changing rooms.
9 The Federation will ensure that CCTV recordings are kept securely and that access to them is restricted to those staff that operate the system or make decisions relating to how the images should be used.
10 Retain in line with the retention schedule.
Photographs and Electronic Images
The Federation has developed a policy in relation to the use of photographs/videos that contain images of pupils. The policy provides the Federation’s position regarding parents photographing and filming pupils at school events and the use of images of pupils by the School in any Federation publicity material, its website, in newspapers and in outside agency publications.
1 If the Federation uses or intends to use biometric data (such as fingerprint technology) a separate, detailed notice will be sent to all pupils and parents explaining the intended reasons for and lawful basis for the use of the data, and provide parents with options for alternative systems if they do not wish their child to provide this information and want to opt out.
2 The Federation will obtain the written consent of at least one parent or carer with Parental Responsibility for the child before taking and using any biometric data from a pupil.
Requests for Access to Personal Data
This section sets out the process that will be followed by the school when responding to requests for access to personal data made by the pupil or their parent or carer with Parental Responsibility.
1 There are two distinct rights of access to information held by schools about pupils, parents/carers and staff:
- Pupils have a right to make a request under the GDPR to access the personal information held about them.
- Pupils and parents or those with Parental Responsibility have a right to access the educational records. This is the right of those entitled to have access to curricular and educational records as defined within the Education (Pupil Information) (England) Regulations 2005.
2 Handling a subject access request for access to personal data:
- Article 15 of GDPR gives individuals the right to access personal data relating to them, processed by a data controller. The right can be exercised by a person with Parental Responsibility on behalf of their child dependent on the age and the understanding of the child. For the purposes of a subject access request the school will apply the full legal definition of 'Parental Responsibility' when determining who can access a child's personal data.
- Requests for information must be made in writing, which can include e-mail, and be addressed to the Head Teacher or the Chair of Governors. If the original request does not clearly identify the information required, then the Federation will make further enquiries to clarify what information is being requested.
- The identity of the requestor must be established before the disclosure of any information is made. Proof of the relationship with the child (if not known) must also be established as this will verify whether the individual making the request can lawfully exercise that right on behalf of the child. Below are some examples of documents which can be used to establish identity:
- Driving licence
- Utility bill with current address
- Birth/marriage certificate
- Credit card or mortgage statement.
3 It is widely accepted that children of primary school age do not have the maturity to understand and exercise their own rights and as such it is acceptable for those with Parental Responsibility to exercise these rights on their child's behalf. However, each request will be considered on its own merits and the circumstances surrounding the request and the child. A child with competency to understand can refuse to consent to a request for their personal information made under the GDPR. This position differs when the request is for access to the Education Record of the child (see below for more detail).
4 No charge can be made for access to personal data that is not contained within an education record.
5 The response time for a subject access request is one month from the date of the request (irrespective of school holiday periods). The one month period will not commence until any necessary clarification of information is sought. The time to respond can be extended to two months where the request is complex or numerous.
6 There are some exemptions available under the Data Protection Act which will mean that occasionally personal data will need to be redacted (information blacked out/removed) or withheld from the disclosure. All information will be reviewed prior to disclosure to ensure that the intended disclosure complies with the School's legal obligations.
7 Where the personal data also relates to another individual who can be identified from the information, the information will be redacted to remove the information that identifies the third party. If it is not possible to separate the information relating to the third party from the information relating to the subject of the request, consideration will be given to withholding the information from disclosure. These considerations can be complex and additional advice will be sought when necessary.
8 Any information which may cause serious harm to the physical or mental health or emotional condition of the pupil or another person will be withheld along with any information that would reveal that the child is at risk of abuse, or information relating to Court Proceedings.
9 Where redaction has taken place then a full copy of the information provided will be retained in order to maintain a record of what was redacted and why and a clear explanation of any redactions will be provided in the School's response to the request.
10 If there are concerns about the disclosure of information additional advice will be sought.
11 Handling a request for access to a curricular and educational record as defined within the Education (Pupil Information) (England) Regulations 2005.
- A parent may make a request to access information contained within their child's education record, regardless of whether the child agrees to the disclosure of information to them. The right of access belongs to the parent in these cases. It is not a right being exercised by the parent on behalf of the child.
- For the purpose of responding to an Educational Records request, the School will apply the definition of 'parent' contained within the Education Act 1996.
- An "educational record" means any record of information which-
- Is processed by or on behalf of the governing body of, or a teacher at, any school maintained by a local education authority and any special school which is not so maintained.
- Relates to any person who is or has been a pupil at any such school; and
- Originated from or was supplied by or on behalf of the persons specified in paragraph (a), other than information which is processed by a teacher solely for the teacher's own use.
- The amount that can be charged for a copy of information contained in an education record will depend upon the number of pages provided. The charge made will be in accordance with the Education (Pupil Information) (England) Regulations 2005.
- No charge will be made to view the education record.
- The response time for requests made under the Education (Pupil Information) (England) Regulations 2005 is 15 school days (this does not include half terms or teacher training days).
- An exemption from the obligation to comply with the request will be claimed where the disclosure of the information to the parent may cause serious harm to the physical or mental or emotional condition of the pupil or another person or if the disclosure of the information would reveal that the child is at risk of abuse.
- If a subject access request is made for information containing in whole or in part a pupil's educational record, a response must be provided within 15 school days.
Retention and Disposal of personal data
The Governing Body of the Federation will ensure that the School has an up to date and accurate retention and disposal schedule that is compliant with GDPR. The Federation will ensure that personal data is stored, transferred and disposed of securely and in accordance with the retention and disposal schedule.
Security of personal data
- The Federation will ensure that appropriate security measures are in place and enforced to keep paper and electronic personal data secure.
- The Federation will regularly review the physical security of the School buildings and storage systems.
- The Federation will ensure that only authorised individuals have access to personal data.
- All portable electronic devices containing personal data will be encrypted.
- No personal data will be left unattended in any vehicles and staff will ensure that if it is necessary to take personal data from School premises, for example to complete work from home, the data is suitably secured.
- The Federation will refer to any relevant guidance and seek advice where necessary if processing personal data utilising a cloud based solution.
1 Complaints relating to the Federation’s compliance with GDPR will be dealt with in accordance with the school's complaint policy.
2 Complaints relating to access to personal information or access to education records should be made to Mrs Alison Buddle who will decide whether it is appropriate for the complaint to be dealt with through the Federation’s complaints procedure. Complaints which are not appropriate to be dealt with through the Federation’s complaints procedure can be referred to the Information Commissioner. Details of how to make a complaint to the ICO will be provided with the response letter. [Reference to the ICO should only usually be made where the Federation’s internal complaints process has been exhausted]
3 Complaints relating to information handling may be referred to the Information Commissioner's Office (the statutory regulator). Contact details can be found on their website at www.ico.org.uk or telephone 01625 5457453
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. The policy review will be undertaken by the Head teacher or nominated representative.
If you have any enquiries in relation to this policy, please contact [insert details of Head teacher or nominated representative].
Further advice and information is available from the Information Commissioner's Office at www.ico.org.uk or telephone 01625 5457453
Date of Last Review: 22nd May 2018
How we use your personal information at The Shepeau Stow Primary and Gedney Hill C of E Primary Schools Federation
The Shepeau Stow Primary and Gedney Hill C of E Primary Schools Federation is known as the "Controller" of the personal data that we collect about you and your children. We process and hold your information in order to provide the public service of education. This notice will explain how we use and share your information.
Why do we collect your personal information?
The Shepeau Stow Primary and Gedney Hill C of E Primary Schools Federation holds a wide variety of personal information which can be used in order to deliver education services.
In relation to the above services, we will process your information for the following purposes:-
- To monitor and improve the school’s performance and outcomes for learners.
- To allow us to be able to communicate and provide services and benefits appropriate to your needs.
- To ensure that we meet our legal obligations and in order to exercise our statutory powers in the public interest.
- Where necessary for the law enforcement functions.
- Where necessary to protect individuals from harm or injury/safeguarding.
- To allow the statistical analysis of data so we can plan the provision of education services.
- To provide financial services.
We will only collect personal data that we need in order to deliver services to you and as far as is reasonable and practicable we will ensure that the information recorded is accurate and kept up to date.
What personal data do we collect?
We will collect personal data about you in order to help us deliver the right service. The personal data we collect may include:
- Name, address and other contact details
- family details
- dates of birth
- lifestyle and social circumstances
- financial data
- employment and education details
- visual images, personal appearance and behaviour
- licences or permits held
- student and pupil records
We also process special categories of personal data that may include:
- physical or mental health needs
- racial or ethnic origin
- criminal convictions data;
- civil and criminal proceedings, outcomes and sentences.
- religious or other beliefs of a similar nature
How do we collect your personal data?
Information may be collected in many different ways but predominantly as set out below:
Face to Face
If you attend our school or we visit you we may collect your personal data.
We may collect your personal data and written transcripts of conversations.
If you email us we may keep a record of your email address and the email as evidence of the contact. We are unable to guarantee the security of any email initiated by you and we recommend that you keep the amount of confidential information you send to us via email to a minimum.
Using our website
If you have given consent we may use your or your child’s image or completed work on our school website, on our Twitter feed, PTA Facebook page and newsletters. You may withdraw consent at any time by informing the school and images will be removed.
Databases/Personal Files
Upon entry we maintain personal file records for pupils, families and staff. We ask you to complete a variety of consent forms regarding use of your or your child’s personal data, images and work etc. We transfer records from hard paper copies to our electronic database to keep up to date contact details, medical information etc. We keep the amount of confidential information about staff, pupils and families to a minimum. Our IT software is encrypted to ensure security of this data.
Who do we get your personal information from?
This information is collected in a number of ways:
- Provided to us directly by you when you sign up to the education service we are providing;
- Provided to us by members of the public, sometimes anonymously.
- Provided by another professional organisation involved in the provision of services;
- Provided by another professional organisation
Professional organisations may include other public sector bodies such as health, police services and other schools. We may also receive information from government bodies and regulators such as the Department of Education, Department of Work and Pensions and Her Majesty's Revenue and Customs.
Who do we share your information with?
The type of service you receive and your personal circumstances will dictate who we share your personal data with.
We will only share your information where it is necessary to do so. The school will not share your information without your consent unless the law requires or allows the school to do so.
Where necessary we may share your information with the following categories of recipients:
- Healthcare, social and welfare organisations and professionals
- Providers of goods and services
- Financial organisations
- Elected members
- Local and central government
- Ombudsman and regulatory authorities
- Professional advisors and consultants
- Police forces, other law enforcement and prosecuting authorities
- Voluntary and charitable organisations
- Disclosure and Barring Service
- Courts and Tribunals
How long do we keep your information for?
We are required to retain your personal data only for as long as is necessary, after which it will be securely destroyed in line with the school's retention policy or the specific requirements of the organisation who has shared data with us.
Retention periods can vary and will depend on various criteria including the purpose of processing, regulatory and legal requirements, and internal organisational need. Retention periods are defined within the school’s retention guidelines.
How do we keep your data safe?
We have an information assurance framework in place which ensures that appropriate technical and organisational measures are in place to help keep your information secure and to reduce the risk of loss and theft.
Access to information is strictly controlled, based on the role of the professional.
All staff are required to undertake regular data protection training and must comply with a variety of security policies designed to keep your information secure.
Your personal data is not processed outside of the UK.
You have a number of rights which relate to your personal data.
You are entitled to request access to any personal data we hold about you and you can also request a copy.
Where we are relying on your consent to process your personal data you are entitled to withdraw your consent at any time.
You can also request that we correct any personal data we hold about you that you believe is inaccurate; erase your personal data; stop processing all or some of it and that automated decisions are made by a person.
We are obliged to consider and respond to any such request within one calendar month.
If you wish to make a request or make a complaint about how we have handled your personal data please contact:
- The Data Protection Officer
Alternatively, you can contact the school by writing to:
Shepeau Stow Primary School, Dowsdale Bank, Shepeau Stow, Spalding, Lincolnshire PE12 0TX
Gedney Hill C of E Primary School, North Road, Gedney Hill, Spalding, Lincolnshire PE12 0NL
Telephone 01406 330395 (Shepeau Stow), 01406 330258 (Gedney Hill)
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office (ICO) www.ico.org.uk
Last updated May 2018