Data and its use in schools
The General Data Protection Regulation (GDPR) is a new EU law that will come into effect on the 25th May 2018 to replace the current Data Protection Act (1998). It is the biggest change of data protection legislation for over 25 years, and will introduce new requirements for how organisations process personal data.
It is focused on looking after the privacy and rights of the individual and based on the premise that consumers and data subjects should have knowledge of the lawful basis for processing their data, what data is being held about them, how it is held, how it will be used, why it will be used, how long it will be held for and whether or not this information will be exported elsewhere for use by another organisation.
What information does this relate to?
The data relates to any personal information that could be used to identify an individual directly or indirectly. This includes any living person including pupils, parents, staff, governors, contractors, university students etc.
What action is the school taking?
As a school we will ensure the following:
- that the data we hold is accurate and kept up to date
- that we only keep data for as long as is required
- that we inform the data subject of the length of time the information will be kept
- We will inform data subjects why we will use the data
- We will inform data subjects how we will use the data
- We will inform data subjects if their data will be used by a third party
- We will inform data subjects what we will do with their data once we no longer require it
- We will identify the lawful basis for processing data (unless an exemption applies).
The lawful basis for processing data could fall into one of the following categories:
The lawful basis for processing is set out in Article 6 of the GDPR. At least one of these must apply whenever processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
What could go wrong?
As an organisation we are responsible for the data we hold. Much of this data is sensitive so we need to ensure that we take care of this data.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
What is the school doing to reduce the risk of anything going wrong?
In order to mitigate the risks associated with data the school will ensure the following:
- that we keep data safe on school premises. This includes locking data away, locking computers, using encryption and passwords to protect documents
- that data is transported in a secure way when it is removed off site
- that the intent with which any data is accessed and used is lawful, fair and transparent, and that it is for specified, explicit and legitimate purposes.
What rights do you have as an individual?
- The right to be informed
- The right of access to the information held about you in the school
- The right to rectification of any errors
- The right to request removal of data
- The right to restrict processing
- The right to secure data portability
- The right to object to the information held
- The right to automated decision making and profiling.
The school will protect data to ensure it is only seen by people with the correct permissions, and will only store/retain data as per the school's Retention Policy, which can be found in the link below.
What to do if you think there may have been a personal data breach?
As a school we have a Data Protection Breach Notification Form (DPNF), a copy of which can be found below.
You should complete the DPNF with the school's Data Controllers.
Dobcroft Infant School Joint Data Controllers are Cathy Rowland (Head teacher) and Vicky Abdy (Business Manager).
They will then inform the Data Protection Officer (DPO). The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The DPO will inform the Information Commissioner’s Office (ICO).
Privacy Notice May 2018 – GDPR
Data Retention Policy May 2018
Data Breach 2018
Dobcroft Infant School
Tel: 0114 2368099
ICO Telephone Number: 0303 123 1113