The Independent Grammar School: Durham
DATA PROTECTION POLICY
IGS: Durham is responsible for ensuring that all records are maintained in accordance with the law as it applies to education in general and to personal information specifically. The legislation covering this area is contained within the General Data Protection Regulations (GDPR) which came into effect on 25th May 2018. As the implications of the regulations become better appreciated across the education sector, we will respond accordingly and ensure that our policies and practices continue to be appropriate.
Data Controller
Although schools are not necessarily required to appoint a Data Controller, it appears to be seen as good practice and we can see the benefits of doing so. The Principal is therefore appointed as Data Controller with effect from the date upon which the school is approved to open by the Department for Education.
What the Policy Involves
The school will obtain and process personal data fairly and lawfully by making all data subjects (i.e. people about whom the school holds data) aware of why information about them is being held, how it will be used, who might access that information and the data subjects’ rights as set out in the GDPR. Where any form is used to gather information of any kind, this information will be printed there.
Definitions
Some useful definitions are:
· “Processing” means obtaining, recording or holding information or using the information for any reason
· “Data subject” is the person who is the subject of the information being obtained, recorded etc.
· “Personal data” means any information relating to a living person who can be identified. This includes names and addresses and may also include photographs (see Photography Policy)
· “Parent” is any person having parental responsibility for a child, as set out in the Education Act (1996).
Obtaining and Keeping Reliable Data
In general terms, we aim to do this by ensuring the following:
Data Accuracy
We will maintain data which is as up to date and as accurate as possible. If a data subject lets us know of any changes to his or her personal information, we will make the change immediately (or as soon as is reasonably practicable given the importance of doing so). Every data subject will receive a print of their personal data sheet every two years so it can be verified. Should a data subject for any reason challenge the accuracy of data shown, and we cannot amend it straightaway, it will be marked “challenged” until the matter is resolved. Ultimately the School Board might have to be called upon to resolve the issue.
Length of Time
Data should not be kept longer than is necessary. The school will make sensible judgments, based on the relevant published guidelines, as to how long data may be retained. The Data Controller will ensure that no data is retained for longer than necessary. In all cases, time-elapsed data must be securely shredded (i.e. shredded on site).
All data subjects may have access to data held about them. Given the sensitive nature of this area, a formal process for making requests for information is essential. The school policy is that requests from pupils will be received on the same basis as any other request but, apart from in the case of a pupil aged 16 and above, will be referred to parents. (Note: 16 is the age set out in the GDPR although it is believed that in the UK the age may be set at 13). No charge will be made for such requests.
Requests made by parents for information on their own child(ren) will be processed as if the parent were the data subject and a copy of the information will be sent in a sealed envelope to the parent(s).
Individuals’ Rights
Under the terms of the GDPR, people have the following rights:
· The right to be informed
· The right of access
· The right to rectification
· The right to erasure
· The right to restrict processing
· The right to data portability
· The right to object, and
· The right not to be subject to automated decision-making including profiling
IGS: Durham will ensure that those rights are respected. Most are contained within the terms of the existing DPA (Data Protection Act) but the emphasis has changed in some and the area of data portability is new. In this regard, organisations are required to provide others with data in common, machine-readable formats. Where necessary (e.g. when required by another school) we will convert the data we have into such a format before transmitting it.
Subject Access Requests
A request for Data Subject Access should be made to the Principal in writing. All such requests should be recorded in a log book and should record the date, name and address of person making the request, name of data subject, type of information required, and the planned date of supplying the information (normally within one month of the request but in the case of a parent requesting information about a pupil the period is 15 days).
Authorised Disclosures
The school will normally only give out information about a person having first obtained his or her consent. There are however certain circumstances in which information might be disclosed without such consent. These circumstances are strictly limited to the following, which will be communicated to all parents in writing.
· Pupil data which is necessary in allowing a school to perform its legal duties
· Pupil data disclosed to authorised recipients in relation to a child’s health and safety
· Pupil data disclosed to parents in respect of a child’s progress at school etc.
· Staff data released to relevant authorities e.g. in respect of payroll
· Unavoidable disclosures, e.g. external IT working on the school computer system. Such staff are required to sign a document promising not to disclose such data outside school.
Only authorised and trained staff may disclose personal data to external bodies. No data may be released by any other member of staff apart from when it is clear that the request is from someone legitimately working within the school who needs to know the information in order to fulfil their responsibilities.
No person other than a member of the School Board or teaching staff or an authorised member of the administration or support teams may use the staff room. All staff are responsible for keeping any information displayed on notice boards in staff rooms absolutely confidential. In particular, under no circumstances must anyone outside the above categories, e.g. a parent or other visitor, be allowed to enter the staff room.
The school will never disclose anything to anyone which might be reasonably thought to give rise to risk to a pupil’s health, welfare or safety. This includes anything which might suggest that he or she is, or has been, either the subject of, or at risk from, child abuse.
Data Security
As a small school, and to reduce the risks relating to Data Protection particularly in the context of the new GDPR requirements, we will where possible hold data in paper form, photocopied where necessary to provide back-up. Where electronic data is necessarily held, it will be held on a computer which is not networked and not therefore connected to the internet.
All sensible security measures will be implemented to protect data held in school. Filing cabinets and offices where data is held are locked at night. All visitors to school are required to sign in, wear a visitor badge and where appropriate be accompanied at all times. A password protocol is in place in respect of all electronic files and only the Principal and other designated staff have access to the codes (which will be recorded and held under lock and key in the unlikely event of all relevant staff being unavailable when information is urgently needed). The codes will be changed every half term and regular back-up will be implemented.
Training
All staff will receive regular training in Data Protection.
Responsibilities
Responsibility for legal compliance with Data Protection legislation lies with the Principal. All staff, however, have responsibility for ensuring that procedures are followed. Staff should not hesitate to refer any questions or uncertainties in this area to the Principal.
Training in the requirements of the GDPR will be included in all induction training.
Given the increasing importance and higher profile of data protection, and the sanctions which may result from poor practice, we must take this area very seriously indeed. It will therefore be a standing item on all School Board Meetings, at which the Data Controller will report on the effectiveness of policies, any risks which are emerging and any potential or actual breaches of the regulations.
This policy should be read in conjunction with the Child Protection (Safeguarding) Policy, the Photography Policy and other relevant Policies.
Please see our Data Retention Table, which shows the kind of data we will retain and how long we will keep it for.
The Independent Grammar School: Durham
February 2017
Reviewed: May 2020, March 2022, July 2024
Next Review due: May 2026