Data Protection Policy
General Introduction:
This policy supports the work of the school in promoting its mission statement, aims and values.
Mission statement:
Like a lighthouse, St Michael’s is a beacon of safety and stability. It takes courage to learn and remember knowledge, develop new skills and allow your own light to shine in the world. We respect our differences and know that working peacefully together allows our lights to shine more brightly.
‘Let your light shine’ Matthew 5:16
School aims:
At St Michael’s we value every member of our school community and our aims are for every child, whatever their background or circumstances, to have the support they need to:
- Develop their understanding of the value of leading a healthy lifestyle
- Work and play in a secure and safe environment in which they are encouraged to develop moral values and mutual respect
- Experience an exciting curriculum which fosters their enthusiasm, develops an enquiring mind and enables every child to achieve his/her full potential
- Access an education for life which promotes British Values that enable all learners to become effective and reliable members of the wider community
- Foster ambition and expectation to carry through to adult life
To achieve these aims all learners, staff, parents and governors will work together to promote our core values of peace, courage and respect.
Aims
Our school aims to ensure that all data collected about staff, pupils, parents and visitors is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR).
This policy applies to all data, regardless of whether it is in paper or electronic format.
Definitions
Term | Definition |
Personal data | Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified |
Sensitive personal data | Data such as: |
Processing | Obtaining, recording or holding data |
Data subject | The person whose personal data is held or processed |
Data controller | A person or organisation that determines the purposes for which, and the manner in which, personal data is processed |
Data processor | A person, other than an employee of the data controller, who processes the data on behalf of the data controller |
Introduction
This policy meets the requirements of the General Data Protection Regulation (GDPR), May 2018 and is based on guidance published by the Information Commissioner’s Office and model privacy notices published by the Department for Education.
The General Data Protection Regulation (GDPR) is based on the following data protection principles, or rules for good data handling:
- Data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes
- Personal data shall be relevant and not excessive in relation to the purpose(s) for which it is processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data shall not be kept for longer than is necessary for the purpose(s) for which it is processed
- Personal data shall be processed in accordance with the rights of data subjects under the General Data Protection Regulation (GDPR)
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
St Michael’s Primary School and all staff or others who process or use personal information must ensure that they follow the Regulations at all times. In order to ensure that this happens, the School has developed this Data Protection Policy.
Status of this Policy
This policy does not form part of the contract of employment for staff, but it is a condition of employment that employees will abide by the rules and policies made by the School from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings.
The Data Controller and the Data Protection Officer (DPO)
The School as a body corporate is the Data Controller under GDPR, and the Governors are therefore ultimately responsible for implementation. However, the DPO will deal with day-to-day matters.
The School has appointed a DPO.
Staff, parents or other individuals who consider that the Policy has not been followed in respect of personal data about themselves or their child should raise the matter with the DPO.
Privacy/fair processing notice
Pupils and parents
We hold personal data about pupils to support teaching and learning, to provide pastoral care and to assess how the school is performing. We may also receive data about pupils from other organisations including, but not limited to, other schools, local authorities and the Department for Education.
This data includes, but is not restricted to:
- Contact details
- Results of internal assessment and externally set tests
- Data on pupil characteristics, such as ethnic group or special educational needs
- Exclusion information
- Details of any medical conditions
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about pupils with anyone without consent unless the law and our policies allow us to do so.
We are required, by law, to pass certain information about pupils to specified external bodies, such as our local authority and the Department for Education, so that they are able to meet their statutory obligations.
The school does not process any biometric data and has no future plans to do so.
Staff
We process data relating to those we employ to work at, or otherwise engage to work at, our school. The purpose of processing this data is to assist in the running of the school, including to:
- Enable individuals to be paid
- Facilitate safe recruitment
- Support the effective performance management of staff
- Improve the management of workforce data across the sector
- Inform our recruitment and retention policies
- Allow better financial modelling and planning
- Enable ethnicity and disability monitoring
- Support the work of the School Teachers’ Review Body
Staff personal data includes, but is not limited to, information such as:
- Contact details
- National Insurance numbers
- Salary information
- Qualifications
- Absence data
- Personal characteristics, including ethnic groups
- Medical information
- Outcomes of any disciplinary procedures
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about staff with third parties without consent unless the law allows us to.
We are required, by law, to pass certain information about staff to specified external bodies, such as our local authority and the Department for Education, so that they are able to meet their statutory obligations.
Publication of School Information
Certain items of information relating to School staff will be made available via searchable directories on the public Website, in order to meet the legitimate needs of researchers, visitors and enquirers seeking to make contact with the School.
Responsibilities of Staff
All staff are responsible for:
• Checking that any information that they provide to the School in connection with their employment is accurate and up to date.
• Informing the School of any changes to information that they have provided, e.g. change of address, either at the time of appointment or subsequently. The School cannot be held responsible for any errors unless the staff member has informed the School of such changes.
Storage of records
- Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal information are kept under lock and key when not in use
- Papers containing confidential personal information should not be left on office and classroom desks, on staffroom tables or pinned to noticeboards where there is general access
- Where personal information needs to be taken off site (in paper or electronic form), staff must sign it in and out from the school office
- Passwords that are at least 8 characters long containing letters and numbers are used to access school computers, laptops and other electronic devices. Staff and pupils are reminded to change their passwords at regular intervals
- Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices
- Staff, pupils or governors who store personal information on their personal devices are expected to follow the same security procedures as for school-owned equipment
Rights to Access Information
All staff, parents and other users are entitled to:
• Know what information the School holds and processes about them or their child and why and be informed about this in the School’s Privacy Notice.
• Know how to gain access to it.
• Know how to keep it up to date.
• Know what the School is doing to comply with its obligations under GDPR.
This Policy document addresses in particular the last three points above. To address the first point, the School will, upon request, provide all staff and parents and other relevant users with a statement regarding the personal data held about them. This will state all the types of data the School holds and processes about them, and the reasons for which they are processed.
All staff, parents and other users have a right under GDPR to access certain personal data being kept about them or their child either on computer or in files. Any person who wishes to exercise this right should notify the DPO.
The School aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 1 month, as required by GDPR.
Right to be forgotten (Data erasure)
All staff, parents and other users have a right under GDPR to have personal data erased and prevent processing:
- where it is no longer necessary for the original purpose,
- if they withdraw consent,
- if they object to processing and there is no overriding legitimate interest to continue,
- if the personal data was unlawfully processed,
- if the personal data has to be erased to comply with a legal obligation,
- if it relates to the offer of information society services to a child (under 16 years old).
Disposal of records
Personal information that is no longer needed, or has become inaccurate or out of date, is disposed of securely.
For example, we will shred or incinerate paper-based records, and overwrite electronic files. We may also use an outside company to safely dispose of electronic records.
Training
Our staff and governors are provided with data protection training as part of their induction process.
Data protection will also form part of continuing professional development, where changes to legislation or the school’s processes make it necessary.
Conclusion
The above guidelines are intended to protect the welfare of all pupils equally and the professional and personal well-being of staff and governors at St Michael’s School. They may not cover all eventualities and if it becomes apparent that a situation arises which is not included in these guidelines, then the attention and advice of the headteacher/DPO should be sought.
Compliance with Data Protection Regulation is the responsibility of all members of the School. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or even to a criminal prosecution.