The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018, covers all the countries in the EU and has been adopted by the UK. It works in conjunction with the Data Protection Act 2018, and as a school we have refined our approach to Data Protection, as it brings many enhancements to the rights of individuals with regard to their personal data. At its heart the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we will employ ‘Privacy by Design’ – thinking about how we use data in everything we do. There is also an emphasis on accountability, which means that as a school we have had to increase the amount of documentation we use to record procedures and issues. As a school we have been developing our approach to ensure that we are compliant with GDPR, and the aim of this page is to outline our GDPR compliance and share resources to explain the implications of GDPR and what it means for schools.
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. If you click here you can visit the ICO’s GDPR website to read in-depth information about all aspects of GDPR, or click here to download and read the school’s Data Protection Policy. Click the links to view our privacy notices on the use of pupil and staff data. In simple terms, we have a duty as a school to:
- Discover what data we are holding, where it is stored, why we hold it, who it is shared with and who in the school organisation has access to it.
- Manage the data held and processed in school by robust policies and procedures that are clear and transparent.
- Protect all data held through appropriate systems.
- Report what is done with data and record how data is discovered, managed and protected.
There are 6 key principles to the GDPR that the school is accountable for:
- There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
- Data must only be used for the reason it is initially obtained.
- No more data than is necessary should be collected.
- Data has to be accurate and there must be mechanisms in place to keep it up to date.
- Data should not be retained for longer than is necessary.
- The protection of personal data must be upheld.
Key Protection Measures
The school has put a variety of measures in place to ensure that all personal data is protected. These include:
- Storing all pupil and staff personal data in the school Management Information System, which is password protected, with access to data strictly limited to a need-to-know basis.
- Data stored on the school Server is password protected and access rights for individual staff members are linked to their role within school. The retention of data on the server is governed by the Data Protection Policy and the retention schedule, which is enforced by the School Data Protection Officer.
- All passwords are changed every 42 days across the school server, MIS and email system, and must meet a set of criteria that make passwords robust.
- No passwords are stored by automated means on any school equipment on or off site.
- No portable USB sticks or hard drives are permitted within school and no personal data is removed from the school site.
- A Virtual Private Network (VPN) is currently being established and will be made available to staff in March 2018 to ensure that school data remains stored within the school server.
- All visitors and staff use a digital sign in system, which ensures that no personal information is visible to other visitors. Pupils are signed in by the admin staff.
There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
- Data Controller - the holder and gatherer of data who decides what to do with it (the school).
- Data Processor - the person/organisation who carries out activities with data that the controller tells them to do and who is not a direct employee. An example would be RM Education, who host the School Management Information System known as Integris, which digitally stores all of the personal data about pupils, staff and parents, or Parent Hub, which hosts the school communication system.
- Data Subject - the person to whom the data belongs. It is important to note that under the new GDPR regulations children have more rights, even though it is parents who give consent for the collection of certain types of data.
- Subject Access Request - the request by a data subject for information about the personal data that a data controller holds. This must be made available in an accessible format within 40 days, or 15 days if it is a request for a child’s education record.
- Data - all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings), which includes statements and opinions.
- Personal Data - any data that relates to an individual which can identify them or link to other information which would lead to identification.
- Sensitive Personal Data - data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability, sexuality, criminal offences etc.
- Processing Data - obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.
As a school we have reviewed all of the data that we currently hold and produced a “Data Asset Register” which documents the type of data, the data processor, where the data is stored, the reason that the data is stored and any potential risks that must be considered when developing policies/procedures around data protection. Included in this process has been making contact with any data processors to ensure that they are all GDPR compliant. Below is a list of the data processors used by the school (individual links to each provider will be added once their GDPR compliance policies/statements are finalised, which will highlight them below as blue):
- RM Integris (School Management Information System)
- Tapestry (Online Learning Journals)
- Swiped on (Digital Sign in system)
- Trello (Secure Cloud based communication, collaboration and digital portfolio platform used internally within school by staff with individual logons and under supervision by children to store examples of computing into a class portfolio. Children do not have individual accounts in Trello)
- Office Education 365 (Staff email system)
- Purple Mash (Digital learning tool that can be accessed within school and at home with individual logons from Y3-Y6 and class logons from YR-Y2)
- Junior Librarian (Online library catalogue of the school library with individual user barcodes to scan books in and out of the library)
- RM Maths (Digital maths activities that children access weekly with an individual logon)
- Active Learn (Digital reading books with accompanying comprehensions and digital maths activities for children with individual logons)
- CPOMS (Child Protection Online Monitoring System that incidents are stored on)
As a school we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DFE) and Census obligations, we request on admission a range of personal information that complies with our statutory duties on the emergency contact form. When changes to any of this data occur and we are informed, this is updated as soon as possible within our Management Information System (MIS) RM Integris. For other types of data that we collect, we seek consent through consent forms that provide parents with the opportunity to give or decline consent. Consent is only accepted if it is freely given, and parents/carers are entitled to withdraw consent at any time by contacting the School office, where the request will be put in place with immediate effect. Consent is requested for the types of data outlined below:
- The use of photographs/videos for different purposes - click here to download the consent form.
- The use of Tapestry - click here to download the consent/agreement form.
- The School Acceptable Use Agreement for use of Internet related services - click here to visit our safety page to view and download the agreement.
Subject Access Requests
What are subject access requests?
Individuals have the right to access the personal data and supplementary information we hold about them. This allows them to be aware of, and verify the lawfulness of, our processing of this data. This right applies to everyone whose personal data our school holds, including staff, governors, volunteers, parents, carers and pupils.
Who deals with subject access requests?
The school’s Data Protection Officer, Mrs Ahmed, will deal with all subject access requests received. This is based on guidance from the Information Commissioner’s Office.
How we will respond to subject access requests
On receiving a request in writing, our Data Protection Officer will contact the individual via phone to confirm the request was made. We will then verify the identity of the person making a request using ‘reasonable means’. Generally, this means we will ask for two forms of identification.
In most cases, we will provide the information within 15 days, and free of charge. If the request is complex or numerous, we will provide the information within 40 days.
We recognise that school holidays are counted in the response time and if we receive a request in the school holidays, we will still respond within the same time frame.
‘Unfounded or excessive’ requests
If the request is unfounded or excessive, we will charge a reasonable fee, based on the administrative cost of providing the information.
Usually, ‘unfounded or excessive’ means that the request is repetitive, or asks for further copies of the same information.
How the information is provided
We will provide the information in paper or electronic format.
Information that is exempt from SARs
Certain types of personal data are exempt from SARs because of their nature or the effect their disclosure may have (e.g. safeguarding or legal issues) or where disclosure would involve information about another individual. In these cases, we will explain to the requester the reasons why the information requested cannot be disclosed.
Monitoring our compliance with responding to SARs
We retain a log of SARs received automatically on our School Management Information System (RM Integris). The log contains copies of the information supplied in response to the SAR together with copies of any material withheld and an explanation why.
Compliance with dealing and responding to SARs is monitored and discussed at senior leadership level and with our Board of Governors.
Complaints about our Subject Access Request procedure
If the requester believes that a request for information has not been dealt with properly, the requester should make a complaint to the school through our normal complaints procedure. If, following the conclusion of the complaints procedure within the school, the requester is still dissatisfied or the original decision is not reviewed, the requester can complain directly to the Information Commissioner’s Office.