Governing bodies are required to hold each of the policies and other documents as outlined below.
Regulations state that:
- The drafting of school policies can be delegated to any member of school staff;
- There is no requirement for all policies to be reviewed annually; and
- Not all policies need to be signed off by the full governing body.
Please use the links on this page to access each policy.
Academies are required to hold each of the policies and other documents as outlined below. The links below show the name of the policy.
Regulations state that:
- the drafting of school policies can be delegated to any member of school staff;
- there is no requirement for all policies to be reviewed annually; and
- not all policies need to be signed off by the full local governing body.
Data Protection Policies and Information (GDPR)
We reviewed our whole school approach to data protection inline with the new General Data Protection Regulation (GDPR) which came into effect from 25th May 2018. As a school we are continuing to review the school’s polices/procedures (Data Protection Policy, Subject Access Request Policy, Privacy Notices and all permissions for use of data), increasing staff awareness of changes, developing a school information audit and have appointed a Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018, covers all the countries in the EU and has been adopted by the UK. It works in conjunction with the Data Protection Act 2018 and as a school we have refined our approach to Data Protection, as it brings many enhancements to the rights of individuals in regards to their personal data. At its heart the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we will employ ‘Privacy by Design’ – thinking about how we use data in everything we do. There is also an emphasis on accountability which means that as a school we have had to increase the amount of documentation we use to record procedures and issues. As a school we have been developing our approach to ensure that we are compliant with GDPR and the aim of this page is to outline our GDPR compliance and share resources to explain the implications of GDPR and what it means for schools.
The Information Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The link to the ICO’s GDPR website is below where you can read in depth information
about all aspects of GDPR. Click the links in this section to view our privacy notices on the use of pupil and staff data or read the schools Data Protection Policy.
In simple terms, we have a duty as a school to:
• Discover what data we are holding, where it is stored, why we hold it, who it is shared with and what access is available to this data by who in the school organisation.
• Manage the data held and processed in school by robust policies and procedures that are clear and transparent.
• Protect all data held through appropriate systems.
• Report what is done with data and record how data is discovered, managed and protected.
There are 6 key principles to the GDPR that the school is accountable for:
• There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
• Data must only be used for the reason it is initially obtained.
• No more data than is necessary should be collected.
• Data has to be accurate and there must be mechanisms in place to keep it up to date.
• Data should not be retained for longer than is necessary.
• The protection of personal data must be upheld.
Key Protection Measures
The school has put a variety of measures in place to ensure that all personal data is protected. These include;
• Storing all pupil and staff personal data with the school Management Information System that is password protected and access to data is strictly limited to a needs to know basis.
• Data stored on the school Server is password protected and access rights for individual staff members is linked to their role within school. The retention of data on the server is governed by the Data Protection Policy and the retention schedule, which is enforced by the School Data Protection Officer.
• All passwords are changed every 42 days across the school server, MIS and email system, whilst also having a criteria of things that must be included to make passwords robust.
• No passwords are stored by automated means on any school equipment on or off site.
• No portable USB sticks or hard drives are permitted within school and no personal data is removed off the school site.
• A Virtual Private Network (VPN) is currently being established and will be made available to staff in March 2018 to ensure that school data remains stored within the school server.
• All visitors and staff use a digital sign in system, which ensures that no personal information is visible to other visitors. Pupils are signed in by the admin staff.
There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
• Data Controller-the holder and gatherer of data who decides what to do with it (the school).
• Data processor-the person/organisation who does activities that the controller tells them to do with data and who is not a direct
employee. An example would be RM Education who host the School Management Information System known as Integris which
digitally stores all of the personal data about pupils, staff and parents or Parent Hub, which hosts the school communication system.
• Data Subject-the person who data belongs to. It is important to note that under the new GDPR regulations children have more rights
even though it is parents who give consent for the collection of certain types of data.
• Subject Access Request-the request by a data subject for information about the personal data that a data controller holds. This must
be made available in an accessible format within 40 days and 15 days if it is a request for a child’s education record.
• Data-all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings) which includes
statements and opinions.
• Personal Data-any data that relates to an individual which can identify them or link to other information which would lead to
• Sensitive Personal Data-data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability,
sexuality, criminal offences etc.
• Processing Data-obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.
As a school we have reviewed all of the data that we currently hold and produced a “Data Asset Register” which documents the type of data, the data processor, where the data is stored, the reason that the data is stored and any potential risks that must be considered when developing policies/procedures around data protection. Included in this process has been making contact with any data processors to ensure that they are all GDPR compliant. Below is a list of the data processors used by the school (individual links to each provider will be added once their GDPR compliance policies/statements are finalised):
• RM Integris (School Management Information System)
• Tapestry (Online Learning Journals)
• Swiped on (Digital Sign in system)
• Trello (Secure Cloud based communication, collaboration and digital portfolio platform used internally within school by staff with individual logons and under supervision by children to store examples of computing into a class portfolio. Children do not have
individual accounts in Trello)
• Office Education 365 (Staff email system)
• Purple Mash (Digital learning tool that can be accessed within school and at home with individual logons from Y3-Y6 and class logons from YR-Y2.
• Junior Librarian (Online library catalogue of the school library with individual user barcodes to scan books in and out of the library)
• RM Maths (Digital maths activities that children access weekly with an individual logon)
• Active Learn (Digital reading books with accompanying comprehensions and digital maths activities for children with individual logons)
• CPOMS (Child Protection Online Monitoring System that incidents are stored on)
As a school we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DFE) and Census obligations we request on admission a range of personal information that complies with our statutory duties on the emergency contact form. When changes to any of this data occurs and we are informed, this is updated as soon as possible within our Management Information System (MIS) RM Integris. For other types of data that we collect we seek consent though consent forms that provide parents with the opportunity to give or decline consent. Consent is only accepted if it is freely given and parents/cares are entitled to withdraw consent at anytime by contacting the School office, where the request will be put in place with immediate effect. Consent is requested for the types of data outlined below;
• The use of photographs/videos for different purpose-click here to download the consent form.
• The use of Tapestry-click here to download the consent/agreement form.
• The School Acceptable Use Agreement for use of Internet related services please see the E-safety & Online tab on this page to view and download the agreement.
What are subject access requests?
Individuals have the right to access the personal data and supplementary information we hold about them. This allows them to be aware of, and verify the lawfulness of, you processing this data. This right applies to everyone whose personal data our school holds, including staff, governors,
volunteers, parents, carers and pupils.
Who deals with subject access requests?
The school’s Data Protection Officer Mrs Ahmed will deal with all subject access requests received. This is based on advice from the Information Commissioner’s Office’s guidance.
How we will respond to subject access requests
On receiving a request in writing, our Data Protection Officer will contact the individual via phone to confirm the request was made. We will then verify the identity of the person making a request using ‘reasonable means’. Generally, this means we will ask for two forms of identification. In most cases, we will provide the information within 15 days, and free of change. If the request is complex or numerous, we will provide the information within 40 days. We recognise that school holidays are counted in the response time and if we receive a request in the school holidays, we will still respond within the same time frame.
‘Unfounded or excessive’ requests
If the request is unfounded or excessive, we will charge a reasonable fee, based on the administrative cost of providing the information. Usually, ‘unfounded or excessive’ means that the request is repetitive, or asks for further copies of the same information. How the information is provided We will provide the information in paper or electronic format.
Information that is exempt from SARs
Certain types of personal data are exempt from SARs because of its nature or effect its disclosure may have (e.g. safeguarding or legal issues) or where disclosure would involve information about another individual. In these cases, we will explain to the requester the reasons why information
requested cannot be disclosed.
Monitoring our compliance with responding to SARs
We retain a log of SARs received automatically on our School Management Information System (RM Integris). The log contains copies of the information supplied in response to the SAR together with copies of any material withheld and an explanation why. Compliance with dealing and responding to SARs is monitored and discussed at senior leadership level and with our Board of Governors.
Complaints about our Subject Access request procedure
If the requester believes that a request for information has not been dealt with properly, the requester should make a complaint to the school through our normal complaints procedure. If following the conclusion of the complaints procedure within the school, the requester is still
dissatisfied or the original decision is not reviewed, the requester can complain directly to the Information Commissioner’s Office.
E-Safety & Online Policies
The growing use of the internet for communicating and the many ways we can now access the internet means whist it is of huge benefit to us all in our daily lives it is also an increasing potential danger. Many of us are unaware of the possible challenges of keeping children safe online.
In our school, our scheme of work ensures that children start to consider e-safety from Reception and that each year these experiences are built on in a progressive way. Rather than viewing it as a separate area we ensure that e-safety is weaved throughout our curriculum so that by the time children leave in Year 6 they are able to safely make choices about the technology that they use. We want children to see the benefits of technology and we aim to use technology in our own practice as a model to the children. With this in mind we set up a school Twitter account as social media is a growing part of everyday life. Our usage policy can be read in this section, please see the link below. Due to our commitment to e-safety and the quality of our provision within school, we achieved the E-safety Quality Mark in February 2017, you can read the report on this page.
Our scheme of work considers three key elements:
• Content-what children view, download, search for and access.
• Contact-what and who they come into contact with.
• Conduct-how they behave as an individual and towards others whilst using technology.
We strive to regularly review our policies and teaching to ensure that new and emerging technologies are incorporated within our curriculum. Through our approach, we aim to teach children how to use the Internet safely and securely, so that they are able to make the best possible
choices when online. Our Internet filtering is inline with the Internet Watch Foundation (IWF) recommendations and our provider is listed on their approved list. Personal security is a fundamental part of this and ensuring that children know where and who they
can get help from if they see or experience problems whilst being online. This page aims to provide resources and research for learning more about the online world and how we can keep both ourselves and our children well educated and safe. Use the link below to view our School Acceptable Use Policy.
Each year Unsworth take part in Safer Internet Day, you can find information about what we got up to in our blog, see links below you can also find out more details from the Official Safer Internet Day website.
There are range of useful wesbite and resources available online, we have collated links to them on this page. Use the links below to find out about ways to keep your child safe with technology. Or why not download a conversation starters poster to try with your child or the E-safety fact sheet!
Vodafone have provided a useful free resource called “Digital Parenting” magazine, which gives excellent advice on E-Safety and various guides on how to protect children on-line. CEOP are an association who are working to protect children online and they have a website entitled
“ThinkuKnow” where there are free resources and guides to keeping children safe online. There is some really valuable information on the website and it is updated on a monthly basis. The Think U Know link below will take you to the parents section of the website.
Kid Guard is a technology services company that provides information & tools for parents to keep their kids safe online. The KidGuard Phone Monitoring service is a cell phone tracking software provided to parents to keep track on their kids text messages, monitor gps location, track phone logs, chats, allowing the parent to stay on top of issues such as cyberbullying, online predators, depression, and other risks to their children arising from the internet.
Below you will find links to useful resources and places to do further research.