From 25th May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). The GDPR is a new data protection regulation that’s designed to strengthen and unify the safety and security of all data held within an organisation.
Under current legislation schools already have a duty of care to ensure that this data is kept safe and secure. With the GDPR schools have an increased responsibility to ensure this information – regardless of what form it’s kept in – is managed in the right way in compliance with this new regulation.
To ensure compliance, Carbeile Junior School has followed the publication ‘Data protection: a toolkit for schools’ produced by the DfE in April 2018. This guides schools through the many processes required to become compliant with the legislation.
This Privacy Standard explains some of the terms used throughout this page:
Step 1: Raising awareness
All staff and governors (regardless of whether they come into contact with personal data or not) have been trained in the new legislation. Training has involved the explanation of what ‘Personal Data’ actually is and the processes in which they are permitted to use that information. The risks of data getting into the wrong hands has been explained. All teachers have had input into where data comes from/goes to through the information audit. Governors are clear about their oversight role in making sure the school is compliant. By linking data protection to child protection, all people become engaged to see that data protection matters in the context of pupil welfare.
Step 2: Creating a high level data map
Senior Leaders (with input from all staff) have produced a table which outlines the: data sent to school from someone else, data created within the school and data passed on from the school to someone else. Consideration has been taken regarding the types of data the school records and uses. The priority throughout this stage has been ‘personal data’, information that identifies a living individual.
Step 3: Turning data map into a data asset register
This is, in simple terms, a long list of all of the different data assets in the school, with some supplementary information about each of them. A data asset is a ‘thing’ that contains data. It could be a database, a system used, a spreadsheet, or a set of paper records. Time has been spent to get the level of detail right. The data asset register at Carbeile has assigned each ‘data asset’ on the data map a reference number. Each data asset has a reference number assigned in the spreadsheet. Each data asset is then analysed in detail.
Step 4: Documenting the reasons for processing data.
GDPR identifies 2 types of personal data:
- Special Category Personal Data – highly sensitive relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, data relating to criminal offences.
- Personal Data – all other data items relating to an individual, such as attendance marks, email addresses or examination results.
Step 5: Documenting how long we need to retain information
Please see our data retention policy that has been discussed and iterated with those who best understand our uses of data. Our data retention is based on justification – if we can justify it, we can keep it! When setting our data retention policy we have considered the following questions:
- Why are we holding the data?
- Do we need to pass it on?
- Once we have passed it on, are we required to keep it?
- What might Ofsted expect from us in terms of the length of time we can perform detailed reporting?
- As time goes on, can we delete some of the information?
Step 6: Reassurance and risks
Using the data asset register outlined in ‘Step 3’, we have identified high-level issues. Minimisation has been the key thing we have thought about:
- The minimum about of personal data that is needed to get the job done.
- The minimum amount of people that need access to personal data. People should only see the personal data they need to see to perform their role.
Step 7: Decide on our Data Protection Officer
Our Data Protection Officer (DPO) is Mr. Matthew Davey
Email address: email@example.com
Address: Carbeile Junior School, Trevol Road, Torpoint, Cornwall, PL11 2NH
We understand the responsibilities of the DPO. We have also ensured that the selected DPO has no conflict of interests in terms of being a member of the Senior Leadership Team or anyone related to any of the financial roles within the school. Our DPO is highly knowledgeable about data protection, GDPR, the schools operations, technology and security. He is also well placed to promote a data protection culture within the school.
The DPO role advises school leadership and staff about their data obligations, monitors compliance, including managing internal data protection activities, training and conducting internal audits. He will also need to advise on when data protection impact assessments are required and be available for data protection enquiries from parents. He will report directly to the governing board and be the point of contact for communication with the Information Commissioner.
Step 8: Communicating with data subjects
We are clear that pupils, staff, parents/carers and ex-pupils are our data subjects. Our key subjects’ rights are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
Data subjects have a right to access data. they can do this through a Subject Access Request, which can be a request to see part or all of the data a school holds about their child.
To clearly inform the data subjects, we have the following ‘Privacy Notice’.
Step 9: Keeping Data Protection ‘living’
The data that is processed, and the mechanisms through which the school undertakes that processing, will evolve over time. The ‘living documents’ at Carbeile (to ensure we keep up with any changes) are:
- the data map
- the data asset register
- the data protection impact assessments