Sacred Heart Catholic Primary School, Leigh
General Data Protection Regulations (GDPR) Policy
Live and Learn with Jesus.
We follow Jesus through fairness, kindness, love, friendship and happiness.
Statement of intent
- Legal framework
- Roles and Responsibilities
- Lawful Processing
- Data Subject’s Rights and Requests
- The right to be informed (Privacy Notices)
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Automated decision making and profiling
- Privacy by design and privacy impact assessments
- Data breaches
- Data security and Confidentiality
- Transfer Limitation
- Cloud Software Servces
- Publication of information
- CCTV and photography
- Data Retention
- DBS Data
- Training and Audit
- Policy Review
Statement of intent
Sacred Heart Catholic Primary School is required to keep and process certain information about its staff members and pupils in accordance with its legal obligations under the General Data Protection Regulation (GDPR).
Sacred Heart Catholic Primary School may, from time to time, be required to share personal information about its staff or pupils with other organisations, mainly the LA, other schools and educational bodies, and potentially children’s services.
This policy is in place to ensure all staff and governors are aware of their responsibilities and outlines how the school complies with the following core principles of the GDPR.
Organisational methods for keeping data secure are imperative, and Sacred Heart Catholic Primary School believes that it is good practice to keep clear practical policies, backed up by written procedures.
- Legal framework
- This policy has due regard to legislation, including, but not limited to the following:
- The General Data Protection Regulation (GDPR)
- The Freedom of Information Act 2000
- The Education (Pupil Information) (England) Regulations 2005 (as amended in 2016)
- The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004
- The School Standards and Framework Act 1998
- This policy will also have regard to the following guidance:
- Information Commissioner’s Office (2017) ‘Overview of the General Data Protection Regulation (GDPR)’
- Information Commissioner’s Office (2017) ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’
- DFE Guidance on cloud software services and the DFA
- DFE Guidance on Information Sharing
- This policy will be implemented in conjunction with the following other policies:
- Use of images and Photography Policy
- E-security Policy
- Freedom of Information Policy
- CCTV Policy
- Confidentiality Policy
- Social Media Policy
- Online Safety Policy
1.4 This policy applies to Sacred Heart Catholic Primary School.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Company Personnel: all employees, workers [contractors, agency workers, consultants,] directors, volunteers, governors, members and others.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the Company data privacy team with responsibility for data protection compliance.
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or pupil privacy notices) or they may be stand-alone, one time privacy statements covering Processing related to a specific purpose.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on
the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
- Roles and Responsibilities
- The Data Controller
- Sacred Heart Catholic Primary School, as the corporate body, is the data controller.
- Sacred Heart Catholic Primary School therefore has overall responsibility for ensuring that records are maintained, including security and access arrangements in accordance with regulations and that the school is complying with its obligations under the General Data Protection Regulation.
- The business manager along with the SLT deal with the day-to-day matters relating to data protection.
- The business manager is responsible for ensuring personal information relating to pupils, staff, volunteers, governors and visitors is processed correctly by the relevant staff.
- On occasion, personal information may be processed by outside organisations involved in data processing. By involving another organisation in data processing, the Trust increases certain risks. The security of the personal information is covered in a formal contract between the Trust and any outside organisation. See appendix 1 for an example of the formal contract used.
- The headteacher will ensure that all staff are aware of their data protection obligations, and oversee any queries related to the storing or processing of personal data. Staff are responsible for ensuring that they collect and store any personal data in accordance with this policy.
- All staff and governors will sign a privacy standard to acknowledge that they understand and will follow the procedures set by the school on how personal data is to be handled.
- The Acorn Trust is registered as a data controller with the Information Commissioner’s Office and renews this registration annually.
- The Data Protection Officer (DPO)
- A DPO will be appointed in order to:
- Inform and advise Sacred Heart Catholic Primary School and its employees about their obligations to comply with the GDPR and other data protection laws.
- Monitor Sacred Heart Catholic Primary School compliance with the GDPR and other laws, including managing internal data protection activities, advising on data protection impact assessments, conducting internal audits, and providing the required training to staff members.
- Be the first point of contact with the ICO and data subjects
- Sacred Heart Catholic Primary School must ensure that the appointed DPO’s day to day duties are compatible with the duties of the DPO and do not lead to a conflict of interests.
- The individual appointed as DPO will have professional experience and knowledge of data protection law, particularly that in relation to schools and childcare.
- The DPO will report to the highest level of management at Sacred Heart Catholic Primary School, which is the CEO.
- The DPO will operate independently and will not be dismissed or penalised for performing their task.
- Sufficient resources will be provided to the DPO to enable them to meet their GDPR obligations.
- Sacred Heart Catholic Primary School has appointed the following DPO: Mrs J Buckley.
- Sacred Heart Catholic Primary School adhere to the Principles relating to Processing of Personal Data set out in the GDPR which requires personal data to be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing
- and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Not transferred to another country without appropriate safeguards being in place
- Made available to data subjects and allowing them to exercise certain rights in relation to their personal data.
- The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
- Sacred Heart Catholic Primary School will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR.
- Sacred Heart Catholic Primary School will provide comprehensive, clear and transparent privacy policies.
- Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences.
- Internal records of processing activities will include the following:
- Name and details of the organisation
- Purpose(s) of the processing
- Description of the categories of individuals and personal data
- Retention schedules
- Categories of recipients of personal data
- Storage locations
- Description of technical and organisational security measures
- Details of transfers to third parties, including documentation of the transfer mechanism safeguards in place
- In order to create such records, data maps should be created which should include the details set out above together with appropriate data flows.
- Sacred Heart Catholic Primary School will implement measures that meet the principles of data protection by design and data protection by default, such as:
- Data minimisation.
- Allowing individuals to monitor processing.
- Continuously creating and improving security features.
- Data protection impact assessments will be used, where appropriate.
- The legal basis for processing data will be identified and documented prior to data being processed.
- Under the GDPR, data will be lawfully processed under the following conditions:
- The consent of the data subject has been obtained.
- Processing is necessary for:
- Compliance with a legal obligation.
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For the performance of a contract with the data subject or to take steps to enter into a contract.
- Protecting the vital interests of a data subject or another person.
- For the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (This condition is not available to processing undertaken by the Acorn Trust in the performance of its tasks.)
- Sensitive data will only be processed under the following conditions:
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
- Processing relates to personal data manifestly made public by the data subject.
- Processing is necessary for:
- Carrying out obligations under employment, social security or social protection law, or a collective agreement.
- Protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.
- The establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
- Reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.
- The purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
- Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
- Archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
- Data Subject’s Rights and Requests
- Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
- withdraw Consent to Processing at any time;
- receive certain information about the Data Controller's Processing activities;
- request access to their Personal Data that we hold;
- prevent our use of their Personal Data for direct marketing purposes;
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on Automated Processing, including profiling (ADM);
- prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority; and
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
- Further information about these rights including the Acorn Trust procedures in dealing with these rights are detailed below. It is essential to verify the identity of an individual requesting data under any of the rights listed above (Personal data cannot be disclosed to third parties proper authorisation).
- Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes.
- Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes.
- Consent may need to be refreshed if the use of the Personal Data is for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
- Where consent is given, a record will be kept documenting how and when consent was given.
- Sacred Heart Catholic Primary School ensures that consent mechanisms meet the standards of the GDPR. Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease.
- Consent accepted under the DPA will be reviewed to ensure it meets the standards of the GDPR; Acceptable consent obtained under the DPA will not be reobtained.
- Consent can be withdrawn by the individual at any time.
- Where a child is under the age of 13 the consent of parents will be sought prior to the processing of their data, except where the processing is related to preventative or counselling services offered directly to a child.
- The right to be informed (Privacy Notices)
- Sacred Heart Catholic Primary School recognises that its staff and pupils need to know what it does with the information it holds about them.
- Sacred Heart Catholic Primary School issues a general privacy notice annually, detailing the purposes for which personal data collected by Sacred Heart Catholic Primary School will be used.
- If personal details are being recorded for a specific purpose, a specific privacy notice is issued.
- The general privacy notice is also published on Sacred Heart Catholic Primary School and schools’ website.
- The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
- If services are offered directly to a child, Sacred Heart Catholic Primary School will ensure that the privacy notice is written in a clear, plain manner that the child will understand.
- In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
- The identity and contact details of the controller (and where applicable, the controller’s representative) and the DPO.
- The purpose of, and the legal basis for, processing the data.
- The legitimate interests of the controller or third party.
- Any recipient or categories of recipients of the personal data.
- Details of transfers to third countries and the safeguards in place.
- The retention period of criteria used to determine the retention period.
- The existence of the data subject’s rights, including the right to:
- Withdraw consent at any time.
- Lodge a complaint with a supervisory authority.
- The existence of automated decision making, including profiling, how decisions are made, the significance of the process and the consequences.
- Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement, as well as any possible consequences of failing to provide the personal data, will be provided.
- Where data is not obtained directly from the data subject, information regarding the categories of personal data that the school holds, the source that the personal data originates from and whether it came from publicly accessible sources, will be provided.
- For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.
- In relation to data that is not obtained directly from the data subject, this information will be supplied:
- Within one month of having obtained the data.
- If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.
- If the data are used to communicate with the individual, at the latest, when the first communication takes place.
- Personal information is only made available to staff, trustees and governors who need that particular information to do their jobs, and is only made available at the time that it is needed.
- Members of staff and parents/carers are responsible for checking that any information that they provide to the Trust, in connection with their employment or in regard to a child, is accurate and up-to-date.
- Sacred Heart Catholic Primary School cannot be held accountable for any errors unless the employee or parent has informed the Trust about such changes.
- Sacred Heart Catholic Primary School business manager is responsible for monitoring fair processing controls on an on-going basis.
- The right of access
- Individuals have the right to obtain confirmation that their data is being processed.
- Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
- Sacred Heart Catholic Primary School will verify the identity of the person making the request before any information is supplied.
- A copy of the information will be supplied to the individual free of charge; however, Sacred Heart Catholic Primary School may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.
- Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.
- Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged.
- All fees will be based on the administrative cost of providing the information.
- All requests will be responded to without delay and at the latest, within one month of receipt.
- In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
- Where a request is manifestly unfounded or excessive, Sacred Heart Catholic Primary School holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
- In the event that a large quantity of information is being processed about an individual, Sacred Heart Catholic Primary School will ask the individual to specify the information the request is in relation to.
- See Appendix 2 for example of SAR response letter.
- The right to rectification
- Individuals are entitled to have any inaccurate or incomplete personal data rectified.
- Where the personal data in question has been disclosed to third parties, the school will inform them of the rectification where possible.
- Where appropriate, Sacred Heart Catholic Primary School will inform the individual about the third parties that the data has been disclosed to.
- Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.
- Where no action is being taken in response to a request for rectification, Sacred Heart Catholic Primary School will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
- The accuracy of any personal data must be checked at the point of collection and at regular intervals afterwards. Measures must be taken to destroy or amended inaccurate or out of date personal data.
- The right to erasure
- Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Individuals have the right to erasure in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws their consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed
- The personal data is required to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child
- Sacred Heart Catholic Primary School has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes
- The exercise or defence of legal claims
- As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
- Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
- Where personal data has been made public within an online environment, the school will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
- The right to restrict processing
- Individuals have the right to block or suppress Sacred Heart Catholic Primary School’s processing of personal data.
- In the event that processing is restricted, Sacred Heart Catholic Primary School will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.
- Sacred Heart Catholic Primary School will restrict the processing of personal data in the following cirriculum.
Adapted: Summer Term 2020
Review Summer Term 2022