GDPR & Data Protection Policy
Lead Person: Wendy Vinson
Review Date: July 2019
Policy Ratification Date: 11th July 2018
Minster Church of England Primary School
‘Ready to Face the World’
Our school has a warm, Christian family ethos where our children thrive in a secure and happy atmosphere. They are fully supported and nurtured from when they join us until they leave our care.
Minster Primary School is a Church of England Primary School and our Christian values are at the heart of everything we do.
These are then underpinned by our learning values.
Our whole school ethos for learning and behaviour is guided by them. Each aspect of school life is encountered through these values to establish a forward thinking, diverse and innovative culture in which our entire school community flourishes. Every school policy is written with this in mind.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) are the law that protects personal privacy and upholds individuals’ rights. They apply to anyone who handles or has access to people’s personal data.
This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the legislation. It will apply to personal information regardless of the way it is used, recorded and stored and whether it is held in paper files or electronically.
Scope of the Policy
Personal data is any information that relates to an identified or identifiable living individual who can be identified directly or indirectly from the information. The information includes factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a living individual. This includes any expression of opinion about an individual and intentions towards an individual. Under the GDPR personal information also includes an identifier such as a name, an identification number, location data or an online identifier.
The School collects a large amount of personal data every year including: pupil records, staff records, names and addresses of those requesting prospectuses, examination marks, references, fee collection as well as the many different types of research data used by the School. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities (LAs), government agencies and other bodies.
The principles set out in the GDPR must be adhered to when processing personal data:
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (data minimisation).
Personal data shall be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (accuracy).
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (storage limitation).
Appropriate technical and organisational measures shall be taken to safeguard the rights and freedoms of the data subject and to ensure that personal information is processed in a manner that ensures appropriate security of the personal data and protects against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (integrity and confidentiality).
In addition, personal data shall not be transferred to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the European Commission or where the organisation receiving the data has provided adequate safeguards.
This means that individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. It may also be possible to transfer data where the data subject has provided explicit consent or for other limited reasons. Staff should contact the DPO if they require further assistance with a proposed transfer of personal data outside of the EEA.
Lawful Basis for processing personal information
Before any processing activity starts for the first time, and then regularly afterwards, the purpose(s) for the processing activity and the most appropriate lawful basis (or bases) for that processing must be selected:
Data subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured. Consent may need to be reviewed if personal data is intended to be processed for a different and incompatible purpose which was not disclosed when the data subject first gave consent.
The decision as to which lawful basis applies must be documented to demonstrate compliance with the data protection principles, and information about both the purposes of the processing and the lawful basis for it must be included in the school’s relevant privacy notice(s).
When determining whether legitimate interests are the most appropriate basis for lawful processing (only where appropriate outside the school’s public tasks), a legitimate interests assessment must be carried out and recorded. Where a significant privacy impact is identified, a data protection impact assessment (DPIA) may also need to be conducted.
Sensitive Personal Information
Processing of sensitive personal information (known as ‘special categories of personal data’) is prohibited unless a lawful special condition for processing is identified.
Sensitive personal information is data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or orientation or is genetic or biometric data which uniquely identifies a natural person.
Sensitive personal information will only be processed if:
the individual (‘data subject’) has given explicit consent (which has been clearly explained in a Privacy Notice)
the processing is necessary for the purposes of exercising the employment law rights or obligations of the school or the data subject
the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent
the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim
the processing relates to personal data which are manifestly made public by the data subject
the processing is necessary for the establishment, exercise or defence of legal claims
the processing is necessary for reasons of substantial public interest
the processing is necessary for purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, the provision of social care and the management of social care systems or services
the processing is necessary for reasons of public interest in the area of public health.
The school’s privacy notice(s) set out the types of sensitive personal information that it processes, what it is used for, the lawful basis for the processing and the special condition that applies.
Sensitive personal information will not be processed until an assessment has been made of the proposed processing as to whether it complies with the criteria above and the individual has been informed (by way of a privacy notice or consent) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
Unless the School can rely on another legal basis of processing, explicit consent is usually required for processing sensitive personal data. Evidence of consent will need to be captured and recorded so that the school can demonstrate compliance with the GDPR.
Automated Decision Making
Where the school carries out automated decision making (including profiling) it must meet all the principles and have a lawful basis for the processing. Explicit consent will usually be required for automated decision making (unless it is authorised by law or it is necessary for the performance of or entering into a contract).
Additional safeguards and restrictions apply in the case of solely automated decision-making, including profiling. The School must as soon as reasonably possible notify the data subject in writing that a decision has been taken based on solely automated processing and that the data subject may request the school to reconsider or take a new decision. If such a request is received staff must contact the DPO as the school must reply within 21 days.
Data Protection Impact Assessments (DPIA)
All data controllers are required to implement ‘Privacy by Design’ when processing personal data.
Where processing is likely to result in high risk to an individual’s data protection rights (for example where a new technology is being implemented) a DPIA must be carried out to assess:
Staff should adhere to the Data Protection Toolkit for Schools from the DfE with reference to the DPIA template.
When carrying out a DPIA, staff should seek the advice of the DPO for support and guidance and once complete, refer the finalised document to the DPO for sign off.
Documentation and records
Written records of processing activities must be kept and recorded including:
As part of the School’s record of processing activities the DPO will document, or link to documentation on:
Records of processing of sensitive information are kept on:
The relevant purposes for which the processing takes place, including why it is necessary for that purpose
The lawful basis for our processing and
Whether the personal information is retained or erased in accordance with the Retention Schedule and, if not, the reasons for not following the policy.
The School should conduct regular reviews of the personal information it processes and update its documentation accordingly. This may include:
The school will issue privacy notices as required, informing data subjects (or their parents, depending on age of the pupil, if about pupil information) about the personal information that it collects and holds relating to individual data subjects, how individuals can expect their personal information to be used and for what purposes.
When information is collected directly from data subjects, including for HR or employment purposes, the data subject shall be given all the information required by the GDPR including the identity of the DPO, how and why the School will use, process, disclose, protect and retain that personal data through a privacy notice (which must be presented when the data subject first provides the data).
When information is collected indirectly (for example from a third party or publicly available source) the data subject must be provided with all the information required by the GDPR as soon as possible after collecting or receiving the data. The school must also check that the data was collected by the third party in accordance with the GDPR and on a basis which is consistent with the proposed processing of the personal data.
The School will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The School will issue a minimum of two privacy notices, one for pupil information, and one for workforce information, and these will be reviewed in line with any statutory or contractual changes.
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
Personal data must not be used for new, different or incompatible purposes from that disclosed when it was first obtained unless the data subject has been informed of the new purposes and they have consented where necessary.
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Staff may only process data when their role requires it. Staff must not process personal data for any reason unrelated to their role.
The School maintains a Retention Schedule to ensure personal data is deleted after a reasonable time for the purpose for which it was being held, unless a law requires such data to be kept for a minimum time. Staff must take all reasonable steps to destroy or delete all personal data that is held in its systems when it is no longer required in accordance with the Schedule. This includes requiring third parties to delete such data where applicable.
Staff must ensure that data subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
Staff as well as any other ‘data subjects’ have the following rights in relation to their personal information:
During their employment, staff may have access to the personal information of other members of staff, suppliers, clients or the public. The school expects staff to help meet its data protection obligations to those individuals.
If you have access to personal information, you must:
The school will use appropriate technical and organisational measures to keep personal information secure, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
All staff are responsible for keeping information secure in accordance with the legislation and must follow their school’s acceptable usage policy.
The school will develop, implement and maintain safeguards appropriate to its size, scope and business, its available resources, the amount of personal data that it owns or maintains on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). It will regularly evaluate and test the effectiveness of those safeguards to ensure security of processing.
Staff must guard against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. Staff must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.
Staff must follow all procedures and technologies put in place to maintain the security of all personal data from the point of collection to the point of destruction. Staff may only transfer personal data to third-party service providers who agree in writing to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
Staff must maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it.
Integrity means that personal data is accurate and suitable for the purpose for which it is processed.
Availability means that authorised users can access the personal data when they need it for authorised purposes.
Staff must comply with and not attempt to circumvent the administrative, physical and technical safeguards the school has implemented and maintains in accordance with the GDPR and DPA.
Where the school uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. Contracts with external organisations must provide that:
Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval from the DPO.
Storage and retention of personal information
Personal data will be kept securely in accordance with the school’s data protection obligations.
Personal data should not be retained for any longer than necessary. The length of time data should be retained will depend upon the circumstances, including the reasons why personal data was obtained. Staff should adhere to the KCC Information Management Toolkit for Schools on KELSI with reference to the Record Retention Schedule, available at the following link: http://www.kelsi.org.uk/__data/assets/word_doc/0012/60213/InformationManagementToolkitforSchoolsv4-2.docx
Personal information that is no longer required will be deleted in accordance with the School’s Record Retention Schedule.
A data breach may take many different forms:
The school must report a data breach to the Information Commissioner’s Office (ICO) without undue delay and where possible within 72 hours, if the breach is likely to result in a risk to the rights and freedoms of individuals. The school must also notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
Staff should ensure they inform their line manager/DPO/Executive Headteacher/Head of School immediately that a data breach is discovered and make all reasonable efforts to recover the information, following the school’s agreed breach reporting process.
The school will ensure that staff are adequately trained regarding their data protection responsibilities.
Consequences of a failure to comply
The school takes compliance with this policy very seriously. Failure to comply puts data subjects whose personal information is being processed at risk and carries the risk of significant civil and criminal sanctions for the individual and the school and may in some circumstances amount to a criminal offence by the individual.
Any failure to comply with any part of this policy may lead to disciplinary action under the school’s procedures and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.
If you have any questions or concerns about this policy, you should contact your line manager or the school’s DPO.
Review of Policy
This policy will be updated as necessary to reflect best practice or amendments made to the GDPR or DPA.
The Supervisory Authority in the UK
Please follow this link to the ICO’s website (https://ico.org.uk/) which provides detailed guidance on a range of topics including individuals’ rights, data breaches, dealing with subject access requests, how to handle requests from third parties for personal data etc.
Appendix 1 – Procedure for Access to Personal Information
Minster Church of England Primary School
Rights of access to information
Parents’ and pupils’ rights regarding personal data
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
If you make a subject access request and if we do hold information about you or your child, we will:
Give you a description of it
Tell you why we are holding and processing it and how long we will keep it for
Explain where we got it from, if not from you or your child
Tell you who it has been, or will be, shared with
Let you know whether any automated decision-making is being applied to the data and any consequences of this
Give you a copy of the information in an intelligible form
Individuals also have the right for their personal information to be transmitted electronically to another organisation in certain circumstances.
Parents/carers also have a legal right of access to their child’s educational record. To request access, please contact Wendy Vinson, Business Support Officer.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with the school in the first instance.
To make a complaint, please contact the Executive Headteacher.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Headteacher in the first instance.
Minster Church of England Primary School, Molineux Road, Minster, Ramsgate, Kent, CT12 4PS
SPS DPO Services
SPS DPO Services, iSystems Integration, Devonshire House, 29-31 Elmfield Road, Bromley, Kent, BR1 1LT
 These may be provided by a legally binding agreement between public authorities or bodies, standard data protection clauses provided by the ICO or certification under an approved mechanism.
The GDPR states that legitimate interests do not apply to processing carried out by public authorities in the performance of their tasks (Article 6). However, the ICO indicates that where there are other legitimate purposes outside the scope of the tasks as a public authority, legitimate interests may be considered where appropriate (particularly relevant for public authorities with commercial interests).