GDPR & Data Protection - Data Protection Act 2018
As an Academy Trust, Lutterworth Academy Trust (the 'Trust') is a Public Authority and is obliged to have a Data Protection Policy that explains how we collect, manage and use data about pupils, staff, parents, carers and other third parties.
Our Data Protection Policy can be found within the Policies section of our website.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 regulate our collection, use and storage of data.
If you have any queries or questions about GDPR & Data Protection please, in the first instance, contact the School Business Leader:
Mrs L. Kendrick - email@example.com
January 2021 update
As the UK transitional arrangements expired on 31 December 2020, there are some practical changes for Data Protection and the GDPR.
To comply with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 please note that every policy, notice and procedural guide that refers to ‘GDPR’ shall now be read as ‘UK GDPR’.
The rights, responsibilities and data protection that the Data Protection Act 2018 and the GDPR provide are not changed. Our procedures and arrangements will not change.
What is Data?
Any information that relates to a living person and identifies them. This can be by name, address or phone number, for example.
It also relates to details about that person, which can include opinions.
Some data is considered to be more sensitive, and therefore more important to protect. This is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data, and biometric data where processed to uniquely identify a person.
Schools often collect sensitive data for Government (DfE) and Local Authority requirements and of course pupil data may contain information about safeguarding, SEN or health needs. Information about other family members may also be on the school file of an individual.
What are the key principles of the GDPR? Lawfulness, transparency and fairness.
The Trust must have a legitimate reason to hold data.
We explain this in the Data Privacy Notices in our Data Protection Policy. We often ask for consent to use data about an individual for a particular purpose. If you wish to withdraw consent please contact the Trust to allow us to process your request. Withdrawing consent does not stop processing that the Trust carries out on another lawful basis, as explained in the Trust's Data Protection Policy.
Collection of data for a specific purpose and the use of it for that purpose
Data held by the Trust cannot be used for a purpose that it was not originally collected for, or where notice has not been given about how data may be used after collection.
Data controllers should only collect the minimum amount of data needed for a particular task or reason.
If there is a breach or a 'hack' of the system, then only limited information can be lost.
Data collected should be accurate, and steps should be taken to check and confirm accuracy.
We do this when pupils join the school and continue to check the accuracy on a regular basis.
If a Data Subject feels that the information held is inaccurate, should no longer be held by the Controller, or should not have been held by the Controller in any event, a dispute resolution and complaints process can be accessed.
The Trust has adopted the Information and Records Management Society’s toolkit for schools Retention policy that explains how long we store records for.
We have processes in place to keep data safe. That might be paper files, electronic records or other information.
Who is a ‘data subject’?
Someone whose details the Trust keeps on file.
Some details are more sensitive than others. The GDPR treats details such as health conditions and ethnicity as more sensitive than names and phone numbers, and sets stricter conditions for collecting them.
Data subjects’ rights
Individuals have a right:
- to be informed
- of access to data stored about them or their children
- to rectification if there is an error in the data stored
- to erasure if there is no longer a need for the school to keep the data
- to restrict processing, i.e. to limit what is done with their data
- to object to data being shared or collected
There are other rights that relate to automated decision making and data portability that are not directly relevant in schools.
Data subjects' rights are also subject to child protection and safeguarding concerns, and to sharing information for the prevention and detection of crime. Schools also have legal and contractual obligations to share information with organisations such as the Department for Education, Social Care, the Local Authority and HMRC. In some cases these obligations override individual rights.
Subject Access Requests
You can ask for copies of information that we hold about you or a pupil who you have parental responsibility for or are a parent of at school.
This Subject Access Request process is set out separately. You will need to complete the Subject Access Request Form and you may need to provide identification evidence for us to process the request.
We have to provide the information within a month, but this can be extended if, for example, the school was closed for holidays. The maximum extension is a further two months.
When we receive a request we may ask you to be more specific about the information that you require. This is to refine any queries to make sure you access what you need, rather than sometimes getting a lot of information that may not be relevant to your query.
In some cases we cannot share all information we hold on file if there are contractual, legal or regulatory reasons.
We cannot release information provided by a third party without their consent, and in some cases you may be better off approaching them directly, e.g. the Trust school nurse, who is employed directly by the NHS.
We will supply the information in an electronic form.
If you wish to complain about the process, please follow our complaints process or see the information below.
Who is a ‘data controller’?
The Trust is the data controller.
The Trust has ultimate responsibility for how the school manages data. It delegates this to data processors, who act on its behalf.
Who is a ‘data processor’?
This is a person or organisation that uses, collects, accesses or amends the data that the controller has collected or authorised to be collected.
It can be a member of staff, a third-party company, possibly a governor, a contractor or temporary employee. It can also be another organisation such as the police or the LA.
Data controllers must make sure that data processors are as careful about the data as the controller themselves. The GDPR requires Data Controllers to put contractual agreements in place with their processors to ensure that this is the case.
Schools must have a reason to process the data about an individual. Our privacy notices in our Data Protection Policy set out how we use data.
The GDPR has 6 conditions for lawful processing and any time we process data relating to an individual it is within one of those conditions.
If there is a data breach we have a separate policy and procedure to follow to take immediate action to remedy the situation as quickly as possible.
The legal basis and authority for collecting and processing data in school are:
- consent obtained from the data subject or their parent
- performance of a contract where the data subject is a party
- compliance with a legal obligation
- to protect the vital interests of the data subject or other associated person
- to carry out the processing that is in the public interest and/or official authority
- it is necessary for the legitimate interests of the data controller or third party
- in accordance with national law.
In addition, any special categories of personal data are processed on the grounds of:
- explicit consent from the data subject or about their child
- necessary to comply with employment rights or obligations
- protection of the vital interests of the data subject or associated person
- being necessary to comply with the legitimate activities of the school
- existing personal data that has been made public by the data subject and is no longer confidential
- bringing or defending legal claims
- national laws in terms of processing genetic, biometric or health data.
Processing of data is recorded within the school systems.
Data sharing is done within the limits set by the GDPR. Guidance from the Department for Education, health, the police, local authorities and other specialist organisations may be used to determine whether data is shared.
The basis for sharing or not sharing data is recorded in school.
Breaches & Non Compliance
If there is non compliance with the policy or processes, or there is a Data Protection Act breach as described within the GDPR and Data Protection Act 2018 then the guidance set out in the Breach & Non Compliance Procedure and Process needs to be followed.
Protecting data and maintaining data subjects rights is the purpose of this policy and associated procedures.
As an Academy Trust we will seek consent from staff, volunteers, young people, parents and carers to collect and process their data.
We will be clear about our reasons for requesting the data and how we will use it. There are contractual, statutory and regulatory occasions when consent is not required.
However, in most cases data will only be processed if explicit consent has been obtained.
Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
We may seek consent from young people also, and this will be dependent on the child and the reason for processing.
Data Protection Officer
We have a Data Protection Officer whose role is:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR
- to monitor compliance with the GDPR and DPA
- to provide advice where requested about data protection impact assessments and monitor their performance
- to be the point of contact for Data Subjects if there are concerns about data protection
- to cooperate with the supervisory authority and manage the breach procedure
- to advise about training and CPD for the GDPR
Our DPO is John Walker; his contact details are firstname.lastname@example.org or 0333 772 9763. He is independent of the Academy Trust.
In the Trust, every secure area has individuals who are responsible for ensuring that the space is securely maintained and controlled if unoccupied, i.e. locked.
Offices and cupboards that contain personal data should be secured if the processor is not present.
The Premises Manager is responsible for authorising access to secure areas along with the Trust Business Manager.
All Staff, contractors and third parties who have control over lockable areas must take due care to prevent data breaches.
When disposal of items is necessary a suitable process must be used.
This is to secure the data and to provide a process that does not enable data to be shared in error or through malicious or criminal intent.
These processes, when undertaken by a third party, are subject to contractual conditions to ensure GDPR and Data Protection Act compliance.
Complaints & the Information Commissioner Office (ICO)
The Trust complaint process deals with complaints about Data protection issues.
There is a right to complain if you feel that data has been shared without consent or lawful authority.
You can complain if you have asked us to erase, rectify or stop processing data and we have not agreed to your request.
We will always try to resolve issues on an informal basis, and then through our formal complaints procedure. Please complete the form, and we will contact you with more details about the timescale and process.
A review of the effectiveness of GDPR compliance and processes will be conducted by the Data Protection Officer every 12 to 24 months.