Vyners Learning Trust Data Protection and Retention Policy

Transcription

1 Vyners Learning Trust Data Protection and Retention Policy 1. Background Vyners Learning Trust collects and uses personal information about staff, pupils, parents and other individuals who come into contact with each of the individual schools which make up the Trust. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that individual schools comply with their statutory obligations. This personal information must be handled properly and the Data Protection Act 1998 sets out a number of safeguards to ensure this. As a Data Controller, the Trust is registered with the Information Commissioner s Office (ICO) detailing the information held and its use. The details of our registration are available on the ICO s website. The Board of Directors of the Trust is ultimately responsible for the implementation of this policy. They delegate responsibility for day to day compliance with this policy to individual Headteachers. Further advice and information on the scope of the Data Protection Act is available from the Information Commissioner s Office, 2. Purpose This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998, and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. All staff involved with the collection, processing and disclosure of personal data will be made aware of their duty to adhere to these guidelines 3. Definition of personal information Personal information is defined as data which relates to a living individual who can be identified from that data, or other information held. The name of the individual need not necessarily be given. In the context of this document, personal data may include; School admission and attendance registers Pupil s curricular and attainment records Progress checks Records in connection with pupils entered for public examinations Staff and Governor records, including payroll Page 1

2 Pupil disciplinary records Personal information held for teaching purposes Records of contractors and suppliers If it is necessary for individual schools, or the Trust, to process certain personal data to fulfil its obligations to students or their parents / carers, then consent is not required. Consent is also not required where processing is necessary to exercise a right or obligation imposed on the individual school or Trust by law, or to protect the vital interests of an individual. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential. In these circumstances personal data will only be disclosed to third parties with the consent of the individual under the terms of this policy. 4. Definition of sensitive personal data Sensitive personal information includes the following: Ethnic or racial origin Political opinions Religious beliefs Other beliefs of a similar nature Membership of a trade union Physical or mental health condition Sexual life Offence or alleged offence Proceedings or court sentence. Where sensitive personal data is processed by the individual school or Trust, the explicit consent of the individual will be sought in writing unless processing is necessary to exercise a right or obligation imposed on the school by law, or to protect the vital interests of an individual. 5. Disclosure of Information to Third Parties The Trust confirms that it will not generally disclose information to third parties unless the individual has given their consent, or one of the exemptions under the Act applies. For clarity, however, the Trust will make the following third party disclosures: Confidential references to any education institution that a student may wish to attend Transfer of a student s educational record to any education institution that they will be registered at The publication of public examination results or other achievements of individual schools, or the Trust The release of medical information about a student where it is in their interest to do so (eg to the organiser of a school trip or to medical professionals where such information is required to facilitate treatment) Where an individual school receives a request to disclose information to a third party it will always take action to establish the identity of that third party before releasing any information. Page 2

3 6. Data Protection Principles The Trust shall, so far as is reasonably practicable, comply with the either Data Protection principles contained in the Act to ensure all data is: processed fairly and lawfully; only used for the specific and lawful purposes for which it is collected; adequate, relevant and not excessive; accurate and kept up to date; not kept for longer than necessary; processed in accordance with the rights of individuals under the Data Protection Act 1998; kept secure not transferred to a country or territory outside the European Economic Area, without adequate data protection. The Trust is committed to maintaining the above principles at all times. Therefore individual schools, acting on behalf of the Trust, will: Inform individuals why the information is being collected when it is collected Inform individuals when their information is shared, and why and with whom it was shared Check the quality and the accuracy of the information it holds Ensure that information is not retained for longer than is necessary Ensure that when obsolete information is destroyed that it is done so appropriately and securely Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded Share information with others only when it is legally appropriate to do so Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests Ensure our staff are aware of and understand our policies and procedures 7. Right of Access Individuals have a right of access to information held on them by the Trust or by individual schools. The procedures to be followed for a subject access request are detailed at Annex 1. Certain data is exempt from the right of access under the Act. This can include Information which identifies other individuals Information which the individual school or Trust reasonably believes will cause damage or distress Information subject to legal professional privilege The school / Trust will also treat as confidential any reference given for the purpose of the education, training, employment or prospective education of any pupil. Page 3

4 The Trust acknowledges that individuals may have a right of access to any reference relating to them received by an individual school. Such a reference will only be disclosed if doing so does not identify the person supplying the reference or the referee has given their consent or is disclosure is considered reasonable. 8. Rights of Students Under the Data Protection Act, the rights to the data belong to the individual to whom the data relates. However, in most cases, individual schools will rely on parental consent to process data relating to students unless, given the circumstances, and the student s age and understanding, it is unreasonable to rely on the parents consent. Parents should be aware that, in such situations, they may not be consulted. These situations are very rare and it is general policy for individual schools to always seek parents consent before processing a student s personal data. Individual schools are legally required to give a student access to their personal data if, in the School s reasonable belief, the student understands the nature of the request and its implications. The School may, however, withhold access under Section 30 of the Exemptions to the Data Protection Act, if it considers that it is not appropriate for the student to see a particular document. Where a student raises private concerns with a member of staff and makes it clear they do not wish this information passed onto a parent or carer, the school will maintain confidentiality unless it has reasonable grounds to believe that the student does not fully understand the consequences of withholding their consent or where the individual school believes that disclosure is in the very best interests of the student or other students. Individual schools / the Trust cannot guarantee to keep any information confidential where it relates to a safeguarding matter. 9. Consent to use of personal information by the school As part of the entry procedure into schools which form part of Vyners Learning Trust, at any age, parents are asked to sign an agreement giving the school their consent to use their personal data. A copy of this Fair Processing Notice is contained at Annex 2. Parents/carers are reminded of the importance of ensuring that key personal and emergency contact data is kept upto date. Individual schools within the Trust will regularly send home a copy of information held by the school for students and it is important that parents take the time to check this information and advise the school of any inaccuracies. Parents are asked to notify the individual school at any time of changes required to the data held on their child in order that the records may be amended. The right to have inaccurate data corrected extends to factual information only, not opinions 10. CCTV It is common for schools to have CCTV cameras installed around their site. Images are monitored and recorded for the purposes of ensuring student safety and site security. No cameras are installed in classrooms or cover sensitive areas such as student toilets. Page 4

5 The Trust is registered for the installation and use of CCTV with the Office of the Information Commissioner. Where CCTV cameras are installed, appropriate signage is posted around the relevant School site. CCTV images are automatically overwritten after 30 days. maintained and the date stamp checked. The equipment is regularly Schools within the Trust reserve the right to make a copy of footage where an investigation is on-going into an incident. The copy taken will be limited to the specific incident under investigation. Access to the CCTV equipment and images generated is limited to members of the Facilities Team, authorised personnel from the relevant maintenance companies, and such other members of Trust staff as may be involved in the specific investigation of an incident. CCTV images are not routinely monitored and will only be disclosed to third parties in line with the provisions of the Data Protection Act. CCTV images are subject to the same rights of subject access as other personal information. 11. Retention of data Individual schools have a duty to retain certain items of staff and student data for a period of time following their departure from the school. This is mainly for legal reasons, but may also be for other reasons such as providing references. The attention of all parents / carers is particular drawn to the fact that their child s school file will be passed from the primary to secondary sector on transition at the end of Year 6, and will similarly be passed to any other school that a student transfers to during their period of compulsory education. Different categories of data will be kept for different period of times. The Trust follows the guidelines issues by the Information Records and Management Society and a copy of the retention guidelines are contained at Annex Complaints and Feedback Complaints will be dealt with in accordance with the Trust s Complaints Policy, a copy of which is available on each School website. Should you remain dissatisfied, complaints relating to information handling may be referred to the Information Commissioner (the statutory regulator). If you have any enquires in relation to this policy, please contact the Headteacher for the individual school who will also act as the contact point for any subject access requests. 13. Review This policy will be reviewed as it is deemed appropriate, but no less frequently than every 3 years. Page 5

6 Approval / Revision History Post Multi Academy Trust revision history: Revision By date March 2015 Vyners School Facilities Committee March 2015 Ryefield LGB March 2015 VLT Board of Directors March 2018 VLT Board of Directors Summary of Changes Made First issue. First issue This document has been distributed to: Name Title Date of Issue Version Page 6

7 Annex 1 Procedures governing subject access requests Rights of access to information Individuals have rights to information held by schools which operate as part of the Vyners Learning Trust under two specific pieces of legislation: The Data Protection Act 1998 gives any individual the right to make a request to access the personal information held about them. The Freedom of Information Act gives any individual the right to ask for other information held by the individual school or Trust This procedure covers requests for personal information under the Data Protection Act only. A separate Trust policy covers requests for information under the Freedom of Information Act. Actioning a subject access request 1. Requests for information must be made in writing (which includes ) and be addressed to the individual Headteacher. If the initial request does not clearly identify the information required, then the school will ask for the request to be clarified. 2. The identity of the requestor will be established before the disclosure of any information, and checks may also be carried out regarding proof of relationship to the child. Where the individual requesting data is not otherwise known to the individual school, they may be asked to provide documentary evidence to support their right of access. 3. Any individual has the right of access to information held about them. However with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. Individual Headteachers reserve the right to discuss a request with a student and to take their views into account when making a decision. A student with competency to understand can refuse to consent to a request by their records. Where the student is not deemed to be competent to consent to a third party data request, an individual with parental responsibility or guardian will make the decision on their behalf. 4. The school may make a charge for the provision of information, dependant upon the following: Should the information requested contain the educational record then the amount charged will be dependent upon the number of pages provided. Should the information requested be personal information that does not include any information contained within educational records, the school reserves the right to charge up to 10 to provide it. If the information requested is only the educational record, viewing will be free, but a charge not exceeding the cost of copying the information can be made by the Headteacher. 5. The response time for subject access requests, once officially received, is 40 calendar days. However the 40 days will not commence until after receipt of fees or clarification of information sought Page 7

8 6. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure. 7. Third party information is that which has been provided by another body, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent will normally be obtained. In such cases, the individual school will continue to adhere to the 40 day statutory timescale. 8. Any information which may cause serious harm to the physical or mental health or emotional condition of the student or another will not be disclosed, nor will information that would reveal that the child is at risk of abuse, or information relating to court proceedings. 9. If there are concerns over the disclosure of information, then additional advice will be sought. 10. Where redaction (information blacked out/removed) has taken place then a full copy of the information provided will be retained in order to establish, if a complaint is made, what was redacted and why. 11. Information disclosed will be clear and any codes or technical terms will be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it may be retyped. 12. Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant will be taken into account when considering the method of delivery. If postal systems have to be used then registered/recorded mail will be used. Destruction of records The Trust does unfortunately not have the space to retain every record indefinitely. It follows the document retention guidelines recommended by the Information and Records Management Society ( a copy of which is available on request from the school. All records will be disposed of securely at the end of the designated retention period. Page 8

9 Annex 2 Fair Processing Notice PRIVACY NOTICE - Data Protection Act 1998 for Students enrolled at Vyners School Vyners Learning Trust is a data controller for the purposes of the Data Protection Act. The School collects personal information about students and may receive information about students from their previous school and the Learning Records Service. We hold this personal data to: Support student learning; Monitor and report on student progress; Provide appropriate pastoral care; Facilitate student participation in extra-curricular and enrichment activities; and Assess how well the school is doing. Information about students that we hold includes parental contact details, national curriculum assessment results, attendance information and personal characteristics such as ethnic group, any special educational needs students may have and relevant medical information. If students are enrolling for post 14 qualifications the Learning Records Service will give us their unique learner number (ULN) and may also give us details about their learning or qualifications. Once students are aged 13 or over, the School is required by law to pass on certain information to providers of youth support services in the area. This is the local authority support service for young people aged 13 to 19 in England. We must provide the names and addresses of students and their parent(s), and any further information relevant to the support services role. We may also share data with post 16 providers to secure appropriate support on entry to post 16 provision. Parent(s) can ask that no information beyond names, addresses and student date of birth be passed to the support service. This right transfers to the student on their 16th birthday. Please write to the Work Related Learning Coordinator (at the school address) if you wish to opt out of this arrangement. For more information about young people s services, please go to the National Careers Service page at Biometric consent The School collects and holds biometric information in connection with its cashless catering system. Specific parental consent is sought to hold and process this information. Use of Images Page 9

10 The School will periodically take photographs, videos and audio recordings of students engaged in learning and extra curricular activities. These images and data files may be used for marketing purposes (such as the school website, prospectus, and used around the school site) and are also shared with other students within the school. These images and recording are stored securely on the school servers, but may also be posted publically via the school s YouTube, Facebook and Twitter accounts. Explicit consent is sought from all parents on joining the school for the taking and use of such images of their child. Data sharing with third parties We will not give information about students to anyone without consent unless the law and our policies allow us to. Please note that the School is required by law to pass some information about students to the Department for Education (DfE) and, in turn, this will be available for the use of the LA. If you want to receive a copy of the information that we hold or share, please contact Miss K Williams, Business Manager. If you need more information about how the LA and DfE store and use student information, then please go to the following websites: or If you cannot access these websites, please contact the LA or DfE as follows: The Data Protection Officer, Legal Services (3E/04), London Borough of Hillingdon, Civic Centre, High Street, Uxbridge, UB8 1UW. Public Communications Unit Department for Education Sanctuary Buildings Great Smith Street London SW1P 3BT Website: education Telephone: Page 10