Data Protection Policy

Transcription

1 Data Protection Policy Effective Nov 2014

2 Contents 1. Aim & Scope page 3 2. Purpose page 3 3. Key Definitions page 3 4. Data Protection Principles page 3 5. General Statement page 4 6. Data Security page 5 7. Responsibilities of Staff page 5 8. Data Subjects Rights page 5 9. Publication of Schools Exam Results page Disclosing Personal Data page Subject Access Requests page Complaints page Contacts page 8 APPENDIX A - Privacy Notice page 9 APPENDIX B - Procedure for responding to a Subject Access Request page 11 Policy Review Form page 13 Page 2

3 Aim In adopting this policy the aim is to: ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998 (the Act ), and other related legislation; inform staff and others involved in the collection, processing and disclosure of personal data so that they are aware of their duties and responsibilities. Scope This policy applies to all governors and staff of Summerlea Community Primary School, any person who is required to control or process data on behalf of the school and to parents, pupils and others providing person their data. This policy should be read in conjunction with West Sussex County Council s Data Protection Policy. Purpose Summerlea CP School collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations. Schools have a duty to be registered, as Data Controllers, with the Information Commissioner s Office (ICO) detailing the information held and its use. These details are then available on the ICO s website. Schools also have a duty to issue a Fair Processing Notice to all pupils/parents, this summarises the information held on pupils, why it is held and the other parties to whom it may be passed on. This policy is intended to provide a summary of the relevant legislation and to highlight the requirements when collecting, processing and disclosing personal data. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. Key Definitions The following are key definitions used in the Act: Data Controller: means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In this case, the School is the Data Controller. Data Processor: in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Data Subject: means an individual who is the subject of personal data. Personal Data: is defined as data which relates to a living individual who can be identified from that data or other information held. Processing: in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. Sensitive Personal Data: includes information such as: (a) the racial or ethnic origin of the data subject, Page 3

4 (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. Data Protection Principles The Data Protection Act 1998 establishes eight enforceable principles that must be adhered to at all times: 1. Personal data shall be processed fairly and lawfully. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary. 6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act Personal data shall be kept secure: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction or damage to personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. General Statement on Data Protection in School The school is committed to maintaining the above principles at all times. Therefore the school will: Inform individuals why the information is being collected when it is collected. Inform individuals when their information is shared, and why and with whom it was shared. Check the quality and the accuracy of the information it holds. Ensure that information is not retained for longer than is necessary. Ensure that when obsolete information is destroyed that it is done so appropriately and securely. Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded. Share information with others only when it is legally appropriate to do so. Set out procedures to ensure compliance with the duty to respond to requests for access to personal Page 4

5 information, known as Subject Access Requests. Ensure our staff are aware of and understand our policies and procedures. Data Security All staff are responsible for ensuring that: Any personal data that they hold is kept securely. Personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. Personal information should: Be kept in a locked filing cabinet, drawer, or safe; or If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up; and If a copy is kept on a USB, disc or other removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe. Responsibilities of Staff All staff are responsible for: Checking that any information that they provide to the School in connection with their employment is accurate and up to date. Informing the School of any changes to information that they have provided, e.g. change of address, either at the time of appointment or subsequently. The school cannot be held responsible for any errors unless the staff member has informed the school of such changes. If and when, as part of their responsibilities, staff collect information about other people (e.g. about a student s course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff set out in this policy and the Schools Data Protection Code of Practice. Data Subject s Rights Right to know Data subjects have the right to know what data is held about them, who is collecting it, for what purpose it is collected and who will see it. Summerlea CP School shall provide this information when collecting personal data. Right of access to personal data See relevant section below. Right to prevent processing causing damage or distress Subject to certain exemptions, data subjects have the right to serve a notice on data controllers requiring them to stop processing personal data in a way which is likely to cause substantial unwarranted damage or distress to that data subject or another. Page 5

6 Right to correct inaccurate data Data subjects may also apply for a court order to require the data controller to rectify, block, erase or destroy inaccurate data about the data subject. Publication of Exam Results Publishing examination results is a common and accepted practice. However, schools do have to act fairly when publishing results. Summerlea CP School will let all pupils and parents know that results are intended to be published and how they will be published. Pupils have a right to assert their Human Right to Privacy and to object. Any objections must be taken seriously. Schools do not have to gain the written consent of pupils and parents before publishing exam results. Disclosing Personal Data General Principles Summerlea CP School will always check each page of a file before a disclosure of personal data to ensure that there is no information about another person in it. If there is information about another person in it, we will edit that information to ensure that person s anonymity. If this is not possible because the information is inextricably linked then the Act, in section 7(4) and 7(6), directs us to seek consents or disclose if it is reasonable in all the circumstances to do so. We will not share personal data with anyone other than the data subject without consent of the data subject unless one of the conditions in Schedule 2 of the Data Protection Act is satisfied. We will not share sensitive personal data with anyone other than the data subject without consent of the data subject unless one condition in Schedule 2 and one condition in Schedule 3 of the Data Protection Act are present. We will take greater care when processing sensitive personal data. We will keep a record of disclosures. Requests from police/fraud office Section 29(3) of the Act allows disclosure of personal data to the police where it is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or similar. The police should be able to show that if the school does not disclose the information, the above purposes would be prejudiced. The police should make the request in writing on headed paper and the school should check that the individual making the request is indeed from the police/ fraud office. The sort of information the police usually require is the current address of a child s parents. Court orders for disclosure The school will refer such requests, which may come from the police, the Crown Prosecution Service or the defence to a court case, to the Legal Services Unit at West Sussex County Council. Education agencies Please refer to the Privacy Notice Appendix A. Page 6

7 Other third parties The general rule is that personal data should not be disclosed to these third parties unless the school has the consent of the data subject or their parent. Subject Access Requests Requests for personal data by Pupil/Parent What rights exist for access to a pupil s personal information? There are two distinct rights to information held by schools about pupils. 1. The subject access right under the Act a pupil has the right to a copy of their own information. In certain circumstances requests may be made by a parent on behalf of their child. 2. Rights to the educational record under the Education (Pupil Information) (England) Regulations 2005, (the Regulations), a parent has the right to access their child s educational record. Under the subject access right parents will only be able to see all the information about their child when the child is unable to act on their own behalf or gives their written consent. At what age can a child make their own subject access request? The Act does not specify an age at which a child can make their own request for access to their information. When a request is received from a child for access to their own information, those responsible for responding should take into account whether: the child wants their parent (or someone with parental responsibility for them) to be involved in the request; and the child properly understands what is involved in making the request and the type of information they will receive. As a general guide, a child of 12 or older is expected to be mature enough to understand the request they are making. Can any other information be withheld? Information about another person (including a parent) should not be disclosed without consent of that person. Information about the data subject where: information might cause serious harm to the physical or mental health of the pupil or another individual; the disclosure would reveal a child is at risk of abuse; information contained in adoption and parental order records information given to a court in proceedings under the Magistrates Courts (Children and Young persons) Rules 1992; copies of examination scripts providing examination marks before they are officially announced legal advice which is protected by legal professional privilege. What are the timescales for dealing with requests? Requests for information from pupils, or parents, for information that contains, wholly or partly, an educational record must receive a response within 15 school days. Unless a parent simply asks to see the official educational record under the Regulations, schools and authorities are entitled to receive any fee first. The school is entitled to ask for a fee of 10 on each occasion that access is requested, although the school does have the discretion to waive this. Page 7

8 Most requests for information are likely to ask for at least some information in the educational record. However, should a subject access request be made just for personal information outside the educational record, a response must be made promptly and at most within 40 calendar days. However, the 40 days does not begin until after the fee and any further information required is received. Further information regarding the process of making a Subject Access Request is in Appendix B. Complaints Complaints will be dealt with in accordance with the school s complaints policy. Complaints relating to information handling may be referred to the Information Commissioner (the statutory regulator). Contact Information If you have any enquires in relation to this policy, please contact the Head Teacher who will also act as the contact point for any subject access requests. Further advice and information is available from the Information Commissioner s Office, or telephone: Page 8

9 APPENDIX A Privacy Notice The Local Authority (LA) uses information about children for whom it provides services. This enables it to carry out specific functions for which it is responsible, such as the assessment of any special educational needs the child may have. It also uses the information to derive statistics to inform decisions on, for example, the funding of schools, and to assess the performance of schools and set targets for them. The statistics are used in such a way that individual children cannot be identified from them. The LA will use information about its school workforce for research and statistical purposes, and to evaluate and develop education policy and strategies. The statistics are used in such a way that individual staff cannot be identified from them. The LA may also use it to support and monitor schools regarding sickness and recruitment of staff. Primary Care Trusts (PCTs) use information about pupils for research and statistical purposes, to monitor the performance of local health services and to evaluate and develop them. The statistics are used in such a way that individual pupils cannot be identified from them. Information on the height and weight of individual pupils may, however, be provided to the child and its parents. This will require the PCTs to maintain details of pupils names for this purpose for a period designated by the Department of Health, following the weighing and measuring process. PCTs may also provide individual schools and LAs with aggregate information on pupils height and weight. Summerlea CP School is a data controller for the purposes of the Data Protection Act. We collect information from pupils and may receive information about them from their previous school and the Learning Records Service. We hold this personal data and use it to: Support teaching and learning; Monitor and report pupils progress; Provide appropriate pastoral care, and Assess how well the school is doing. This information includes contact details, national curriculum assessment results, attendance information and personal characteristics such as ethnic group, any special educational needs and relevant medical information. We will not give information about pupils to anyone outside the school without consent unless the law and our rules allow us to. We are required by law to pass some information about pupils to the Local Authority and the Department for Education (DfE). Personal data is held by the school/local Authority about those employed or otherwise engaged to work at the school. This is to assist in the smooth running of the school and/or enable individuals to be paid. The collection of this information will benefit both national and local users by: Improving the management of school workforce data across the sector; Enabling a comprehensive picture of the workforce and how it is deployed to be built up; Informing the development of recruitment and retention policies; Allowing better financial modeling and planning; Enabling ethnicity and disability monitoring; and Page 9

10 Supporting the work of the School Teacher Review Body and the School Support Staff Negotiating Body. This personal data includes some or all of the following - identifiers such as name and National Insurance Number and characteristics such as ethnic group; employment contract and remuneration details, qualifications and absence information. We will not give information about those employed or otherwise engaged to work at the school to anyone outside the school or Local Authority (LA) without their consent unless the law and our rules allow us to. We are required by law to pass on some of this data to the Local Authority and the Department for Education (DfE). Page 10

11 APPENDIX B Procedure for responding to Subject Access Requests made under the Data Protection Act 1998 Rights of access to information There are two distinct rights of access to information held by schools about pupils. 1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them. 2. The right of those entitled to have access to curricular and educational records as defined within the Education Pupil Information (Wales) Regulations These procedures relate to subject access requests made under the Data Protection Act Actioning a subject access request 1. Requests for information must be made in writing; which includes , and be addressed to the Headteacher. If the initial request does not clearly identify the information required, then further enquiries will be made. 2. The identity of the requestor must be established before the disclosure of any information, and checks should also be carried out regarding proof of relationship to the child if considered necessary because there is any doubt over the requestor's identity. Evidence of identity can be established by requesting production of: passport driving licence utility bills with the current address Birth / Marriage certificate P45/P60 Credit Card or Mortgage statement (This list is not exhaustive.) 3. Any individual has the right of access to information held about them. However with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Headteacher should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent an individual with parental responsibility or guardian shall make the decision on behalf of the child. 4. The school may make a charge for the provision of information, dependent upon the following: Should the information requested contain the educational record then the amount charged will be dependent upon the number of pages provided. Should the information requested be personal information that does not include any information contained within educational records schools can charge up to 10 to provide it. If the information requested is only the educational record viewing will be free, but a charge not exceeding the cost of copying the information can be made by the Headteacher. Page 11

12 5. The response time for subject access requests, once officially received, is 40 days (not working or school days but calendar days, irrespective of school holiday periods). However the 40 days will not commence until after receipt of fees or clarification of information sought 6. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure. 7. Third party information is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale. 8. Any information which may cause serious harm to the physical or mental health or emotional condition of the pupil or another should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings. 9. If there are concerns over the disclosure of information then additional advice should be sought. 10. Where redaction (information blacked out/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why. 11. Information disclosed should be clear, thus any codes, acronyms or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped. 12. Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used then registered/recorded mail must be used. Page 12

13 Policy Review Form Please complete this section when reviewing and updating this document. Author Name Date Simon Trahern October 2012 Reviews Name Review Period (to be carried out every 2 years) Kerry Dolan Emma Green October 2012 November 2014 Information Source Name Date Information Commissioner s Office ( November 2014 Change Control Sections Amended Author Date All sections re-formatted into new policy template Emma Green November 2014 Privacy Notice moved to Appendix Aim & Scope added Key Definitions added Data Security added Responsibilities of Staff added Page 13