Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone, Director of Digital Strategy A. Related Truro School Policies This policy is intended to ensure that personal data is dealt with correctly and securely, in accordance with the Data Protection Act 1998, and other related legislation. It should be read along with the following policies: Admissions Policy; Complaints Policy; E-Safety Policy; School Network and Internet Acceptable Use Policy; Mobile Devices Policy; B. Data Protection Introduction Truro School (including Truro School Prep, Truro School Enterprises, Truro School Foundation and Truro School Former Pupils Association) collects and processes personal data, including some sensitive personal data. This policy is intended to ensure that personal data is dealt with correctly and securely, in accordance with the Data Protection Act 1998, and other related legislation. It will apply to personal data regardless of the way it is collected, used, recorded, stored or destroyed, and irrespective of whether it is held in paper files or electronically. All staff involved with the collection, processing and disclosure of personal data will be made aware of their duties and responsibilities and will be required to adhere to these guidelines. C. Processing of personal data C1. Collection and processing of personal data Truro School collects and processes personal data for the following reasons: To enable us to provide education and training conducted outside the state system; To enable us to provide welfare and educational support services; To administer school property and library services; To maintain our own accounts and records; 1
For administration in connection with boarding; For administration in connection with rental of facilities, including the Sir Ben Ainslie Sports Centre and Burrell Theatre; For the organisation of alumni associations and events; For fundraising purposes; To support and manage our staff. Our processing also includes the use of CCTV to maintain the security of the premises and for preventing and investigating crime. In those locations where CCTV is used, we display clear signage to indicate this. Truro School is registered, as a Data Controller, with the Information Commissioner s Office. Details of the data that we hold and how data is used are available on the Data Protection Public Register at https://ico.org.uk/esdwebpages/search. A Fair Processing / Privacy Notice forms part of the Terms and Conditions and there is a Privacy Notice on our web pages; these notices summarise the data held, why it is held and the other parties to whom it may be passed. C2. Types/classes of data processed Truro School process data relevant to the above reasons/purposes. This may include: Personal details; Family details; Lifestyle and social circumstances; Financial details; Education and employment details; Disciplinary and attendance records; Vetting checks; Visual images, personal appearance and behavior; Details of goods and services provided. We also process sensitive personal data that may include: Physical or mental health details; Sexual life; Racial or ethnic origin; Religious or other beliefs; Trade union membership; Data relating to offences or alleged offences. C3. Who the data is processed about Truro School process personal data relating to: Employees; Pupils and students; Professional advisers and consultants; Governors and members of school boards; Sponsors and supporters; Services providers and suppliers; Members of the Sports Centre; Customers of Truro School Enterprises; Complainants, enquirers; 2
Individuals captured by CCTV images. C4. Who the data may be shared with We sometimes need to share the personal data we process with the individual and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act 1998. What follows is a description of the types of organisations with which we may need to share some of the personal data we process with for one or more reasons. Where necessary, or required, we share appropriate data with: Educators, carers and examining bodies; Staff, students, governors and school boards; Current, past and prospective employers; Family, associates and representatives of the person whose personal data we are processing; Central and local government; Healthcare professionals, social and welfare organisations; Police, courts, tribunals and security organisations; Voluntary and charitable bodies; The media; Financial organisations; Suppliers; Service providers; The Truro School Former Pupils Association; Professional advisers. C5. Transfers It may sometimes be necessary to transfer personal data overseas. Any transfers made will be in full compliance with the Data Protection Act 1998. Before pupils join Truro School we will request details of medical records and their discipline record and any special needs from their previous school. Additionally we seek cooperation of parents in providing such information in order that suitable plans can be made where necessary. When a pupil moves on to another establishment, we will always provide discipline records if requested. For misdemeanors that resulted in Safeguarding or Child Protection issues, or significant sanctions such as suspension or expulsion, we would always provide this information voluntarily to the appropriate staff or professional bodies, as appropriate. C6. What is Personal Data? Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other data which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. C7. What is Sensitive Personal Data? Sensitive personal data means personal data consisting of data as to - (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a 3
similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. C8. Data Protection Principles The Data Protection Act 1998 establishes eight enforceable principles that must be adhered to at all times: 1. Personal data shall be processed fairly and lawfully; 2. Personal data shall be obtained only for one or more specified and lawful purposes; 3. Personal data shall be adequate, relevant and not excessive; 4. Personal data shall be accurate and where necessary, kept up to date; 5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes; 6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; 7. Personal data shall be kept secure i.e. protected by an appropriate degree of security; 8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection. C9. Our Commitment as Data Controller A Data Controller is an organization which determines the purposes for which and the manner in which any personal data are, or are to be, processed. As a Data Controller, Truro School is committed to maintaining the above principles at all times. Therefore Truro School will: Inform individuals why data is being collected, when it is collected; Inform individuals when their data is shared, why and with whom it was shared; Check the quality and the accuracy of the data it holds; Ensure that data is not retained for longer than is necessary; Ensure that when obsolete data is destroyed, it is done so appropriately and securely; Ensure that clear and robust safeguards are in place to protect personal data from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded; Share data with others only when it is legally appropriate to do so; Set out procedures to ensure compliance with the duty to respond to requests for access to personal data, known as Subject Access Requests; Ensure our staff are aware of and understand our policies and procedures. C10. Staff Obligations Data protection is the responsibility of all members of staff. Staff must not disclose to a third party personal data associated with another member of staff, a pupil or a pupil s family. When sending emails, staff should ensure the anonymity of addressees by making use of the BCC (blind carbon copy) functionality when addressing emails to groups of recipients outside the school, such as groups of parents. Staff must ensure that when they obtain personal data from the school or from a parent or pupil in the course of their work, they do not retain copies of this personal data on their personal devices. 4
Printed materials containing personal data should be processed in accordance with the principles of the data protection act, including not putting printouts containing personal data into regular rubbish bins, recycling or reusing the paper for scrap. All such materials should be shredded before disposal. Staff must ensure that computing devices connected to school accounts are kept secure whilst in and out of school and report any loss of data, or loss of connected electronic equipment to the Network Manager, or Director of Digital Strategy immediately. Staff must not store personal data or commercially sensitive information on personal cloud folders, USB sticks or external hard drives. OneDrive folders associated with school email addresses are held on secure servers in Europe, in compliance with the Data Protection Act 1998. In this case, it is acceptable for staff to temporarily store digital copies of files containing limited personal data, such pupil names and pupil photographs, as mark books or lists, but these files should contain only necessary information and should be processed in accordance with the eight principles of the data protection act and the data must not be used for purposes other than educational administration. Sensitive personal data should not be stored by staff on cloud-based services, USB sticks or external hard drives. Selected sensitive personal data may be made available to parents through the school portal. Responsibility for what is shown on the Portal lies with the Deputy Headmaster. The Director of Digital Strategy is responsible for ensuring that appropriate security is maintained on the Portal. In exceptional circumstances, permission may be given by the Headmaster or Director of Digital Strategy for sensitive personal data to be stored on a portable device, for example for use by the Designated Safeguarding Lead (DSL). In this case, data will be stored in an encrypted form, will be password protected, the device will be for the exclusive use of the member of staff. Any loss of hardware or data will be immediately reported to the Network Manager or Director of Digital Strategy. Staff must not disclose personal data to third parties without authorisation from the Headmaster or Director of Digital Strategy. The processing of subject Access Requests is discussed below. C11. Complaints Complaints will be dealt with in accordance with the school s complaints policy. Complaints relating to data handling may be referred to the Information Commissioner (the statutory regulator). C12. Review This policy will be reviewed as it is deemed appropriate, but no less frequently than every 2 years. The policy review will be undertaken by the Headmaster, or nominated representative. C13. Contacts If you have any enquires in relation to this policy, please contact Andrew Gordon-Brown, Headmaster at Truro School, Trennick Lane, Truro, TR1 1TH, who will also act as the contact point for any subject access requests. Further advice and data is available from the Information Commissioner s Office, www.ico.org.uk or telephone their helpline on 0303 123 1113. 5
D. Processing of Subject Access Requests D1. Right of access to data This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be: told whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the information comprising the data; and given details of the source of the data (where this is available). An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). D2. Actioning a subject access request 1. Requests for data must be made in writing; which includes email, and be addressed to Andrew Gordon-Brown, Headmaster, Truro School, Trennick Lane, Truro, TR1 1TH. If the initial request does not clearly identify the data required, then further enquiries will be made. 2. The identity of the requestor must be established before the disclosure of any data, and checks should also be carried out regarding proof of relationship to a child. Evidence of identity can be established, for example, by requesting production of: Passport; Driving licence; Utility bills with the current address; Birth / Marriage certificate; P45/P60; Credit Card or Mortgage statement. 3. Any individual has the right of access to data held about them. However with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Headmaster should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent, an individual with parental responsibility or guardian shall make the decision on behalf of the child. 4. The school may make a charge for the provision of data, dependent upon the following: Should the data requested contain the educational record then the amount charged will be dependent upon the number of pages provided; Should the data requested be personal data that does not include any data contained within educational records, Truro School may charge up to 10; 6
If the data requested is only the educational record, viewing will be free, but a charge not exceeding the cost of copying the data may be made by the Headmaster. 5. The response time for subject access requests, once officially received, is 40 days (not working or school days but calendar days, irrespective of school holiday periods). However the 40 days will not commence until after receipt of fees or clarification of data sought. 6. The Data Protection Act 1998 allows exemptions as to the provision of some data; therefore all data will be reviewed prior to disclosure. 7. Third party data is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party data consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale. 8. Any data which may cause serious harm to the physical or mental health or emotional condition of the pupil or another should not be disclosed, nor should data that would reveal that the child is at risk of abuse, or data relating to court proceedings. 9. If there are concerns over the disclosure of data then additional advice should be sought. 10. Where redaction (data blacked out/removed) has taken place then a full copy of the data provided should be retained in order to establish, if a complaint is made, what was redacted and why. 11. Data disclosed should be clear, thus any codes or technical terms will be clarified and explained. If data contained within the disclosure is difficult to read or illegible, then it will be retyped. 12. Data can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at a face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used then registered / recorded mail will be used. D3. Complaints Complaints about the above procedures should be made to the Chairman of the Governing Body, who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school s complaint procedure. Complaints which are not appropriate to be dealt with through the school s complaint procedure can be dealt with by the Information Commissioner. Up-to-date contact details of both will be provided with the disclosure data. D4. Contacts If you have any queries or concerns regarding these policies / procedures then please contact Andrew Gordon-Brown, Headmaster, Truro School, Trennick Lane, Truro, TR1 1TH. Further advice and data can be obtained from the Information Commissioner s Office, www.ico.org.uk. 7
E. Appendix: further information and contacts Information Sharing: advice for practitioners providing safeguarding services, DfE, March 2015 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/419628/i nformation_sharing_advice_safeguarding_practitioners.pdf Data Protection Act 1998, the eight principles are found on the web site http://www.legislation.gov.uk/ukpga/1998/29/schedule/1 8