The Independent Grammar School: Durham
DATA PROTECTION POLICY
IGS: Durham is responsible for ensuring that all records are maintained in accordance with the law as it applies to education in general and to personal information specifically. The legislation covering this area is contained within the Data Protection Acts of 1984 and 1998.
What this Involves
The school will obtain and process personal data fairly and lawfully by making all data subjects aware of why information about them is being held, who might access that information and the data subjects’ rights in terms of access. Where any form is used to gather information of any kind, other than in trivial cases, this information will be printed there.
Some useful definitions are:
· Processing means obtaining, recording or holding information or using the information for any reason
· Data subject is the person who is the subject of the information being obtained, recorded etc.
· Personal data means any information relating to a living person who can be identified. This includes names and addresses and may also include photographs (see Photography Policy)
· Parent is any person having parental responsibility for a child, as set out in the Education Act (1996).
Obtaining and Keeping Reliable Data
We aim to do this by ensuring the following:
We will maintain data which is as up to date and as accurate as possible. If a data subject lets us know of any changes to his or her personal information, we will make the change immediately (or as soon as is reasonably practicable given the importance of doing so). Every data subject will receive a print of their personal data sheet every two years so it can be verified. Should a data subject for any reason challenge the accuracy of data shown, and we cannot amend it straightaway, it will be marked “challenged” until the matter is resolved. Ultimately the School Board might have to be called upon to resolve the issue.
Length of Time
Data should not be kept longer than is necessary. The school will make sensible judgements, based on the relevant published guidelines, as to how long data may be retained. The responsible person (the Executive Principal) will ensure that no data is retained for longer than necessary. In all cases, time-elapsed data must be securely shredded (i.e. shredded on site).
All data subjects may have access to data held about them. Given the sensitive nature of this area, a formal process for making requests for information is essential. The school policy is that requests from pupils will be received on the same basis as any other request but, apart from in the case of a pupil aged 16 and above, will be referred to parents
Requests made by parents for information on their own child(ren) will be processed as if the parent were the data subject and a copy of the information will be sent in a sealed envelope to the parent(s).
Subject Access Requests
A request for Data Subject Access should be made to the Executive Principal in writing. All such requests should be recorded in a log book and should record the date, name and address of person making the request, name of data subject, type of information required, and the planned date of supplying the information (normally within 40 days of the request but in the case of a parent requesting information about a pupil the period is 15 days). In practice we will try to respond much more quickly than that.
The school will normally only give out information about a person having first obtained his or her consent. There are however certain circumstances in which information might be disclosed without such consent. These circumstances are strictly limited to the following:
· Pupil data which is necessary in allowing a school to perform its legal duties
· Pupil data disclosed to authorised recipients in relation to a child’s health and safety
· Pupil data disclosed to parents in respect of a child’s progress at school etc.
· Staff data released to relevant authorities e.g. in respect of payroll
· Unavoidable disclosures, e.g. external IT staff working on the school computer system. Such staff are required to sign a document promising not to disclose such data outside school.
Only authorised and trained staff may disclose personal data to external bodies. No data may be released by any other member of staff apart from when it is clear than the request is from someone legitimately working within the school who needs to know the information in order to fulfil their responsibilities.
No person other than a member of the School Board or teaching staff or an authorised member of the administration or support teams may use the staff room. All staff are responsible for keeping any information displayed on notice boards in staff rooms absolutely confidential. In particular, under no circumstances must anyone outside the above categories, e.g. a parent or other visitor, be allowed to enter the staff room.
The school will never disclose anything to anyone which might be reasonably thought to give rise to risk to a pupil’s health, welfare or safety. This includes anything which might suggest that he or she is, or has been, either the subject of, or at risk from, child abuse.
All sensible security measures will be implanted to protect data held in school. Filing cabinets and offices where data is held are locked at night. All visitors to school are required to sign in, wear a visitor sticker and where appropriate be accompanied at all times. A password protocol is in place in respect of electronic files and only a very small number of authorised users are allowed access. Regular back-up is implemented.
All staff will receive training in Data Protection as part of the programme of training held before the beginning of every school year.
Responsibility for legal compliance with Data Protection legislation lies with the Executive Principal. All staff, however, have responsibility for ensuring that procedures are followed. Staff should not hesitate to refer any questions or uncertainties in this area to the Executive Principal.
This policy should be read in conjunction with the Child Protection (Safeguarding) Policy, the Photography Policy and other relevant Policies.