Seven steps to …………… success with Data Protection

This is a brief guide, which supplements the detailed guidance available elsewhere. The guidance is relevant to any situation where information is held on a living individual.

Step One - Appoint a Data Controller

The school should choose one person who makes it their business to keep up-to-date on Data Protection issues. The Data Controller would be expected to attend training, to make sure procedures are followed, and to know where to go for detailed advice. The role would not be limited to the administrative network, but relates to all data held within the school, including the curriculum network. The Data Controller need not be the headteacher, but should be someone with the delegated authority to act on issues in respect of information security.

For example, see http://www.surreycc.gov.uk/sccwebsite/sccwspages.nsf/LookupWebPagesByTITLE_RTF/Access+to+pupil's+records?opendocument for guidance on pupil records and access to them, or http://www.informationcommissioner.gov.uk/ for general advice to Data Controllers on Data Protection. The Wandsworth School Financial Guidelines also contain detailed advice on Data Protection. Local advice can be sought from Gary Hipple at .

Step Two - Make sure that you have notified the Commissioner

Schools must have notified the Data Protection Commissioner that they handle data. This can be done as part of the service offered by the Wandsworth ICT Trading Account, or can be done simply and quickly at http://forms.informationcommissioner.gov.uk/cgi-bin/dprproc?page=7.html. It would be wise at this time to collect information as to what data is held within the school.

Step Three - Collect your data properly

It is good practice to let anyone who is giving you information about themselves (e.g. parents making applications) know that you abide by the Data Protection Act. A suitable form of words might be: “All information that you supply will be treated in the strictest confidence. It will be subject to the conditions of the Data Protection Act”. You can also use the “padlock” logo from the Data Protection Commissioner to indicate your compliance with the Act. It can be found at http://www.informationcommissioner.gov.uk/eventual.aspx?pg=SR&cID=234 and copied by using a right mouse click and “save picture as”. You might also ask people supplying information to sign to the effect that “I give consent to the school to use this data within the boundaries of the Data Protection Act”.

The data they give you will be treated with the same care if it is passed to the Education Department (which is perfectly permissible within the Act). You may already be aware that if parents apply to the Council for certain benefits (e.g. Housing Benefit) they give the Council permission to use other information it already holds in order to prevent fraud. This would include data that you have collected.

You also need to be aware that people have the right to see all data that you hold about them. This applies to pupils, to parents, and to staff, to paper records and to computer files, to hand-written notes and to correspondence. There are exceptions, for instance

·  material whose disclosure would be likely to cause serious harm to the physical or mental health or emotional condition of the pupil or someone else

·  material concerning actual or suspected child abuse

·  references supplied to potential employers of the pupil, any national body concerned with student admissions, another school, an institution of further or higher education, or any other place of education and training

·  reports by a school to a juvenile court.

Step Four - Keep your data safe

Back-up copies of data on computers must be made regularly. Detailed guidance is available in the School Financial Guidelines. The key thing to remember is that you are guarding your data against disasters such as fire or theft, so the back-up tapes have to be kept in a safe or taken off-site.

Computer users should make sure that other people can’t easily see data on screen, so screens should be placed out of the line of sight of visitors. Screen savers with a short activation time should be used, preferably with a password to unlock them.

Access to data should be regulated systematically, with permissions only given to those who need to use that data. Some people will only need permission to view the data, others will need to be able to change it as well.

Anti-virus software isn’t a once-in-a-lifetime purchase: new viruses appear all the time, so the software needs to be regularly updated.

Data held on paper, including academic records, should be stored in locked filing cabinets.

Step Five - Dispose of data correctly

The most recent advice on how to handle academic records is at http://publications.teachernet.gov.uk/eorderingdownload/FOIRecord.doc. Wandsworth guidance on retention of records is that financial records should be kept for 7 years and other records for 5 years. Academic records of pupils for whom no destination school is known should therefore be kept for 5 years.

Paper records relating to living individuals should be shredded when they are no longer needed.

It is good practice to keep a record or register of what has been done with outdated records.

Step Six - Make sure your e-mails are safe

Computer viruses are easily introduced via e-mail. Caution should be exercised when you get e-mails from an unknown source with an apparently irrelevant subject heading.

Security can be increased by a policy that restricts staff to use of the Internet and e-mail for school business only. The decision as to the introduction of such a policy is a matter for the school. As a minimum staff should be expected to abide by rules concerning offensive or abusive material in e-mails, not to download unlicensed software, and to use the Internet for private purposes in such a way as not to interfere with their work.

Step Seven - Write a policy

Your policy on Data Protection, or more grandly on Information Security Management, can be written quite simply as an account of school procedures following the first six steps. The policy should be approved by Governors. There is a template for the policy attached as Appendix 1.

Dick Cooper

January 2002. Revised March 2004

Appendix 1

Data Protection Policy/Information Security Management Policy template

Highlighted sections need to be made relevant to the individual school.

All staff of XXXXXXXXXXXXX school recognise the importance of following the principles of the Data Protection Act 1998 and of making sure that information is securely and appropriately managed.

The Eight Data Protection Principles

The principles state that data must be:

·  Obtained and processed fairly and lawfully

·  Processed for limited purposes

·  Adequate, relevant and not excessive

·  Accurate

·  Not kept longer than necessary

·  Processed in accordance with the Data Subject’s rights

·  Secure

·  Not transferred to countries which do not have similar protective legislation

The Data Controller

The key person at XXXXXXXXXXXXXXXX school is the Data Controller. That person is currently XXXXXXXXXXXXXXXXX (date). The Data Controller is required to undergo training as necessary, to make sure that the procedures in this policy are followed, and to provide detailed guidance where required.

The Data we hold

We are registered with the Data Protection Commissioner. The data we hold is as follows:

How held      | What type of system        | Where stored
Manual        | Pupils' academic records   | School office
Manual        | Class lists                | School office
Manual        | Staff personnel files      | Head’s office
Computerised  | SIMS – STAR module         | Admin computer network
Computerised  | SIMS – Attendance module   | Admin computer network
Computerised  | SIMS – Personnel module    | Admin computer network
Etc.
Etc.
Etc.

The data is used by authorised members of school staff to support the legitimate interests of the school, i.e. the provision of education. Relevant parts of the data may be disclosed legitimately to authorised personnel within the school, to Wandsworth LEA, to Health advisers, Social workers and other relevant agencies, to prospective employers and to the data subjects themselves.

Data processing is done internally by authorised school staff and externally by LEA officers.

Data collection

We follow the principles of the Data Protection Act in collecting only relevant and necessary information. Our forms include the following wording: “All information that you supply will be treated in the strictest confidence. It will be subject to the conditions of the Data Protection Act”, and those giving information are asked to sign to signify agreement to “I give consent to the school to use this data within the boundaries of the Data Protection Act”.

We are aware of individuals’ rights to see what data we hold whether manually or on computer, with the following exceptions:

·  material whose disclosure would be likely to cause serious harm to the physical or mental health or emotional condition of the pupil or someone else

·  material concerning actual or suspected child abuse

·  references supplied to potential employers of the pupil, any national body concerned with student admissions, another school, an institution of further or higher education, or any other place of education and training

·  reports by a school to a juvenile court.

We send home a copy of the basic data held in SIMS (name, address, contact details, emergency contacts etc) each year to ensure accuracy. Parents can also access this data on the Internet via the SIMS Parents’ Gateway.

Under the Data Protection Act 1998 all pupils are entitled to have their educational records disclosed to them, free of charge, within 15 school days of making a written request. Where a young pupil seeks access to his or her records we will try to establish whether the pupil understands the nature of the request. If we form the view that the pupil does not understand owing to youth or immaturity then the request need not be complied with. A record is kept of all requests and decisions.

Under the Education (Pupil Information) (England) Regulations 2000 parents are entitled to have their child's educational records disclosed to them, free of charge, within 15 school days of making a written request. A parent will be supplied with a copy of their child's educational record at no greater cost than that of supplying it.

Data storage

Electronic data is stored on the Administration computer network and on the curriculum network. These are password protected and access rights are restricted to authorised personnel. The data is ‘backed up’ every night onto tape and these tapes are kept in a secure safe in the office. Computer screens are sited so that they are not easily seen by visitors to the office, and password-protected screen savers are used to increase security.

Anti-virus software is installed on the network and is updated every month.

Data held on paper is stored in the school office in locked filing cabinets.

Disposal of data

Records are destroyed when no longer relevant, paper formats by shredding, with the following constraints:

·  Records that are part of the financial records (e.g. dinner registers) of the school are kept for seven years;

·  Other records (e.g. attendance registers) are kept for five years;

·  When pupils change school the academic records are sent to the new school within 15 days of the pupil being taken off our school roll. If it is not known which school the child transfers to, records will be sent within 15 days of a request from a new school. Failing that, the record will be kept for 5 years. An entry is made in the school admission register showing where records have been sent.

A record is kept by the Data Controller of other data that has been destroyed.

Electronic transmission of data

XXXXXXXXXXXXXXXX school is moving towards electronic transmission as the main method of data transfer. The PLASC is transmitted electronically, teaching staff are increasingly using electronic means (SIMS assessment module) to record pupil assessments, and parents are encouraged to view the data we hold about their children via SIMS Parents’ Gateway.

E-mail will become an increasingly common method of communication. Staff are urged to delete unread e-mails from unknown sources and with irrelevant subject headings in order to minimise the risks of virus transmission. Pupil data is transferred to the LEA, when necessary, by secure file transfer.

Although staff are not restricted to the use of e-mail for school business only, it is expected that

·  Private use will not interfere with the performance of their normal duties

·  Staff will not include abusive or offensive materials in e-mails.

Review of this policy

This policy will be reviewed every two years. The next review will be on (date)

Approved by Governors’ XXXXXX Committee Date XXXXX
