Delph Primary School

Data Protection Policy

Introduction

Delph Primary School is committed to protecting the rights and privacy of individuals, including pupils, staff and others, in accordance with the Data Protection Act.

The school needs to process certain information about its staff, pupils and other individuals with whom it has a relationship for various purposes such as, but not limited to:

the recruitment and payment of staff

emergency contact details and medical information

attendance, special educational needs and ethnic group data

the monitoring and recording of pupil’s progress e.g. National Curriculum assessment results

collecting fees

complying with legal obligations to funding bodies and government statistics

From time to time we are required to pass on some of this data to the Local Education Authority, to another school to which the pupil is transferring or to the Department of Education. To comply with various legal obligations, including the obligations imposed on it by the Data Protection Act, 1998, Delph Primary School must ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

The Data Protection Act, 1998

The Data Protection Act 1998 is designed to protect the privacy of individuals and to ensure that personal data is processed fairly and lawfully. It protects personal data by setting terms and conditions that all staff must follow when processing details about any living individual, including children.

What is 'Personal Data'?

Personal data is anything that identifies a living person and includes:

a name and address, telephone number, personal email address

financial information

a national insurance number

a birth certificate

a passport

a driving licence

photographic / CCTV images

electronic records / manual files

sensitive details, such as religion, health records, or ethnic origin

What is 'Sensitive Personal Data'?

Sensitive personal data is identified separately in the Act because further conditions need to be applied before it can be used. Explicit consent from the person concerned is required before those details can be shared or passed to others in order to provide a particular service. Of course there are times when our 'duty of care' or legal duty requires us to inform others, perhaps for example, following an assessment of identified risks relating to a specific individual.

Rights of individuals provided by the Act

All individuals who are the subject of personal data have a general right of access to the personal data which relates to them. Individuals can exercise the right to gain access to their information by means of a ‘subject access request’.

Compliance

Compliance with the legislation is the personal responsibility of all members of the school who process personal information. Any breach of this policy, or of the Act itself will be considered an offence and the school’s disciplinary procedures will be invoked. As a matter of best practice, other agencies and individuals working with Delph Primary School, and who have access to personal information, will be expected to comply with this policy. Individuals who provide personal data to the school are responsible for ensuring that the information is accurate and up-to-date e.g. staff, parents and guardians.

Responsibilities under the DPA

Delph Primary School will be the ‘data controller’ under the terms of the legislation – this means it is ultimately responsible for controlling the use and processing of the personal data. The Headteacher will be responsible for all day-to-day data protection matters, and she will be responsible for ensuring that all members of staff and relevant individuals abide by this policy, and for developing and encouraging good information handling within the school.

The Head is also responsible for ensuring that the school’s notification is kept accurate. Details of the school’s notification can be found on the Office of the Information Commissioner’s website.

Data Protection Principles

The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles of the Data Protection Act. In order to comply with its obligations, Delph Primary School undertakes to:

  1. Process personal data fairly and lawfully

We will make all reasonable efforts to ensure that individuals who are the focus of the personal data (data subjects) are informed of the identity of the data controller; the purposes of the processing; any disclosures to third parties that are envisaged; given an indication of the period for which the data will be kept, and any other information which may be relevant.

  2. Process the data for the specific and lawful purpose for which it collected that data, and not further process the data in a manner incompatible with this purpose

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is being processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

School will undertake a regular review of the information held and implement a weeding process when, e.g. pupils or a member of staff leaves the school. Disposal of personal data will be done in a way that protects the rights and privacy of the individual concerned e.g. secure electronic deletion; shredding and disposal of hard copy files as confidential waste.

  6. Personal data shall be processed in accordance with the rights of the data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

All members of staff are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third parties. We will ensure that all personal data is accessible only to those who have a valid reason for using it.

School have in place appropriate security measures including:

  • ensuring that hard copy personal data is kept in lockable filing cabinets/ cupboards with controlled access
  • keeping all personal data in a lockable room with key-controlled access
  • password protecting personal data held electronically including encrypted hard drives and USB sticks
  • archiving personal data on disks / hard copy which are then kept securely (lockable cupboard/safe)
  • placing any PCs or terminals, that show personal data so that they are not visible except to authorised staff
  • ensuring that PC screens are not left unattended without a password protected screen-saver being used.
  • Hard drives of redundant PCs will be wiped clean before disposal, or, if that is not possible, destroyed physically. Records / certificates of disposal will be kept.

This policy also applies to staff and pupils who process personal data ‘off-site’, e.g. when working at home, and in such circumstances additional care must be taken regarding the security of the data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This also applies to publishing information on the Internet as transfer of data can include placing data on a website that can be accessed from outside the EEA. Delph Primary School will always seek the consent of parents before placing any photographs of children on its website.

Consent as a basis for processing

Although it is not always necessary to gain consent from individuals before processing their data, it is advisable, to ensure that data is collected and processed in an open and transparent manner. Consent is especially important when schools are processing any sensitive data, as defined by the legislation. Delph Primary School understands consent to mean that the individual has been fully informed of the intended processing and has signified their agreement (e.g. via signing a form). If the individual does not give his/ her consent for the processing, and there is no other lawful basis on which to process the data, then steps will be taken to ensure that processing of that data does not take place.

Applying to see personal data

Subject Access Request (SAR)

Individuals have a right to access any personal data relating to them which are held by the school/ Council. Any individual wishing to exercise this right must complete the relevant SAR form and return this to the Information Manager at Oldham Council, together with evidence of identification along with the £10 fee.

Disclosure of Data

Staff and pupils should exercise caution when asked to disclose personal data held on another individual or third party. Delph Primary School undertakes not to disclose personal data to unauthorised third parties, including family members, friends and government bodies. In no circumstances will Delph Primary School sell any of its databases to a third party.

Protecting Yourself

If as an employee of Oldham Council you do not wish to receive advertising literature through direct mailing, you also have the right to inform the data controller in writing, and to agree a reasonable time limit for this to cease. Staff can also ensure that their telephone number is no longer available to organisations, including charities and voluntary organisations who may telephone staff with offers and information they do not wish to receive. This can be done by contacting the company directly or you can register with a central register - the Telephone Preference Service. (This is a free service.)

Publication of school information

Staff records appertaining to individual staff will remain of a confidential nature between the Headteacher and the member of staff.

Email

Under the DPA and Freedom of Information legislation, the contents of email may have to be disclosed in response to a request for information.

Policy Review

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to the DPA and other relevant legislation.

Who to contact?

Oldham Council Data Protection Co-ordinator should be the first point of contact for any query.

Information Manager

Civic Centre
West Street
Oldham, OL1 1UG

Tel: 0161 770 4827

Fax: 0161 911 3701

For independent data protection and freedom of information advice please contact the Office of the Information Commissioners.

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Tel: 0162 554 5745

Fax: 0162 552 4510

Approved by: Governors Premise, H&S, Pastoral Committee

Date: 11th February 2015

Review Date: Spring Term 2018

Updated Feb 2015