The General Data Protection Regulation (GDPR) has come into effect on the 25th May 2018 and will cover all the countries in the EU and will be adopted by the UK. It is heavily based on the Data Protection Act 1998 but will lead to us as a school having to refine our approach to Data Protection, as it brings many enhancements to the rights of individuals in regards to their personal data. At its heart the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we will employ ‘Privacy by Design’ – thinking about how we use data in everything we do. There is also an emphasis on accountability which will inevitably mean that as a school we will have to increase the amount of documentation we use to record procedures and issues. As a school we have been developing our approach to ensuring that we are fully compliant with GDPR for the 25th May and the aim of this page is to outline our GDPR compliance and share resources to explain the implications of GDPR and what it means for schools.
The Information Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Discover what data we are holding, where it is stored, why we hold it, who it is shared with and what access is available to this data by who in the school organisation.
- Manage the data held and processed in school by robust policies and procedures that are clear and transparent.
- Protect all data held through appropriate systems.
- Report what is done with data and record how data is discovered, managed and protected.
There are 6 key principles to the GDPR that the school is accountable for:
- There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
- Data must only be used for the reason it is initially obtained.
- No more data than is necessary should be collected.
- Data has to be accurate and there must be mechanisms in place to keep it up to date.
- Data should not be retained for longer than is necessary.
- The protection of personal data must be upheld.
Key Protection Measures
The school has put a variety of measures in place to ensure that all personal data is protected. These include;
- Storing all pupil and staff personal data with the School Information Management System (SIMS) that is password protected and access to data is strictly limited to a needs to know basis.
- Data stored on the school Server is password protected and access rights for individual staff members is linked to their role within school. The retention of data on the server is governed by the Data Protection Policy, which is enforced by the School Data Protection Officer.
- All passwords are changed every 42 days across the school server, SIMS and email system, whilst also having a criteria of things that must be included to make passwords robust.
- No passwords are stored by automated means on any school equipment on or off site.
- No portable USB sticks or hard drives are permitted within school and no personal data is removed off the school site.
- All visitors and staff use a digital sign in system, which ensures that no personal information is visible to other visitors.
There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
- Data Controller – the holder and gatherer of data who decides what to do with it (the school).
- Data processor – the person/organisation who does activities that the controller tells them to do with data and who is not a direct employee. An example would be RM Education who host the School Management Information System known as Integris which digitally stores all of the personal data about pupils, staff and parents or Parent Hub, which hosts the school communication system.
- Data Subject-the person who data belongs to. It is important to note that under the new GDPR regulations children have more rights even though it is parents who give consent for the collection of certain types of data.
- Subject Access Request-the request by a data subject for information about the personal data that a data controller holds. This must be made available in an accessible format within 40 days and 15 days if it is a request for a child’s education record.
- Data-all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings) which includes statements and opinions.
- Personal Data-any data that relates to an individual which can identify them or link to other information which would lead to identification.
- Sensitive Personal Data-data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability, sexuality, criminal offences etc.
- Processing Data-obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.
As a school we have reviewed all of the data that we currently hold and produced a “Data Asset Register” which documents the type of data, the data processor, where the data is stored, the reason that the data is stored and any potential risks that must be considered when developing policies/procedures around data protection. Included in this process has been making contact with any data processors to ensure that they are all GDPR compliant. Below is a list of the data processors used by the school (individual links to each provider will be added once their GDPR compliance policies/statements are finalised, which will highlight them below as blue):
- Arbor school information management system
- Office Education 365 (Staff email system)
- Purple Mash (Digital learning tool that can be accessed within school and at home with individual logons from Y3-Y6 and class logons from YR-Y2.
- CPOMS (Child Protection Online Monitoring System that incidents are stored on)
- School Ping parental engagement system
- Parent Pay school payment system
As a school we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DFE) and Census obligations we request on admission a range of personal information that complies with our statutory duties on the emergency contact form. When changes to any of this data occurs and we are informed, this is updated as soon as possible within our Management Information System (MIS) RM Integris. For other types of data that we collect we seek consent though consent forms that provide parents with the opportunity to give or decline consent. Consent is only accepted if it is freely given and parents/cares are entitled to withdraw consent at anytime by contacting the School office, where the request will be put in place with immediate effect.