Thamesmead School Data Protection Policy Introduction
Thamesmead School is committed to data protection and supports the data protection rights of all those with whom it works, including, but not limited to staff, students, governors and visitors. Our Data Protection Policy sets out the accountability and responsibilities of the school, its staff and its students to comply fully with the provisions of the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.
The School has appointed a Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR. Information can be obtained from the DPO who can be contacted via firstname.lastname@example.org.
Purpose of Policy
The Data Protection Policy sets out the responsibilities of the School, its staff and its students to comply with the provisions of the GDPR. The policy forms the framework for which everybody processing personal data should follow to ensure compliance with the data protections legislation.
The Data Protection Policy applies to all staff and students in all cases where the School is the data controller or the School is a processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.
Status of Policy
This policy does not form part of the formal contract between the School and staff or students, but compliance with it is a condition of employment and expectations of students to abide by the Schools rules and policies.
Responsibilities under the policy
The School is the data controller and has the responsibility to implement and comply with data protection legislation. In determining the purposes for which, and the manner in which, personal data is processed, the School must adhere to the Data Protection Principles as set out in the legislation. Details of the principles and main requirements for compliance can be found in the Data Protection Policy.
All users of personal data with the School must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently or intentionally.
The School provides data subjects with a “Privacy Notice” to let them know how and for what purpose their personal data is processed.
Responsibilities of Data users
The Headteacher, Senior Leadership Team, Heads of Department, Managers of Administrative and Support Services have a responsibility to ensure compliance with the Data Protection Policy, and to develop and encourage good information handling practices within their areas of responsibility. All data users of personal data within the School have a responsibility to ensure that they process the data in accordance with Principles and the other conditions set down in the legislation. The policy provides detailed guidance to assist with fulfilling these obligations.
Data Subject Rights
The GDPR contains data subject rights the School must comply with – the rights to information, subject access, to rectification, to object, to erasure, to portability, to restrict processing and in relation to automated decision-making and profiling. These rights can be restricted for personal data used in research.
Subject Access Requests and the right to data portability
Individuals have the right to request to see or receive copies of any information the School holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format so it can be forwarded to another data controller. The School will respond to these requests within one calendar month. It is a personal criminal offence to delete relevant personal data after a subject access requests has been received.
Subject access requests should be submitted in writing, either using the attached Subject Access Request (SAR), by letter or email to the DPO.
Those not completed using the form should include:
- Name of Individual
- Relationship to the school
- Correspondence address
- Contact number and email address
- Details of the information requested
Right to erasure, to restrict processing, to rectification and to object
In certain circumstance data subjects have the right to have their data erased. This only applies
- Where the data is no longer required for the purposes for which it was originally collected
- Where the data subject withdraws consent or
- Where data is being processed unlawfully
In some circumstance, data subjects may not wish to have their data erased but rather have any further processing restricted.
If personal data is inaccurate, data subjects have the right to require the School to rectify inaccuracies. In some circumstances, if personal data is incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.
Rights in relation to automated decision making and profiling
In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the DPO immediately.
Data Protection Breaches
Thamesmead School is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The School makes every effort to avoid data protection incidents, however, it is possible that mistakes will occur on occasions. Examples, of personal data incidents might occur through, but not limited to:
- Loss or theft of data or equipment on which data is stored
- Equipment failure
- Unauthorised disclosure (e.g. email sent to incorrect recipient)
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
Any data protection incident must be brought to the attention of the School’s DPO who will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, the School is required to notify the Information Commissioner’s Office (ICO) as soon as possible, and not later the 72 hours after becoming aware of the breach.
When reporting a breach, you will be required to provide information about the nature of the breach i.e. what happened, and whether any personal data was involved. Once the DPO has determined whether the incident constitutes an actual data protection breach, actions will be taken accordingly to help contain the incident and, where necessary, assist with notifying the affected subjects. The DPO will also, where required, notify the Headteacher, Business Manager and Governors and the Information Commissioner’s Office. A record will be kept of all data protection incidents and breaches including the actions taken to mitigate the breach.