The General Data Protection Regulation (GDPR) will come into effect on the 25th May 2018 and will cover all the countries in the EU and will be adopted by the UK. It is heavily based on the Data Protection Act 1998 but will lead to us as a school having to refine our approach to Data Protection, as it brings many enhancements to the rights of individuals in regards to their personal data. At its heart the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we will employ ‘Privacy by Design’ – thinking about how we use data in everything we do. There is also an emphasis on accountability which will inevitably mean that as a school we will have to increase the amount of documentation we use to record procedures and issues. As a school we have been developing our approach to ensuring that we are fully compliant with GDPR for the 25th May and the aim of this page is to outline our GDPR compliance and share resources to explain the implications of GDPR and what it means for schools.
The information Commissioners Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. If you click here you can visit the ICO's GDPR website to read in depth information about all aspects of GDPR.
We are currently developing our privacy notices on the use of pupil and staff data. In simple terms, we have a duty as a school to:
There are 6 key principles to the GDPR that the school is accountable for:
Key Protection Measures
The school has put a variety of measures in place to ensure that all personal data is protected. These include;
Storing all pupil and staff personal data with the school Management Information System that is password protected and access to data is strictly limited to a needs to know basis.
Data stored on the school Server is password protected and access rights for individual staff members is linked to their role within school. The retention of data on the server is governed by the Data Protection Policy and the retention schedule, which is enforced by the School Data Protection Officer.
All passwords are changed every 42 days across the school server, MIS and email system, whilst also having a criteria of things that must be included to make passwords robust.
No passwords are stored by automated means on any school equipment on or off site.
No portable USB sticks or hard drives are permitted within school and no personal data is removed off the school site.
A Virtual Private Network (VPN) is currently being established and will be made available to staff in March 2018 to ensure that school data remains stored within the school server.
All visitors and staff use a digital sign in system, which ensures that no personal information is visible to other visitors. Pupils are signed in by the admin staff.
There is a range of terminology that is used to refer to aspects of GDPR that schools must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
Data Controller-the holder and gatherer of data who decides what to do with it (the school).
Data processor-the person/organisation who does activities that the controller tells them to do with data and who is not a direct employee. An example would be RM Education who host the School Management Information System known as Integris which digitally stores all of the personal data about pupils, staff and parents or Parent Hub, which hosts the school communication system.
Data Subject-the person who data belongs to. It is important to note that under the new GDPR regulations children have more rights even though it is parents who give consent for the collection of certain types of data.
Subject Access Request-the request by a data subject for information about the personal data that a data controller holds. This must be made available in an accessible format within 40 days and 15 days if it is a request for a child’s education record.
Data-all recorded information in any format (sound, text, electronic files, photographs, videos, voice recordings) which includes statements and opinions.
Personal Data-any data that relates to an individual which can identify them or link to other information which would lead to identification.
Sensitive Personal Data-data that relates to aspects of personal life/preferences such as race, political opinions, religion, disability, sexuality, criminal offences etc.
Processing Data-obtaining, recording, sorting, converting, disclosing, analysing, storing, sharing or destroying data by any means.