On 25 May 2018 the rules surrounding the way personal data is used changed. Roman Fields' aim is to ensure all personal data collected about staff, pupils, parents, Management Committee, visitors and other individuals is stored and processed in accordance with the General Data Protection Regulation (GDPR) and the provisions set out in the Data Protection Act 2018 (DPA 2018).
We know that complete GDPR compliance can only be achieved through a collaborative and transparent approach and we also want to ensure that this is comprehensive and complete.
We have been working on the following:
• Identification of a Data Protection Officer
• Data mapping and Data Asset Register
• Embedding data privacy into all our processes
• Information security risk
• Third party risk and our data partners
• Responding to data subject access requests (DSARs)
• Data Privacy Breach procedures
• Ongoing monitoring
GDPR Roll Out
a) We have rolled out new GDPR privacy notices (please click on the links below).
Privacy Notice for Staff
Privacy Notice for Parents and Carers
Privacy Notice for Young People
Privacy Notice for Management Committee
c) We will ensure that all processing of data done in school complies with GDPR
There are six lawful processing conditions:
• Compliance with a legal obligation
• Performance of a contract
• Legitimate interest
• Public interest
• Vital interest
Consent is changing to be more explicit and transparent, so at the point of data collection the individual will be informed by the relevant privacy notice how their data will be used and who it will be shared with.
Management Committee Structure and Data Protection Officer
Data privacy is discussed regularly at each Management Committee meeting and regularly reviewed by senior leaders within school.
Roman Fields' named Data Protection Practitioner (DPP) is Mandy Crow (School Business Manager) and the DPO is Matt Bullard (Data Protection Link Governor).
Mandy will lead in helping teams across the school embed data privacy into operations whilst also monitoring activity on an ongoing basis. Matt will oversee this work and act as an auditor and critical friend. There will be regular training for all staff to ensure a deeper level of understanding, allowing them to identify any risks and stop them from happening.
Data Mapping and Data Asset Register
We are completing our data mapping exercise and these documents will be continuously revised and revisited. Data mapping ensures we know what data we have, where it is held, how we access it, the classification of the data, records for transfer and flow charts to show how it moves between systems and processes.
A lot of information that already exists is held across a number of systems, so we have implemented a Data Asset Register, which will capture all data processing, aiding transparency and supporting the tight controls which are required to ensure compliance.
Embedding Data Privacy into the day-to-day life of the school – Training and Awareness
We have completed training with our staff during insets and staff meetings to ensure our team members do the right thing:
• We will ensure we know what we can do with data, and if unsure, we’ll ask
• We will be clear about how we’re going to use data
• We will ensure we protect the data we hold/process
• We will ensure compliance, both individually and as a team
We have also put up posters across the site to remind staff about compliance.
Information Security Risk
We have robust systems in place to manage our school network. This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), encryption of personal data and restricted access to personal data, protection of our physical premises and hard assets, and maintaining security measures for our staff.
Third Party Risk and our Data Partners
Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure.
Responding to data subject access requests (DSARs)
DSARs from parents in respect of their own son/daughter, where the young person does not have sufficient maturity to understand their rights, should be processed as requests made on behalf of the data subject (the young person), subject to any court orders which may be in place. Where the school considers the young person to be mature enough (usually over the age of 13) to understand their rights to request their data, following receipt of a request from a parent the school should ask the young person for their consent to disclose the personal data (subject to any enactment or guidance which permits the school to disclose the personal data to a parent without the young person’s consent). If consent is not given to disclose, the school should not disclose the personal data, as to do so would breach the data protection principles.
DSARs will be responded to within 30 days of receipt of the SAR form with proof of identity. There is normally no charge for DSARs.
We have a breach management plan in place which we will continue to review and enhance as required.
Should individuals become aware of a breach they must contact the DPP and DPO without undue delay. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours of becoming aware of the incident.
Internally we conduct audits and ad-hoc walk-throughs to make sure we are doing the right thing. An action plan is in place to ensure we continue to address any outstanding compliance requirements.
Please ensure that you copy in both emails so that one of us can deal with your enquiry expeditiously.
Author: Mandy Crow