1.0 Policy statement
Beckfoot Trust is required to keep and process certain information about its staff and students in accordance with its legal obligations under the General Data Protection Regulation (UKGDPR).
This policy is in place to ensure the Trust Board and all Trust staff are aware of their responsibilities and it outlines how the Trust and Trust schools comply with the following core principles of the UKGDPR.
Organisational and technical methods for keeping data secure are imperative; therefore, Beckfoot Trust have implemented a Trust Privacy Compliance Framework – see Appendix 1.
2.0 Scope and purpose
2.1 Legal framework
This policy has due regard to legislation, including, but not limited to the following:
- The UK General Data Protection Regulation (UKGDPR)
- The Education (Student Information) (England) Regulations 2005 (as amended in 2016)
- The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004
- The School Standards and Framework Act 1998
This policy will also have regard to guidance produced by the Information Commissioner’s Office (ICO).
This policy will be implemented in conjunction with the following Trust policies and procedures:
- Trust CCTV Protocol
- Trust Online Safety, ICT and Social Media Policy (inc. Photography and Videos)
- Trust Child Protection and Safeguarding Policy
- Trust Records Management Protocol
- Trust Data Protection Impact Assessments (DPIA) Procedure
- Trust Data Breach Management Procedure
- Trust Data Subject Access Request Procedure
2.2 Controller and Processor
Beckfoot Trust and Trust schools are both a “Controller” and “Processor” of personal data. Beckfoot Trust are registered as a “Controller” with the Information Commissioner’s Office.
- A “Controller” determines the purpose and means of processing personal data.
- A data “Processor” processes personal data on behalf of the data controller.
2.3 Applicable data
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual e.g. employee, job applicant, student, parent/carer, volunteer, contractor, freelancer, board member, and LSC member. The UKGDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria:-
- Personal data includes information such as name, address, date of birth, National Insurance Number, email address (personal and business), chronologically ordered data and pseudonymised data e.g. Unique Pupil Numbers, Admission Numbers, Employee Numbers, key-coded data and online identifiers, e.g. IP addresses.
- Sensitive personal data is referred to in the UKGDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of racial or ethnic origin, political opinions, religious or philosophical beliefs, Trade Union membership, genetic data, biometric data, health, sex life and sexual orientation. In schools this could also be staff sickness absence, diversity monitoring, photos etc. There are strict rules surrounding the processing of special categories of personal data.
3.0 Overarching principles
In accordance with the requirements outlined in the UKGDPR, personal data must be:-
- Processed lawfully
- For a specific purpose
- Kept to a minimum
- Accurate and up-to-date
- Retained only for as long as it is needed
- Kept securely
The UKGDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”. Beckfoot Trust is both a Data Controller and a Data Processor.
4.0 Responsibilities and arrangements
4.1 Accountability
Beckfoot Trust, as a publicly funded organisation, has to appoint a Data Protection Officer (DPO); this is the Risk and Compliance Manager. Their duties will include:
- Informing and advising the Trust and staff about their obligations to comply with the UKGDPR and other data protection laws
- Monitoring the Trust and Trust school’s compliance with the UKGDPR and other laws, including managing internal data protection activities, advising on data protection impact assessments, conducting internal audits, and ensuring the Trust and Trust employees receive appropriate training and data protection awareness communications.
The DPO will update Beckfoot Trust Board on UKGDPR compliance. UKGDPR compliance will be overseen by the Audit and Risk Committee.
4.2 Lawful processing
The legal basis for processing data will be identified and documented prior to data being processed. Processing is the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation or use, disclosure, destruction or erasure of personal data.
Under the UKGDPR, data will be lawfully processed under the following conditions:
- Legal Obligation – The performance of a task for statutory/legal reasons
- Public Interest – The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Contractual Obligation – For the performance of a contract with the data subject or to take steps to enter into a contract e.g. Staff Contracts
- Vital Interest – Protecting the vital interests of a data subject or another person e.g. emergency medical situation
- Legitimate Interest – For the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (This condition is not available to processing undertaken by the school in the performance of its tasks).
- Consent – Where processing cannot be categorised under the above conditions, the consent of the data subject must be held or obtained e.g. sharing photographs, news stories and individual examination results
Special Categories of Data “Sensitive data” will only be processed under the following conditions:
- Explicit consent of the data subject
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the data subject
- Where special category personal data is processed, the Trust shall have both a legal basis from Article 6 for using that personal data and at least one of the exemptions from Article 9(2) shall apply.
Processing is necessary for:
- Carrying out obligations under employment, social security or social protection law, or a collective agreement.
- Protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.
- The establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
- Reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.
- The purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
- Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
- Archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
4.3 Consent
Consent must be:
- Freely given (a positive indication)
- Specific
- Informed
- An unambiguous indication of an individual’s wishes
- A form of firm confirmation or positive opt-in, such as ticking boxes on a webpage
- Easily able to be withdrawn
Consent cannot be obtained from the following:
- Silence
- Pre-ticked boxes
- Inactivity
Where consent is given, a record will be kept documenting how and when consent was given on student records and staff files or other storage mechanism. This information must be readily available for staff to check that consent has been obtained e.g. use of student photographs.
Beckfoot Trust and Trust schools must ensure that consent mechanisms meet the standards of the UKGDPR. Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease.
NOTE: Where processing is deemed to require “Consent”, Beckfoot Trust and Trust Schools are aware that this “Consent” can be withdrawn by the individual at any time. It is therefore extremely important that schools consider any processing activities whereby data is shared or processed and becomes outside the control of Beckfoot Trust and Trust schools. In these instances, specific “informed” consent will need to be obtained.
Where a child is under the age of 16 [or younger if the law provides it (up to the age of 13)], the consent of the parent/carer (person with legal responsibility/legal guardian) will be sought prior to the processing of their data, except where the processing is related to preventative or counselling services offered directly to a child.
4.4 The right to be informed/sharing personal data (privacy notices)
The UKGDPR requires us to inform individuals if we collect, process, or share personal information about them. We are also required to share personal information about our staff or students with other organisations, mainly with the local authority, other schools, and educational bodies, and potentially children’s services and various contracted school services and systems.
We will issue Privacy Notices as outlined below. Copies can also be obtained on school websites and upon request from the school.
Beckfoot Trust adopt the DfE Model Privacy Notices for schools as the basis of our Privacy Notices and wherever possible will ensure that the privacy notice is written in a clear, plain manner.
- Student Privacy Notices will be built into School Admission Forms which are signed by the parent/carer (person with legal responsibility/legal guardian) and the student where relevant upon entry to the school
- Staff Privacy Notices will be issued with the contract documentation
- Privacy Notices for “Other Individuals” will be issued where necessary e.g. Board Member, Contractors, Volunteers, Visitors etc. where we will be processing their personal data
4.5 The right of access
Individuals have the right to obtain confirmation that their data is being processed and the right to submit a data subject access request (DSAR) to gain access to their personal data in order to verify the lawfulness of the processing or obtain copies of their records for other purposes.
Trust staff should follow the Trust Data Subject Access Request Procedure. See Flowchart at Appendix 2.
The Trust SharePoint Data Protection and UKGDPR Page has guidance for individuals wishing to make a data subject access request.
Although individuals are entitled to submit a DSAR to any member of staff, requests should be made (if possible) to the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Responses to SARs shall normally be made within one calendar month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed. Any extension will be dependent upon the terms of the UKGDPR, the Data Protection Act (2018) and associated ICO guidance.
4.6 The right to rectification
Individuals are entitled to have any inaccurate or incomplete personal data rectified and can do this through a request to the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444). Upon receiving a request for rectification, the Trust or Trust school should take the following action immediately:-
- Check the validity of the request e.g. confirm identity of the person requesting the change
- If the request is valid, amend the information where possible and record the actions taken
- Where the personal data in question has been disclosed to third parties, the school will inform them of the rectification where possible
- Where appropriate, the school will inform the individual about the third parties that the data has been disclosed to
- Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex
- Where no action is being taken in response to a request for rectification, the school will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy
4.7 The right to erasure
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If an individual wishes to exercise this right they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Individuals have the right to erasure in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws their consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed
- The personal data is required to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services to a child
The school has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes
- The exercise or defence of legal claims
As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
- Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so
- Where personal data has been made public within an online environment, the school will inform other organisations who process the personal data to erase links to and copies of the personal data in question
4.8 The right to restrict processing
Individuals have the right to block or suppress the Trust or Trust school’s processing of personal data. If an individual wishes to exercise this right, they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Such a restriction may affect the Trust or Trust school carrying out their legal and contractual obligations. It may also be believed that the data is being processed under the public interest, vital interest or legitimate interest conditions of processing. In these circumstances, guidance should be sought from the DPO and/or the Information Commissioner’s Office to determine that the request is valid.
In the event that the request is valid and the processing is restricted, the school will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.
The school will restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, processing will be restricted until the school has verified the accuracy of the data
- Where an individual has objected to the processing and the school is considering whether their legitimate grounds override those of the individual
- Where processing is unlawful and the individual opposes erasure and requests restriction instead
- Where the school no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim
- If the personal data in question has been disclosed to third parties, the school will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so
The school will inform individuals when a restriction on processing has been lifted.
4.9 The right to data portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.
The right to data portability only applies in the following cases:
- To personal data that an individual has provided to a controller
- Where the processing is based on the individual’s consent or for the performance of a contract
- When processing is carried out by automated means
Personal data will be provided in a structured, commonly used and machine-readable form.
The school will provide the information free of charge, and:
- Where feasible, data will be transmitted directly to another organisation at the request of the individual
- The school is not required to adopt or maintain processing systems, which are technically compatible with other organisations
- In the event that the personal data concerns more than one individual, the school will consider whether providing the information would prejudice the rights of any other individual
- The school will respond to any requests for portability within one month
- Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request
- Where no action is being taken in response to a request, the school will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy
4.10 The right to object
The school will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information. If an individual wishes to exercise this right they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Individuals will have the right to object to the following:
- Processing based on legitimate interests or the performance of a task in the public interest
- Direct marketing
- Processing for purposes of scientific or historical research and statistics
Where personal data is processed for the performance of a legal task or legitimate interests:
- An individual’s grounds for objecting must relate to his or her particular situation
- The school will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defence of legal claims, or, where the school can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
Where personal data is processed for direct marketing purposes:
- The school will stop processing personal data for direct marketing purposes as soon as an objection is received
- The school cannot refuse an individual’s objection regarding data that is being processed for direct marketing purposes
Where personal data is processed for research purposes:
- The individual must have grounds relating to their particular situation in order to exercise their right to object
- Where the processing of personal data is necessary for the performance of a public interest task, the school is not required to comply with an objection to the processing of data
Where the processing activity is outlined above, but is carried out online, the school will offer a method for individuals to object online.
4.11 Automated decision making and profiling
Individuals have the right not to be subject to a decision when:
- It is based on automated processing, e.g. profiling
- It produces a legal effect or a similarly significant effect on the individual
The school will take steps to ensure that individuals are able to obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it.
When automatically processing personal data for profiling purposes, the school will ensure that the appropriate safeguards are in place, including:
- Ensuring processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the predicted impact
- Using appropriate mathematical or statistical procedures
- Implementing appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors
- Securing personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects
Automated decisions must not concern a child or be based on the processing of sensitive data, unless:
- The school has the explicit consent of the individual
- The processing is necessary for reasons of substantial public interest on the basis of UK law.
4.12 Privacy by design and privacy impact assessments
The key aims of Privacy by Design are:
- Proactive not reactive measures
- Privacy as a default setting
- Privacy embedded
- Privacy throughout project life cycle
The school will act in accordance with the UKGDPR by adopting a privacy by design approach and implementing technical and organisational measures, which demonstrate how the Trust and Trust schools have considered and integrated data protection into their processing activities.
Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with the school’s data protection obligations and meeting individuals’ expectations of privacy.
DPIAs will allow the school to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to the school’s reputation, which might otherwise occur.
A DPIA will be carried out when using ‘new technologies’ or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
Where a DPIA indicates high-risk data processing, the school will consult the ICO to seek its opinion as to whether the processing operation complies with the UKGDPR.
Trust employees should follow the Trust Data Protection Impact Assessment (DPIA) Procedure.
4.13 Data breaches
Trust employees should follow the Trust Data Breach Management Procedure – see flowchart at Appendix 3.
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- All personal data breaches must be reported immediately to the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444)
- If a personal data breach occurs and that breach is likely to result in a high risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. This decision will be made in line with ICO guidance.
- In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without delay.
Please refer to the Trust Breach Management Procedure for further information.
Failure to report a breach when required to do so may result in a fine, as well as a fine of up to €20 million, or 4% of an organisation’s global turnover, for the breach itself.
4.14 Third party processors/or other authorised persons
The Trust requires all third party processors who have access to or process personal data on behalf of the Trust, to provide written confirmation that they will comply with the requirements of the UKGDPR and maintain adequate physical and IT security controls to protect our data.
We will request contractors, suppliers, and system providers who may process our personal data to provide written assurance/contract terms to confirm that:
- Any personal data you receive from us in the course of your performance of the relevant contract or service level agreement will only be processed in accordance with our documented instructions.
- No personal data will be transferred to any country outside the EEA or any international organisation without obtaining our prior written consent.
- Any of your employees, sub-contractors or other personnel who may be involved in the processing of the personal data are bound by written contractual obligations to keep the personal data confidential.
- No third party will be engaged to carry out any processing activities in respect of the personal data without our prior written consent, and if consent is given, the third party will be subject to a written contract containing the same data protection obligations as set out between you and us in the contract or service level agreement, and the provisions of this letter.
- Appropriate organisational and technical security measures are in place to protect any personal data, which may be processed or handled under the contract or service level agreement, and to assist us in complying with our obligations to deal with requests from data subjects to exercise their rights under the GDPR.
- Appropriate systems to investigate and report data breaches are in place and that all breaches will be notified to Beckfoot Trust immediately and the ICO within 72 hours (where relevant).
- You will assist us in complying with our obligations in relation to security of processing, dealing with data breaches and carrying out privacy impact assessments.
- When the services under the contract or service level agreement end, you will (at our option) delete or return all personal data and copies of the same.
- You will make information demonstrating compliance with the above obligations available to us on request and will allow for and contribute to any audits or inspections that we may conduct.
We will seek written confirmation from other authorised persons e.g. job applicants, students, volunteers, contractors, freelancers, board members, LSC members that they will comply with Trust and School policies and procedures and that we expect appropriate physical and IT data security controls to be exercised if given access to personal data and systems.
4.15 Data security
Beckfoot Trust will obtain and maintain Cyber Essentials Accreditation to demonstrate our IT Security Management Systems are effective. We also comply with the RPA requirements regarding offline back-ups, National Cyber Security Centre training, registration with the police scheme ‘Cyber Alarm’ and having a Cyber Response Plan.
Schools will ensure that the physical security of the school’s buildings and storage systems, and access to them, is reviewed on a regular basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.
Beckfoot Trust, its employees and others with authorised access to personal data will ensure that appropriate IT and physical data security controls are used to protect against unauthorised access to confidential records e.g.
- Keep passwords secure, regularly change them and don’t share with others.
- Lock PC/Laptop screen or log off when away from your desk.
- Position computer screens so they are not visible to “unauthorised persons” when in use.
- Exercise caution when using Laptops in public areas and only connect to secure Wi-Fi connections.
- Be aware of who can overhear sensitive conversations, take necessary precautions.
- Operate a “Clear Desk Policy” and securely store papers/files that contain personal data when not in use.
- Be careful when opening emails and attachments (if you don’t recognise the sender or the heading looks suspicious) or visiting new websites e.g. virus aware.
- Dispose of personal data securely e.g. shred/confidential waste bin.
- Encrypt or password protect personal information on attachments/devices/memory sticks.
- Update personal data as soon as you are made aware of any changes e.g. notify the Admin/HR Team.
- Ensure old devices/laptops/hard drives are given to IT/School Business Manager to dispose of securely.
- Follow Trust Data Sharing Guidance and check there is a legal basis or that we hold a signed Privacy Notice or Data Subject Access Request before sharing personal information about staff, students and others.
- Report breaches or potential breaches and fraudulent attempts to access data.
4.16 CCTV and photography
The Trust and Schools understand that recording images of identifiable individuals constitutes processing personal information, so it is done in line with data protection principles.
CCTV
Trust staff will follow the Trust CCTV Protocol for information in relation to the use and purpose of CCTV monitoring in schools.
Photographs and non-CCTV recording images
The Trust will request consent for taking photographs and recording/videoing of students, staff and others and will only use them for the purposes covered on the appropriate Trust Privacy Notices. If the Trust or Schools need to use images for any other purpose, permission will be obtained from the individual or, for students, the parent/carer (person with legal responsibility/legal guardian) if under the age of consent.
Precautions will be taken, as outlined in the Trust Online Safety, ICT and Social Media Policy, in relation to the taking and publishing of photographs of students, in print, video or on the school website.
Images/videos captured by individuals for recreational/personal purposes
For clarification, images captured by individuals for recreational/personal purposes, and videos made by a parent/carer for family use, are exempt from the GDPR; however, the Trust and Schools do require that permission be obtained from the Trust/school beforehand.
4.17 Data retention
Under the GDPR, data must not be kept for longer than is necessary. It is therefore extremely important that the Trust and schools have effective policies and procedures in place to ensure the timely secure disposal or deletion of data e.g. paper records disposed of via confidential waste bins and appropriate IT controls for electronic data.
Some records relating to former students or employees of the school may be kept for an extended period for legal reasons, but also to enable the provision of references or academic transcripts.
Trust employees will follow the guidance set out in the Trust Records Management Protocol.