In light of the changes to Data Protection with the introduction of the GDPR (General Data Protection Regulation) on the 25th May 2018, we have made some changes to the way we collect, use and share your data.
The GDPR is an updated set of rules designed to harmonise data privacy laws across Europe and gives greater protection and rights to individuals.
The GDPR sets out six principles:
- Lawfulness, Fairness and Transparency – Organisations must have legitimate reasons for collecting and processing your personal or sensitive data.
- Purpose – Organisations should only collect data for a specified, explicit and legitimate purpose.
- Data Minimisation – Organisations should only collect data which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
- Accuracy – Data held by organisations should be accurate and where necessary kept up to date.
- Retention – Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed.
- Security – Data should be processed in a manner that ensures appropriate security of the personal data.
We have recently updated our Privacy Notice, which can be found on our website. It details the information we collect, the purpose for which we collect it, any third parties with whom it may be shared and how long we will retain it.
Under the GDPR, individuals' rights are enhanced:
- The right to be informed – You should know about the collection and use of personal data.
- The right of access – You can ask to see the personal data we hold about you by making a subject access request (SAR).
- The right of rectification – You can ask us to correct information we hold that is incorrect.
- The right to erasure – You can ask for your data to be removed.
- The right to restrict processing – You can limit what your data is being used for.
- The right to withdraw consent – Where consent has been given, you have the right to withdraw at any time.
It is important to note that where an organisation has a legitimate purpose for the collection, use, sharing and storage of data, this takes precedence over the individual's rights above and processing can continue.
Subject access requests (SAR)
If you wish to contact the Academy to obtain the information we hold about you, please complete the form available on the website or collect a paper copy from the office. Proof of ID will need to be provided before the request can be completed, and a response will be issued within one month of the date the request is received.
Reporting a Data Breach
If you believe that your personal or sensitive data has been compromised, please complete the 'Reporting a Breach' form, available from the office. All forms will be passed to the Data Protection Officer (Mr Doney) to investigate (email: firstname.lastname@example.org).
What is GDPR?
GDPR stands for General Data Protection Regulation. Although the school has been working in line with the Data Protection Act 1998, new regulations in relation to your personal data come into effect from 25th May 2018. Claypole Church of England Primary School will ensure that personal data is protected and kept safely and securely. It will ensure that its data protection policy is used as the basis for collecting, storing, accessing, sharing and deleting personal data. The school will use the General Data Protection Regulation (GDPR) as the benchmark for its standard of protecting personal data.
- To ensure that decision makers and key people in school comply with the statutory requirements of the GDPR, which officially comes into force in May 2018;
- To ensure that there will be regular reviews and audits of the information we hold to ensure that we fully meet the GDPR statutory requirements;
- To document the personal data we hold, where it came from and with whom it will be shared;
- To ensure that data collection, data handling, data storage and data disposal procedures are in line with the GDPR and cover all the rights individuals have, including how personal data is deleted and destroyed;
- Data access requests will be handled within the timescales set out in the GDPR, and we will provide any additional information in line with the GDPR guidance;
- The processing of personal data will be carried out on a lawful basis as required by the GDPR;
- Where the school needs to seek consent, it will do so in a manner that meets GDPR standards;
- Any records of consent and the management of the process for seeking consent will also meet the GDPR standard;
- Where there is a personal data breach the procedures used to detect, report and investigate it will meet the requirements of the GDPR;
- The systems the school puts into place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity will meet the standard set in the GDPR;
- Data protection by design and data protection impact assessments will meet with the ICO’s code of practice on privacy impact assessments as well as with the latest guidance;
- The school will have a Data Protection Officer who will be given responsibility for data protection compliance;
- When the school requests data, we will provide appropriate privacy notices to explain why the data is being collected and the purposes for which it is used.
The requirements of the GDPR will be met by this school as the basis for collecting, storing, accessing, sharing and deleting personal data. Data will be processed fairly, lawfully and in a transparent manner. It will be used for specified, explicit and legitimate purposes in a way that is adequate, relevant and limited. It will be accurate, kept up to date and kept no longer than is necessary. Data will be processed in a manner that ensures appropriate security of the data.