Maytree Nursery and Infant School
G8a Data Protection Policy
Data protection advice for school – ICO
WHAT IS THE POLICY FOR?
This policy statement covers the uses of personal information about past and prospective staff, pupils, parents and other individuals who come into contact with the school. All school staff and governors involved with the collection, use, processing or disclosure of personal data will be aware of their duties and responsibilities and will adhere to this policy.
Personal data may be collected and used in order to meet legal requirements and legitimate interests set out in Data Protection Legislation, namely:
- the General Data Protection Regulation (Regulation (EU) 2016/679);
- the Law Enforcement Directive (Directive (EU) 2016/680);
- the Data Protection Act 2018 (subject to Royal Assent) to the extent that it relates to processing of personal data and privacy; and
- all applicable law about the processing of personal data and privacy.
The information is collected, used and stored to enable the provision of education and other associated functions. In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government. The personal information will be dealt with in line with the Data Protection Legislation regardless of the way that it has been collected, recorded and used.
WHY IS IT NECESSARY?
Maytree Nursery and Infant School is registered as a Data Controller with the Information Commissioner’s Office (ICO), and its registration number is Z6373016. Details are available on the ICO website: https://ico.org.uk/esdwebpages/search
The personal data is used for the following reasons:
- To support pupil learning.
- To monitor and report on pupil progress.
- To provide appropriate pastoral care.
- To assess the quality of our service.
- To comply with the law regarding data sharing.
WHAT INFORMATION IS COLLECTED?
All data within the school’s control shall be identified as personal, sensitive, or both, to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
Data Protection Legislation applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Data Protection Legislation refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
The information collected includes contact details, national curriculum assessment results, attendance information and personal characteristics, such as ethnicity, any special educational needs, and relevant medical information.
The categories of pupil information that we collect, hold and share include:
- Personal information (such as name, unique pupil number and address)
- Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Academic progress / assessment data
- Relevant medical information
- Special educational needs information
- Exclusions / behavioural information
Our school regards the lawful and correct treatment of personal information as very important to the successful operation and maintenance of confidence between individuals and ourselves. We ensure that personal information is treated lawfully and correctly.
To this end we fully endorse and adhere to the six principles of data protection, as detailed in Data Protection Legislation.
DATA PROTECTION PRINCIPLES
Under Data Protection Legislation, there are 6 data protection principles that set out the main responsibilities for organisations, including schools.
Personal data shall be:
- Principle 1 - Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Principle 2 - Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Principle 3 - Adequate, relevant and limited to what is necessary.
- Principle 4 - Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Principle 5 - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Principle 6 - Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing.
As the data controller, the school is responsible for, and must be able to demonstrate compliance with, these principles.
The school is committed to maintaining the above principles at all times. Therefore the school will:
- Observe fully the conditions regarding the fair collection and use of information.
- Meet its legal obligations to specify the purposes for which information is used.
- Collect and process the appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
- Ensure the quality of information used is accurate and kept up to date.
- Apply strict checks to determine the retention periods of information held.
- Guarantee the rights of people about whom information is held can be fully exercised under Data Protection Legislation (these include the right to be informed that processing is being undertaken); ensure the public have the right of access to personal records held about them.
- Ensure individuals have the right to access their personal information; the right to prevent processing in certain circumstances; and the right to correct, rectify, block or erase information which is regarded as wrong information.
- Ensure that for all personal data, appropriate security measures are taken, both technically & organisationally, to protect against damage, loss or abuse.
- Ensure that personal information is not transferred abroad without suitable safeguards.
- Adopt the key principles of BS7799 – the British Standard on Information Security Management.
- Review this policy and the safeguards that relate to it annually, to ensure that the contents are still relevant, efficient and effective.
- Ensure CCTV systems are used in compliance with Data Protection Legislation.
- Adhere to the duty of confidence.
- Ensure everyone managing and handling personal information understands that they are responsible for following good data protection practice and is appropriately trained to do so.
- Ensure queries about handling personal information are promptly and courteously dealt with.
We shall be transparent and provide accessible information about the proposed processing of data and communicate these intentions via notification to staff, parents and pupils.
We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.
We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.
We are required to share information about our pupils with Southampton City Council (SCC) and the DfE under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
We also share pupil information to:
- Meet our statutory duty to create and maintain an admission register under the Education (Pupil Registration) (England) Regulations 2006 and subsequent amendments, without which schools are unable to enrol a pupil.
- Support teaching and learning. In order to facilitate this, we may share information with the software supplier to set up the systems needed for pupils and parents/carers to access.
- Monitor and report on academic progress.
- Provide appropriate pastoral care (Keeping Children Safe in Education 2016).
- Assess how well we, as an education provider, are doing.
- Co-operate with SCC and external partners to improve the well-being of children, under the duty of the Children Act 2004.
- Share information with SCC and external partners to support the duty to safeguard and promote the welfare of children, under the Children Act 1989, Section 17.
- Share data with professionals commissioned by the school or working with a pupil such as the School Nurse or health services.
- Comply with our statutory duty under the Education (Pupil Information) (England) Regulations 2005 Statutory Instrument and subsequent amendments in The Education (Pupil Information) (England) (Amendment) 2008 to create a Common Transfer File when a child ceases to be registered at a school and becomes a registered pupil at another school in England or Wales. This would also apply to pupils who are dually registered at more than one school. If a Common Transfer File cannot be sent to a new school when a pupil leaves, one must be sent to the DfE Lost Pupil Database.
- Send pupil information to SCC on a regular basis in accordance with our information sharing agreement to enable the local authority to meet its duty under data protection legislation to ensure that the data it holds is accurate and also to carry out its official functions, or a task, in the public interest.
- Notify SCC on a termly basis of all pupils on a reduced timetable so that the local authority can comply with statutory Ofsted requests for data at the time of inspection.
- Comply with the statutory requirements of the Education (Pupil Registration) (England) Regulations 2006 and subsequent amendments, notifying SCC if a child leaves the school and providing forwarding details. A failure to provide this information will result in pupils being recorded as a “Child Missing Education”, in accordance with the government definition.
- Provide attendance information to SCC so that its duties under the Anti-Social Behaviour Act 2003, Section 444 of the Education Act 1996 and Section 36 of the Children Act 1989 (Education Supervision Orders) can be met.
- Provide exclusion information to SCC so that its duty under Section 19 of the Education Act 1996 can be met.
- Meet our duty to provide information about any exclusions within the last 12 months to the Secretary of State and (in the case of maintained schools and PRUs) the local authority, in accordance with The Education (Information About Individual Pupils) (England) Regulations 2006.
When your child applies for further education or training, the school / SCC may forward information to colleges or providers in order to aid your child’s transition into further education or training.
There shall be restricted access to personal information, giving access only to people (staff and governors) who need particular information to do their job, and only when they need it. This covers access to written and electronic staff and pupil records, and recorded CCTV images. Any proposed change to the processing of an individual’s data shall first be notified to them.
PHOTOGRAPHY AND MEDIA FOOTAGE
Images of staff and pupils may be captured at suitable times and as part of educational activities for use in school only. Any images will only be used for the purpose that has been specified.
In the event that an education organisation decides to use surveillance technology, i.e. CCTV and body worn video, it will be done in line with current data protection legislation.
Individuals will be made aware they may be recorded and appropriate measures will be put in place to keep the recorded images secure.
If you wish to be supplied with personal information we hold about you (a subject access request) please make a request addressed to the School’s Data Protection Officer.
Complaints will be dealt with in accordance with the school’s complaints policy.
If you have any concerns or queries about how the School is processing your personal data, please contact the School’s Data Protection Officer:
Meenu Grewal (temp)
By Post: School Business Manager
By Phone: 023809630522
By email: firstname.lastname@example.org
For independent advice about data protection, please contact the Information Commissioner’s Office:
By Phone: 0303 123 1113 (local rate) or 01625 545 745, if you prefer to use a national rate number
By email: email@example.com
Policy reviewed annually
Review Date: Summer 2019