Data Protection Policy

Revision History

Version   Date            Comments                                             Review Date
6         Summer 2016     Amended (typographical only), approved and issued    Summer 2017
5         Summer 2015     Amended, approved & Issued                           Summer 2016
4         Summer 2014     Approved and issued (no amendments)                  Summer 2015
3         Summer 2013     Approved & issued (no amendments)                    Summer 2014
2         February 2013   2nd Draft
1         February 2013   First draft

This document is a statement of the aims and principles of St John’s CE (A) Primary School for enforcing the confidentiality of sensitive information relating to staff, pupils, parents/carers and governors.

Introduction

St John’s CE (A) Primary School needs to keep certain information about its employees and pupils to allow it to monitor performance, achievements, and health and safety.  It is also necessary to process information for staff recruitment and payment, and to fulfil legal obligations to the Government, LA and funding bodies.  To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.  To do this, St John’s CE (A) Primary School must comply with the Data Protection Principles which are set out in the Data Protection Act 1998.  In summary, these state that personal data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for that purpose.
  • Be accurate and kept up to date.
  • Not be kept longer than is necessary for that purpose.
  • Be processed in accordance with the data subject’s rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.

St John’s CE (A) Primary School and all staff or other users who process or use personal information must ensure that they follow these principles at all times.  In order to ensure that this happens, the school has developed this Data Protection Policy.

Personal Information

Staff should note that unauthorised disclosure will usually be a disciplinary matter.  All personal information should be kept in a locked cabinet/drawer/safe.  If it is computerised, it should be code encrypted or password protected, or both, on a network drive/hard drive that is regularly backed up.  If a copy is kept on a removable storage device, the media itself must be kept in a locked filing cabinet, safe or drawer.

Rights to access information

All parents/carers and other users are entitled to:

  1. Know what information the school holds and processes about them and their child, and why.
  2. Know how to gain access to it.
  3. Know how to keep it up to date.
  4. Know what the school is doing to comply with its obligations under the 1998 Act.

This policy document and the school’s Data Protection code of practice help address the last three points.  For point 1, the school will provide all staff, parents/carers and other relevant users with a statement regarding the personal data held about them.  This will state all the types of data the school holds and processes about them and the reasons for which they are processed.

All staff, parents/carers and other users have a right under the 1998 Act to access certain personal data being kept about them or their child, either on computer or in files.  Any person who writes to exercise this right should complete a personal data access request form and submit it to the designated data controller.  The school will make a charge of £10 on each occasion that access is requested, although the school has discretion to waive this.

The school will aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days as required by the 1998 Act.

Subject Consent

In many cases the school can only process personal data with the consent of the individual.  In some cases, if the data is sensitive, as defined by the 1998 Act, express consent must be obtained.  However, agreement to the school processing some specified classes of personal data is a condition of acceptance of employment for staff.  This includes information about previous criminal convictions.

The School has a duty under the Children’s Act 1989 to ensure that all staff are suitable for the job and, under its duty of care for staff and pupils, to make sure that those who use the school facilities do not pose a threat or danger to other users.  The school may also seek information about particular health needs, e.g., allergies, medical conditions.  The school will only use this information in the protection of the health and safety of the individual, but will need consent to process this data in the event of a medical emergency, for example.

Processing Sensitive Information

Sometimes it is necessary to process information about a person’s health, criminal convictions, or race.  This may be to ensure that the school is a safe place for everyone, or to operate other school policies, such as the Sick Pay Policy or the Equal Opportunities Policy.  Because this information is considered sensitive under the 1998 Act, staff (and pupils where appropriate) will be asked to give their express consent for the school to process this data.  An offer of employment may be withdrawn if an individual refuses to consent to this without good reason.

Publication of School Information

Certain items of information relating to school staff will be made available via searchable directories on the website in order to meet the legitimate needs of researchers, parents/carers and visitors seeking to make contact with the school.

Retention of Data

The school has a duty to retain some staff and student personal data for a period of time following their departure from the school, mainly for legal reasons but also for other purposes such as being able to provide references or academic transcripts.  Different categories of data will be retained for different periods of time.

Data Protection Policy – Version 6 – Summer 2016