Data Protection Policy

KCSP Data Protection Policy

 

Approving Body: Board of Directors

Approval Date: March 2017

Review Date: March 2019

 

“By knowledge the upright are safeguarded” [Proverbs 11/9]

 

1. Statement of purpose

 The purpose of this policy is to ensure that records are maintained, including security and access arrangements, in accordance with Education Regulations and all other statutory provisions. The Kent Catholic Schools’ Partnership (“The Trust”) will comply fully with the requirements and principles of the Data Protection Act 1984 and the Data Protection Act 1988. All staff involved with the collection, processing and disclosure of personal data are aware of their duties and responsibilities within these guidelines.

2. Fair obtaining and processing

Each Academy in KCSP undertakes to obtain and process data fairly and lawfully by informing all data subjects of the reasons for data collection, the purposes for which the data are held, the likely recipients of the data and the data subject’s right of access. Information about the use of personal data is printed on the appropriate collection form. If details are given verbally, the person collecting will explain the issues before obtaining the information.

“Processing” means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data.

“Data subject” means an individual who is the subject of personal data or the person to whom the information relates.

“Personal data” means data which relates to a living individual who can be identified. Addresses and telephone numbers are particularly vulnerable to abuse, along with names and photographs if published in the press, Internet or media.

“Parent” has the meaning given in the Education Act 1996, and includes any person having parental responsibility or care of a child.

“Legal disclosure” is the release of personal information from the computer to someone who requires the information to do his or her job within or for the Academy, provided that the purpose of that information has been registered.

“Illegal disclosure” is the release of information to someone who does not need it, or has no right to it, or one which falls outside the Academy’s registered purposes.

3. Registration

The Trust is registered with the Information Commissioner’s Office (https://ico.org.uk/). Please see Appendix 1 for the Trust’s certificate of registration. General information about the Data Protection Act can be obtained from the Data Protection Commissioner (Information Line 08456 306060 or 01625 545 745 or website www.ico.gov.uk).

4. Data Protection Act 1984

The Act is based on eight data protection principles, or rules for ‘good information handling’. Please see below for the principles and information on compliance.

i. Data must be processed fairly and lawfully

To comply with this provision you should:

  • have legitimate grounds for collecting and using the personal data;
  • not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

ii. Personal data shall be obtained only for one or more specific and lawful purposes.

To comply with this provision you should:

  • be clear from the outset about why you are collecting personal data and what you intend to do with it
  • comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data
  • comply with what the Act says about notifying the Information Commissioner
  • ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair

iii. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.

To comply with this provision you should ensure that:

  • you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
  • you do not hold more information than you need for that purpose.

iv. Personal data shall be accurate and where necessary kept up to date

To comply with this provision you should:

  • take reasonable steps to ensure the accuracy of any personal data you obtain;
  • ensure that the source of any personal data is clear;
  • carefully consider any challenges to the accuracy of information; and
  • consider whether it is necessary to update the information.

v. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.

To comply with this provision you should:

  • review the length of time you keep personal data
  • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
  • securely delete information that is no longer needed for this purpose or these purposes; and
  • update, archive or securely delete information if it goes out of date

vi. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Data Protection Act.

This is the sixth data protection principle, and the rights of individuals that it refers to are:

  • a right of access to a copy of the information comprised in their personal data;
  • a right to object to processing that is likely to cause or is causing damage or distress;
  • a right to prevent processing for direct marketing;
  • a right to object to decisions being taken by automated means;
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
  • a right to claim compensation for damages caused by a breach of the Act.

vii. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • be clear about who in your organisation is responsible for ensuring information security;
  • make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively

viii. Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Trust, and its academies, does not send data to countries outside the EEA.

5. Processing subject access requests

Requests for access must be made in writing. A Subject Access request form is available on the Kent Catholic Schools’ Partnership website at http://www.kcsp.org.uk/ and attached as Appendix 2.

However, any request in writing will be considered as a valid request.

Completed forms (or requests in other formats) should be submitted to the Headteacher of the relevant academy (please see the academy website for contact details) or the Company Secretary of the Trust (acting as Data Protection Compliance Manager, please see KCSP website for contact details http://www.kcsp.org.uk/ ). Provided that there is sufficient information to process the request, an entry will be made in the (virtual) Subject Access log book, showing the date of receipt, the data subject’s name, the name and address of requester (if different), the type of data required (e.g. Student Record, Personnel Record), and the planned date of supplying the information (normally not more than 40 days from the request date). Should more information be required to establish either the identity of the data subject (or agent) or the type of data requested, the date of entry in the log will be the date on which sufficient information has been provided.

The Trust is entitled to charge for processing subject access requests. Please see the Subject access code of practice for charging details and amounts (https://ico.org.uk/media/fororganisations/documents/1065/subject-access-code-of-practice.pdf).

Note: In the case of any written request from a parent regarding their own child’s record, access to the record will be provided within 15 school days in accordance with the current Education (Pupil Information) Regulations.

If you have any questions or concerns, or if you consider that the policy has not been followed in respect of personal data about yourself or others, you should raise the matter with the KCSP Company Secretary.

6. Authorised disclosures

Each Academy will, in general, only disclose data about individuals with their consent. However, there are circumstances under which the Academy’s authorised officer may need to disclose data without explicit consent for that occasion.

These circumstances are strictly limited to:

  • Student data disclosed to authorised recipients related to education and administration necessary for the Academy to perform its statutory duties and obligations
  • Student data disclosed to authorised recipients in respect of their child’s health, safety and welfare
  • Student data disclosed to parents in respect of their child’s progress, achievements, attendance, attitude or general demeanour within or in the vicinity of the Academy
  • Staff data disclosed to relevant authorities e.g. in respect of payroll and administrative matters
  • Unavoidable disclosures, for example to an engineer during maintenance of the computer system. In such circumstances the engineer would be required to sign a form promising not to disclose the data outside the Academy. Officers and I.T. personnel working on behalf of the Local Authority, for example I.T. liaison/data processing officers in the LA, are contractually bound not to disclose personal data.

Only authorised and trained staff are allowed to make external disclosures of personal data. Data used within an academy by administrative staff, teachers and welfare officers will only be made available where the person requesting the information is a professional legitimately working within the Academy who needs to know the information in order to do their work. The Academy will not disclose anything on students’ records which would be likely to cause serious harm to their physical or mental health or that of anyone else – including anything that suggests that they are, or have been, either the subject of or at risk of child abuse.
