Privacy Notice - GDPR
Re; General Data Protection Regulations (GDPR)
We already highly value and protect all of our student, parents and staff data and will update or practices and procedures to keep up-to-date with current data protection regulations. For further information about GDPR please visit the ICO website. We have appointed a Data Protection Officer (DPO) to oversee the way the school handles data and ensure that requests for data are dealt with in accordance with GDPR. Any subject access requests (SAR), Freedom of Information requests (FOI) and queries you have about the way in which your data is handled please contact our DPO.
The 25th May 2018 marked the enforcement of the General Data Protection Regulation (GDPR). The GDPR replaced the Data Protection Act 1998 and is designed to strengthen the safety and security of all data held within an organisation, and make sure processing and storage procedures are consistent.
First and foremost, it is important that you understand your rights under the GDPR; you have the right to:
- Be informed about how we use your personal data.
- Request access to the personal data that the school holds.
- Request that your personal data is amended if it is inaccurate or incomplete.
- Request that your personal data is erased where there is no compelling reason for its continued processing.
- Request that the processing of your data is restricted.
- Object to your personal data being processed.
The GDPR resulted in some significant changes for the school, meaning that the school now have to prove their compliance with the GDPR, by having effective policies in place. There were also changes to the rights that individuals have – such as the right to have your information erased.
Privacy notices must also include new information, such as an individual’s right to complain to the Information Commissioner’s Officer (ICO). The GDPR takes into account the information of children too – parental consent is needed for children up to the age of 13, at which point, the child may be able to consent for themselves.
A data breach notification duty is applied to all schools, and those that are likely to cause damage, e.g. identity theft, have to be reported to the ICO within 72 hours – failure to do so can result in a fine. A data protection impact assessment will be completed, which will likely be carried out when using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals.
One of the biggest changes has been in terms of consent; consent must be a ‘positive indication’, which means that it has to be opted into, clear and unambiguous. Any parental consent given to the school under the Data Protection Act 1998 has been reviewed and we have asked all our parents to complete and return a multi-purpose consent form. Parental consents not covered by the multi-purpose consent form may be requested and we will ensure that we ask for your consent as it becomes appropriate to do so.
We are pleased to be able to announce that we have appointed one of our school governors to the role of Data Protection Governor. This role will focus on monitoring the schools policies and procedures to ensure compliance with the new GDPR legislation and present an annual report to governors. Finally, schools are required to appoint a data protection officer (DPO) - see information above.
Please read the school’s privacy notices on the school website. It is important that you read and understand the privacy notice, as the school wants to ensure that you know what we are doing with your data and that you know we are acting legally.
Policies are published on the school’s website. Click here to go to the Policies Page
For data protection enquiries to the school, please email: firstname.lastname@example.org
Subject Access Requests or other GDPR concerns, please email our Data Protection Officer: email@example.com