DATA PROTECTION POLICY
incorporating the introduction of the General
Data Protection Regulation (25th May 2018)
August 2023
To be reviewed: August 2024
Contents
1 Policy statement
2 About this policy
3 Definition of data protection terms
4 Data protection officer
5 Data protection principles
6 Fair and lawful processing
7 Processing for limited purposes
8 Notifying data subjects
9 Adequate relevant and non-excessive
10 Accurate data
11 Timely processing
12 Processing in line with data subject's rights
13 Data security
14 Data protection impact assessments
15 Disclosure and sharing of personal information
16 Data processors
17 Images and videos
18 Changes to this policy
ANNEX Definition of terms
Policy Statement
Data Protection Law has been updated and is now encapsulated in the General Data Protection Regulation (GDPR). Here at Savvy Education we are committed to ensuring that the way we handle data is transparent, fair and in accordance with the law. This policy sets out how we will achieve that.
Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities at Savvy Education we will collect, store and process personal data about our pupils, workforce, parents and others. This makes us a data controller in relation to that personal data.
We are committed to the protection of all personal data and special category personal data for which we are the data controller.
The law imposes significant fines for failing to lawfully process and safeguard personal data and failure to comply with this policy may result in those fines being applied.
All members of our workforce must comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary or other action and could result in very large fines.
About this policy
The types of personal data that we may be required to handle include information about pupils, parents, our workforce, and others that we deal with. The personal data which we hold is subject to certain legal safeguards specified in the General Data Protection Regulation (‘GDPR’), the [Data Protection Act 2018], and other regulations (together ‘Data Protection Legislation’).
This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
This policy does not form part of any employee's contract of employment and may be amended at any time.
This policy sets out rules on data protection and the legal conditions that must be satisfied when we process personal data.
Definition of data protection terms
All defined terms in this policy are indicated in bold text, and a list of definitions is included in the Annex to this policy.
Data Protection Officer
We have a Data Protection Officer (“DPO”). Our DPO is Mr Michael Leishman, Director, and he can be contacted on 01326 567 443.
The DPO is responsible for ensuring compliance with the Data Protection Legislation and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
The DPO is also the central point of contact for all data subjects and others in relation to matters of data protection.
Data protection principles
Anyone processing personal data must comply with the data protection principles. These provide that personal data must be:
Personal Data must also:
We will comply with these principles in relation to any processing of personal data by Savvy Education.
Fair and lawful processing
Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
For personal data to be processed fairly, data subjects must be made aware:
· that the personal data is being processed;
· why the personal data is being processed;
· what the lawful basis is for that processing (see below);
· whether the personal data will be shared, and if so with whom;
· the period for which the personal data will be held;
· the existence of the data subject’s rights in relation to the processing of that personal data; and
· the right of the data subject to raise a complaint with the Information Commissioner’s Office in relation to any processing.
We will only obtain such personal data as is necessary and relevant to the purpose for which it was gathered, and will ensure that we have a lawful basis for any processing.
For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. We will normally process personal data under the following legal grounds:
· where the processing is necessary for the performance of a contract between us and the data subject, such as an employment contract;
· where the processing is necessary to comply with a legal obligation that we are subject to (e.g., the Education Act 2011);
· where the law otherwise allows us to process the personal data or we are carrying out a task in the public interest; and
· where none of the above apply then we will seek the consent of the data subject to the processing of their personal data.
When special category personal data is being processed then an additional legal ground must apply to that processing. We will normally only process special category personal data under the following legal grounds:
· where the processing is necessary for employment law purposes, for example in relation to sickness absence;
· where the processing is necessary for reasons of substantial public interest, for example for the purposes of equality of opportunity and treatment;
· where the processing is necessary for health or social care purposes, for example in relation to pupils with medical conditions or disabilities; and
· where none of the above apply then we will seek the consent of the data subject to the processing of their special category personal data.
We will inform data subjects of the above matters by way of appropriate privacy notices which shall be provided to them when we collect the data or as soon as possible thereafter, unless we have already provided this information such as at the time when a pupil joins us.
If any data user is in doubt as to whether they can use any personal data for any purpose, then they must contact the DPO before doing so.
Vital Interests
There may be circumstances where it is considered necessary to process personal data or special category personal data in order to protect the vital interests of a data subject. This might include medical emergencies where the data subject is not in a position to give consent to the processing. We believe that this will only occur in very specific and limited circumstances. In such circumstances we would usually seek to consult with the DPO in advance, although there may be emergency situations where this does not occur.
Consent
Where none of the other bases for processing set out above apply then Savvy Education must seek the consent of the data subject before processing any personal data for any purpose.
There are strict legal requirements in relation to the form of consent that must be obtained from data subjects.
When pupils and/or our Workforce join Savvy Education a consent form will be required to be completed in relation to them. Where appropriate third parties may also be required to complete a consent form.
If consent is required for any other processing of personal data of any data subject, then the form of this consent must:
· Inform the data subject of exactly what we intend to do with their personal data;
· Require them to positively confirm that they consent – we cannot ask them to opt-out rather than opt-in; and
· Inform the data subject of how they can withdraw their consent.
Any consent must be freely given, which means that we cannot make the provision of any goods or services or other matter conditional on a data subject giving their consent.
The DPO must always be consulted in relation to any consent form before consent is obtained.
A record must always be kept of any consent, including how it was obtained and when.
Processing for limited purposes
In the course of our activities at Savvy Education, we may collect and process the personal data set out in our Schedule of Processing Activities. This may include personal data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and personal data we receive from other sources (including, for example, local authorities, other schools, parents, other pupils or members of our workforce).
We will only process personal data for the specific purposes set out in our Schedule of Processing Activities or for any other purposes specifically permitted by Data Protection Legislation or for which specific consent has been provided by the data subject.
Notifying data subjects
If we collect personal data directly from data subjects, we will inform them about:
· our identity and contact details as Data Controller and those of the DPO;
· the purpose or purposes and legal basis for which we intend to process that personal data;
· the types of third parties, if any, with which we will share or to which we will disclose that personal data;
· whether the personal data will be transferred outside the European Economic Area (‘EEA’) and if so the safeguards in place;
· the period for which their personal data will be stored;
· the existence of any automated decision making in the processing of the personal data along with the significance and envisaged consequences of the processing and the right to object to such decision making; and
· the rights of the data subject to object to or limit processing, request information, request deletion of information or lodge a complaint with the ICO.
Unless we have already informed data subjects that we will be obtaining information about them from third parties (for example in our privacy notices), then if we receive personal data about a data subject from other sources, we will provide the data subject with the above information as soon as possible thereafter, informing them of where the personal data was obtained from.
Adequate, relevant and non-excessive processing
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject, unless otherwise permitted by Data Protection Legislation.
Accurate data
We will ensure that personal data we hold is accurate and kept up to date.
We will take reasonable steps to destroy or amend inaccurate or out-of-date data.
Data subjects have a right to have any inaccurate personal data rectified. See further below in relation to the exercise of this right.
Timely processing
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all personal data which is no longer required.
Processing in line with data subject's rights
We will process all personal data in line with data subjects' rights, in particular their right to:
· request access to any personal data we hold about them;
· object to the processing of their personal data, including the right to object to direct marketing;
· have inaccurate or incomplete personal data about them rectified;
· restrict processing of their personal data;
· have personal data we hold about them erased;
· have their personal data transferred; and
· object to the making of decisions about them by automated means.
The Right of Access to Personal Data
Data subjects may request access to all personal data we hold about them.
The Right to Object
In certain circumstances data subjects may object to us processing their personal data. This right may be exercised in relation to processing that we are undertaking on the basis of a legitimate interest or in pursuit of a statutory function or task carried out in the public interest.
An objection to processing does not have to be complied with where the service can demonstrate compelling legitimate grounds which override the rights of the data subject.
Such considerations are complex and must always be referred to the DPO upon receipt of the request to exercise this right.
In respect of direct marketing any objection to processing must be complied with.
Savvy Education is not however obliged to comply with a request where the personal data is required in relation to any claim or legal proceedings.
The Right to Rectification
If a data subject informs Savvy Education that personal data held about them by Savvy Education is inaccurate or incomplete, then we will consider that request and provide a response within one month.
If we consider the issue to be too complex to resolve within that period then we may extend the response period by a further two months. If this is necessary, then we will inform the data subject within one month of their request that this is the case.
We may determine that any changes proposed by the data subject should not be made. If this is the case then we will explain to the data subject why this is the case. In those circumstances we will inform the data subject of their right to complain to the Information Commissioner’s Office at the time that we inform them of our decision in relation to their request.
The Right to Restrict Processing
Data subjects have a right to “block” or suppress the processing of personal data. This means that Savvy Education can continue to hold the personal data but not do anything else with it.
Savvy Education must restrict the processing of personal data:
· Where it is in the process of considering a request for personal data to be rectified (see above);
· Where Savvy Education is in the process of considering an objection to processing by a data subject;
· Where the processing is unlawful but the data subject has asked Savvy Education not to delete the personal data; and
· Where Savvy Education no longer needs the personal data but the data subject has asked Savvy Education not to delete the personal data because they need it in relation to a legal claim, including any potential claim against Savvy Education.
If Savvy Education has shared the relevant personal data with any other organisation, then we will contact those organisations to inform them of any restriction, unless this proves impossible or involves a disproportionate effort.
The DPO must be consulted in relation to requests under this right.
The Right to Be Forgotten
Data subjects have a right to have personal data about them held by Savvy Education erased only in the following circumstances:
· Where the personal data is no longer necessary for the purpose for which it was originally collected;
· When a data subject withdraws consent – which will apply only where Savvy Education is relying on the individual's consent to the processing in the first place;
· When a data subject objects to the processing and there is no overriding legitimate interest to continue that processing – see above in relation to the right to object;
· Where the processing of the personal data is otherwise unlawful;
· When it is necessary to erase the personal data to comply with a legal obligation.
Savvy Education is not required to comply with a request by a data subject to erase their personal data if the processing is taking place:
· To exercise the right of freedom of expression or information;
· To comply with a legal obligation for the performance of a task in the public interest or in accordance with the law;
· For public health purposes in the public interest;
· For archiving purposes in the public interest, research or statistical purposes; or
· In relation to a legal claim.
If Savvy Education has shared the relevant personal data with any other organisation, then we will contact those organisations to inform them of any erasure, unless this proves impossible or involves a disproportionate effort.
The DPO must be consulted in relation to requests under this right.
Right to Data Portability
In limited circumstances a data subject has a right to receive their personal data in a machine-readable format, and to have this transferred to another organisation.
If such a request is made, then the DPO must be consulted.
Data Security
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
Security procedures include:
Two-factor authorisation. Only those who have activated two-factor authorisation will have access to personal information.
Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.) Staff should always operate a clear desk routine.
Clear Walls and Noticeboards. No personal or special category data should be displayed on walls or noticeboards in offices, classrooms or corridors where there is any likelihood of a non-staff member seeing it. This means that all areas accessible to members of the public, staff from other schools, contractors or casual workers must be clear of all personal and special category data at all times.
Methods of disposal. Paper documents containing personal information should be shredded. All other documents which do not contain personal information can be recycled. Digital storage devices should be physically destroyed when they are no longer required by returning to the IT department. IT assets must be disposed of in accordance with the Information Commissioner’s Office guidance on the disposal of IT assets.
Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended. Additionally, users must change their passwords every year.
Working away from the premises – paper documents. Wherever possible staff should avoid taking paper documents from secure locations. Where this is unavoidable (such as for marking at home) then staff must make every effort to keep the documents safe at all times. This includes using only student codes/initials for all students.
Staff transporting documents must do so in a lockable container such as a briefcase.
Staff must never leave documents in a vehicle.
Where staff need to leave documents at home or in another setting, such as a hotel room, they must be locked in an appropriate cupboard or safe at all times when not in use.
Working away from the premises – electronic working. Electronic working away can be:
All school provided equipment comes with a high level of inbuilt security and as such is unlikely to be accessed inappropriately except where a member of staff has left the device unlocked. Staff must avoid working where there is any chance they could be overlooked. Devices must be locked if the member of staff leaves the device, even when working at home.
Staff who access online databases (Zoho) through a personal device at home should never download documents to that device, or where they do, ensure that they are deleted prior to closing down that device. Staff must avoid working where there is any chance of being overlooked. They should never leave the device unattended and ensure that it is locked if they do.
Staff/consultants should never use memory sticks.
Data Security Breaches
Staff are encouraged to report any data breaches or suspected data breaches to the DPO immediately they discover the breach.
Data Protection Impact Assessments
Savvy Education takes data protection very seriously, and will consider and comply with the requirements of Data Protection Legislation in relation to all of its activities whenever these involve the use of personal data, in accordance with the principles of data protection by design and default.
In certain circumstances the law requires us to carry out detailed assessments of proposed processing. This includes where we intend to use new technologies which might pose a high risk to the rights of data subjects because of the types of data we will be processing or the way that we intend to do so.
Savvy Education will complete an assessment of any such proposed processing and has a template document which ensures that all relevant matters are considered.
The DPO should always be consulted as to whether a data protection impact assessment is required, and if so how to undertake that assessment.
Disclosure and sharing of personal information
We may share personal data that we hold about data subjects, and without their consent, with other organisations. Such organisations include the Department for Education, [and/or Education and Skills Funding Agency “ESFA”], Ofsted, health authorities and professionals, the Local Authority, examination bodies, other schools, and other organisations where we have a lawful basis for doing so.
Savvy Education will inform data subjects of any sharing of their personal data unless we are not legally required to do so, for example where personal data is shared with the police in the investigation of a criminal offence.
In some circumstances we will not share safeguarding information. Please refer to our Child Protection Policies.
Further detail is provided in our Schedule of Processing Activities.
Data Processors
We work with various organisations who provide services to Savvy Education, including:
In order that these services can be provided effectively we are required to transfer personal data of data subjects to these data processors.
Personal data will only be transferred to a data processor if they agree to comply with our procedures and policies in relation to data security, or if they put in place adequate measures themselves to the satisfaction of Savvy Education. Savvy Education will always undertake due diligence of any data processor before transferring the personal data of data subjects to them.
Contracts with data processors will comply with Data Protection Legislation and contain explicit obligations on the data processor to ensure compliance with the Data Protection Legislation, and compliance with the rights of Data Subjects.
Images and Videos
Parents and others attending Savvy Education events are not allowed to take photographs and videos of those events for domestic purposes.
Savvy Education asks that parents and others do not post any images or videos which include any child other than their own child on any social media or otherwise publish those images or videos.
At Savvy Education we want to celebrate the achievements of our pupils and therefore may want to use images and videos of our pupils within promotional materials, or for publication in the media such as local, or even national, newspapers covering school events or achievements. We will seek the consent of pupils, and their parents/carers where appropriate, before allowing the use of images or videos of pupils for such purposes.
Whenever a pupil begins their attendance at Savvy Education, they, or their parent where appropriate, will be asked to complete a consent form in relation to the use of images and videos of that pupil. We will not use images or videos of pupils for any purpose where we do not have consent.
Changes to this policy
Savvy Education will review this policy on a yearly basis and may make changes. In addition, we may change this policy at any time if any circumstances change. Where appropriate, we will notify data subjects of those changes.
ANNEX
DEFINITIONS
Term: Definition
Data: is information which is stored electronically, on a computer, or in certain paper-based filing systems
Data Subjects: for the purpose of this policy include all living individuals about whom we hold personal data. This includes pupils, our workforce, staff, and other individuals. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information
Personal Data: means any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Controllers: are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. We are the data controller of all personal data used in our business for our own commercial purposes
Data Users: are those of our workforce (including Governors and volunteers) whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times
Data Processors: include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions
Processing: is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring personal data to third parties
Special Category Personal Data: includes information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or genetic or biometric data
Workforce: includes any individual employed by Savvy Education such as staff and those who work in any capacity.