Data Protection Policy

Contents
1. Introduction
2. Application
3. What information falls within the scope of this policy
4. Your obligations
5. Personal Data must be processed fairly, lawfully and transparently
6. You must only process Personal Data for limited purposes and in an appropriate way
7. Personal Data held must be adequate and relevant for the purpose
8. You must not hold excessive or unnecessary Personal Data
9. The Personal Data that you hold must be accurate
10. You must not keep Personal Data longer than necessary
11. You must keep Personal Data secure
12. You must not transfer Personal Data outside the EEA without adequate protection
13. Sharing Personal Data outside the School – dos and don’ts
14. Sharing Personal Data within the School
15. Individuals’ rights in their Personal Data
16. Requests for Personal Data (Subject Access Requests)
17. Data breaches
18. What is a data breach?
19. Immediate action following a data breach
20. Roles and responsibilities
21. Containment and recovery
22. Establishing and assessing the risks
23. Notification
24. Contacting affected individuals
25. Internal Breach Register
26. Evaluation
27. Breach of this policy
28. Appendix

1. Introduction
a) This policy is relevant to all staff and explains the School’s expectations of staff under data protection
legislation. It provides an explanation of key data protection principles as well as detailed guidance on what to
do in the event of a data breach.
b) Data protection is about regulating the way that the School uses and stores information about identifiable
people (Personal Data). It also gives people various rights regarding their data – such as the right to access the
Personal Data that the School holds on them.
c) As a school, we collect, store and process Personal Data about our staff, pupils, parents, suppliers and other
third parties. We recognise that the correct and lawful treatment of this data will maintain confidence in the
School.
d) You are obliged to comply with this policy when processing Personal Data on our behalf. Any breach of this
policy may result in disciplinary action.
e) All queries concerning data protection matters should be raised with the School’s nominated Privacy Officer,
who is Jane O’Halloran.

2. Application
a) This policy is for all staff working in the School (whether directly or indirectly), whether paid or unpaid,
whatever their position, role or responsibilities. It includes employees, contractors, people on work experience
and volunteers.
b) This policy does not form part of your contract of employment and may be amended by the School at any time.

3. What information falls within the scope of this policy
a) Data protection concerns information about individuals.
b) Personal Data is data which relates to a living person who can be identified either from that data, or from the
data and other information that is available. Information as simple as someone’s name and address is their
Personal Data.
c) In order for you to do your job, you will need to use and create Personal Data. Virtually anything might include
Personal Data.
d) Examples of places where Personal Data might be found are:
✓ on a computer database;
✓ in a file, such as a pupil report;
✓ a register or contract of employment;
✓ pupils’ exercise books and mark books;
✓ health records; and
✓ email correspondence.
Examples of documents where Personal Data might be found are:
✓ a report about a child protection incident;
✓ a record about disciplinary action taken against a member of staff;
✓ photographs of pupils;
✓ details of a job interview;
✓ contact details and other personal information held about pupils, parents and staff and their families;
✓ contact details of a member of the public who is enquiring about placing their child at the School;
✓ information on a pupil’s performance;
✓ a report from an outside agency.
These are just examples – there may be many other things that you use and create that would be considered
Personal Data.
You must be particularly careful when dealing with Personal Data which falls into any of the categories
below:
✓ information concerning child protection matters;
✓ information about serious or confidential medical conditions and information about special educational needs;
✓ information concerning serious allegations made against an individual (whether or not the allegation amounts
to a criminal offence and whether or not the allegation has been proved);
✓ financial information (for example about parents and staff);
✓ information about an individual’s racial or ethnic origin;
✓ political opinions;
✓ religious beliefs or other beliefs of a similar nature;
✓ trade union membership;
✓ physical or mental health or condition;
✓ sexual orientation;
✓ genetic information;
✓ information relating to actual or alleged criminal activity.
These categories are referred to as special categories of personal data in this policy. If you have any questions
about your processing of these categories of Personal Data, please speak to the Privacy Officer.

4. Your obligations
a) Have strong passwords that are kept safe and confidential
b) Encrypt emails that contain personal data
c) Ensure devices and screens are locked if personal data is accessible
d) Any data or devices taken out of school should be encrypted, password-protected and kept securely
e) Paper data should be COVERED, LOCKED AWAY or SHREDDED
f) Data, including photos, should be deleted from personal devices within 72 hours

5. Personal Data must be processed fairly, lawfully and transparently
a) “Processing” covers virtually everything which is done in relation to Personal Data, including using, disclosing,
copying and storing Personal Data.
b) People must be told what data is collected about them, what it is used for and who it might be shared with,
unless it is obvious. They must also be given other information, such as what rights they have in their
information, how long we keep it for and about their right to complain to the Information Commissioner’s
Office (the data protection regulator).
c) This information is provided in a document known as a data privacy notice. Copies of the School’s privacy
notices can be accessed on the School’s website. You must familiarise yourself with the School’s privacy notice.
d) If you are using Personal Data in a way which you think an individual might think is unfair please speak to the
School’s privacy officer.
e) You must only process Personal Data for the following purposes:
✓ ensuring that the School provides a safe and secure environment;
✓ providing pastoral care;
✓ providing education and learning for our pupils;
✓ providing additional activities for pupils and parents (for example activity clubs);
✓ protecting and promoting the School’s interests and objectives, e.g. fundraising, liaising with ‘Old Boys’ and
prospective parents, and parent communication;
✓ safeguarding and promoting the welfare of our pupils;
✓ fulfilling the School’s contractual and other legal obligations; or
✓ as outlined in the relevant privacy notice(s).
If you want to do something with Personal Data that is not on the above list, or is not set out in the relevant
privacy notice(s), you must speak to the Privacy Officer or, in their absence, the Deputy Privacy Officer,
Annalisa Webb, before you do anything outside of the areas listed. This is to make sure that the School has a
lawful reason for using the Personal Data.
We may sometimes rely on the consent of the individual to use their Personal Data. This consent must meet
certain requirements and therefore you should speak to the Privacy Officer if you think that you may need to
obtain consent.

6. You must only process Personal Data for limited purposes and in an appropriate way
a) For example, if pupil photographs are taken for the School’s newsletter, they cannot then be used on
social media without separate, granular consent from a parent or guardian.

7. Personal Data held must be adequate and relevant for the purpose
a) This means not making decisions based on incomplete data. For example, when writing reports you must make
sure that you are using all of the relevant and correct information about the pupil.

8. You must not hold excessive or unnecessary Personal Data
a) Personal Data must not be processed in a way that is excessive or unnecessary. For example, you should only
collect information about a pupil’s siblings if that Personal Data has some relevance, such as where the sibling
is also a pupil, allowing the School to determine if a sibling fee discount is applicable or the parent has
indicated the sibling may join the school in the future.

9. The Personal Data that you hold must be accurate
a) You must ensure that Personal Data is complete and kept up to date. For example, if a parent notifies you that
their contact details have changed, you must ensure that the data is passed directly to Lisa Wilson to update all
central records.

10. You must not keep Personal Data longer than necessary
a) The School has a Retention and Deletion Schedule which gives details of how long different types of data
should be kept and when data should be destroyed. This applies to both paper and electronic documents. You
must be particularly careful when you are deleting data.
b) Please speak to the Privacy Officer or, in their absence, the Deputy Privacy Officer, for guidance on the
retention periods and secure deletion.

11. You must keep Personal Data secure
a) You must comply with the following School policies and guidance relating to the handling of Personal Data:
✓ Data Security Policy (within E-Safety Policy);
✓ ICT Acceptable Use Policy for Staff;
✓ E-Safety Policy;
✓ Recruitment Policy;
✓ Social Media Policy (within E-Safety Policy);
✓ Code of Conduct; and
✓ Retention and Deletion Schedule.

12. Sharing Personal Data outside the School – dos and don’ts
a) DO share Personal Data on a need-to-know basis, but consider why it is necessary to share this data outside of
the School. If in doubt, always ask the School’s Privacy Officer or, in matters relating to a pupil’s well-being, the
Designated Safeguarding Lead.
b) DO NOT send emails which contain special categories of personal data described above without taking steps to
ensure that the data cannot be accessed by anyone other than the intended recipient.
c) DO make sure that you have permission from the Privacy Officer to share Personal Data on the school website.
d) DO be aware of “blagging”. This is the use of deceit to obtain Personal Data from people or organisations. You
should seek advice from the Privacy Officer where you are suspicious as to why the information is being
requested or if you are unsure of the identity of the requester (e.g. if a request has come from a parent but
using a different email address).
e) DO be aware of “phishing”. Phishing is a way of making something (such as an email or a letter) appear as if it
has come from a trusted source. This is a method used by fraudsters to access valuable personal details, such
as usernames and passwords.
f) DO NOT reply to emails or pop-up messages that ask for personal or financial information, and DO NOT click on
any links in an email from someone that you don’t recognise.
g) DO report all concerns about phishing to the Head Teacher.
h) DO NOT disclose Personal Data to the Police without permission from the Privacy Officer or, in their absence,
the Deputy Privacy Officer.
i) DO NOT disclose Personal Data to contractors without permission from the Privacy Officer.

13. Sharing Personal Data within the School
a) Personal Data must only be shared within the School on a “need to know” basis.
b) Examples of sharing which are likely to be compliant with data protection legislation include:
✓ a teacher discussing a pupil’s academic progress with other members of staff (for example, to ask for advice on
how best to support the pupil)
✓ disclosing details of a teaching assistant’s allergy to bee stings to colleagues so that you/they will know how to
respond (but more private health matters must be kept confidential).
Examples of sharing which are unlikely to be compliant with data protection legislation include:
✓ disclosing personal contact details for a member of staff (e.g. their home address and telephone number) to
other members of staff (unless the member of staff has given permission or it is an emergency).
You may share Personal Data to avoid harm, for example in child protection and safeguarding matters.

14. Individuals’ rights in their Personal Data
a) Individuals have various rights regarding the information we hold on them.
b) Staff must be able to recognise when someone is exercising their rights so that the matter can be referred to the
Privacy Officer. Please let the Privacy Officer know as soon as possible, as the School needs to keep a clear log
whenever personal data is requested, whether for the requester themselves or on behalf of another person, such
as their child.
The types of request that may be made by an individual include where the individual:
✓ wants to know what information the School holds about them or their child;
✓ asks to withdraw any consent that they have given to use their information or information about their child;
✓ wants the School to delete any information;
✓ asks the School to correct or change information (unless this is a routine updating of information such as
contact details);
✓ asks for electronic information which they provided to the School to be transferred back to them or to another
organisation;
✓ wants the School to stop using their information for direct marketing purposes. Direct marketing has a broad
meaning for data protection purposes and might include communications such as the School newsletter or
events inviting past pupils; or
✓ objects to how the School is using their information or wants the School to stop using their information in a
particular way: for example, if they are not happy that information has been shared with a third party.

15. Requests for Personal Data (Subject Access Requests)
a) Individuals are entitled to request a copy of the Personal Data which the School holds about them or in some
cases, their child. This is termed a “subject access request”.
b) Subject access requests do not have to be labelled as such and do not even have to mention data protection.
For example, an email which simply states “Please send me copies of all emails you hold about me” is a valid
subject access request. You must always immediately let the Privacy Officer know. The Privacy Officer will then
log this request.
c) Receiving a subject access request is a serious matter for the School and involves complex legal rights. Staff
must never respond to a subject access request themselves unless authorised to do so.
d) When a subject access request is made, the School must disclose all of that person’s Personal Data to them
which falls within the scope of his/her request. There are only very limited exceptions.

16. Data breaches
a) The School understands the importance of keeping Personal Data secure and of effectively dealing with data
breaches. This is essential for maintaining the trust of staff, pupils and their parents when the School uses their
information.
b) This policy and procedure is to be used in the event of a data breach at the School (or a suspected data
breach).
c) All staff receive training on how to recognise a data breach.
d) The School is required to report certain breaches to the Information Commissioner’s Office and to data
subjects under the General Data Protection Regulation. There are strict timescales for reporting breaches. The
School also has responsibilities to report certain incidents to other regulators on occasions. This policy gives
more information about how the School will ensure that timely and compliant reports are made.

17. What is a data breach?
a) A data breach is a breach of security which leads to any of the following:
✓ the loss of Personal Data;
✓ the accidental or unlawful destruction of Personal Data;
✓ the disclosure of Personal Data to an unauthorised third party;
✓ the unlawful or accidental alteration of Personal Data; or
✓ unauthorised access to Personal Data.
If staff are in any doubt as to whether an incident constitutes a data breach they must speak to the Privacy
Officer or, in their absence, the Deputy Privacy Officer.
In the event of a data breach:
✓ Inform the School’s Privacy Officer or the Deputy Privacy Officer.
✓ Identify what Personal Data is at risk.
✓ Take measures to prevent the breach from worsening, e.g. changing passwords/access codes.
✓ Recover any of the compromised Personal Data e.g. use back-ups to restore data.
✓ Consider whether outside agencies need to be informed as a matter of urgency e.g. the police in the event of a
burglary or Children’s Services where the breach may lead to serious harm being caused to a pupil.
✓ Consider whether any affected individuals should be told about the breach straight away e.g. so that they may
take action to protect themselves or because they would find out about the breach from another source.

18. Roles and responsibilities
a) The following staff form the School’s Data Privacy Committee and have the responsibilities set out against each
role below:
b) The Privacy Officer – Jane O’Halloran
The Privacy Officer will chair the Committee and is responsible for co-ordinating the School’s response to any
breach. In addition, the Privacy Officer will lead on any physical security measures which are required at the School
site to contain the breach.
c) The Deputy Privacy Officer – Annalisa Webb
Deputises for and assists the Privacy Officer.
d) The Head Teacher (who is also the Privacy Officer)
✓ will be responsible for any communications with pupils and parents and for any pupil welfare or
disciplinary considerations.
e) The Privacy Officer and Deputy Privacy Officer
✓ will be responsible for ensuring the security of the School’s IT infrastructure. In addition, they will take
responsibility for any possible technical measures to recover Personal Data or to contain a data breach.

20. Containment and recovery
a) As soon as a data breach has been identified or is suspected, the School will take steps to recover any Personal
Data and to contain the breach, which may include:
✓ changing any passwords and access codes which may have been compromised;
✓ if appropriate in all the circumstances, telling employees to notify their bank if financial information has been
lost (or other information which could lead to financial fraud);
✓ limiting staff and/or pupil access to certain areas of the School’s IT network;
✓ using back-up tapes to restore lost or damaged data;
✓ taking any measures to recover physical assets, e.g. notifying the police or contacting third parties who may
have found the property;
✓ notifying insurers; and
✓ taking action to mitigate any loss.
b) The Data Privacy Committee will decide what action is necessary and which member(s) of the Committee will
be responsible for the different aspects of the containment and recovery. Where appropriate, the Data Privacy
Committee may delegate tasks to other members of staff with the relevant expertise.
c) The Data Privacy Committee may seek assistance from outside experts if appropriate to effectively contain the
breach and recover any Personal Data, e.g. legal advice, reputation management advice or specialist technical
advice.

21. Establishing and assessing the risks
a) The next stage in the process of dealing with a data breach is to establish and assess the risks presented by the
breach. The Data Privacy Committee’s approach will be shaped by the questions set out in the Data Breach
Assessment document.

22. Notification
a) The School is required to report a data breach to the ICO unless the breach is unlikely to result in a risk to the
rights and freedoms of individuals. The Data Privacy Committee’s risk assessment will be used to determine if a
notification to the ICO is required, and the reasons for a decision not to notify the ICO will be documented by
the Data Privacy Committee. A notification to the ICO will be made without undue delay and where feasible
within 72 hours of having become aware of the breach.
b) The School will observe ICO procedures for data breach notifications:
https://ico.org.uk/fororganisations/report-a-breach/.
c) The School may also prepare a letter to the ICO in addition to following the ICO’s procedures in order to set the
context for the breach.
d) The School’s notification will contain as a minimum:
✓ a description of the nature of the data breach including, where possible:
    ✓ the categories and approximate number of data subjects concerned; and
    ✓ the categories and approximate number of Personal Data records concerned;
✓ the name and contact details of the Privacy Officer or, in their absence, the staff member who can provide more
information to the ICO if required;
✓ a description of the likely consequences of the data breach; and
✓ a description of the measures taken or proposed to be taken by the School to address the data breach,
including, where appropriate, measures to mitigate its possible adverse effects.
e) If it is not possible to submit the notification to the ICO within 72 hours of becoming aware of the breach, the
School will explain the reason for this delay.
f) If it is not possible to provide all of the information at the same time, the School will provide the information to
the ICO in phases without further undue delay. For example, the School may make an initial notification within
the 72 hour period with a more detailed response the following week once the School has more information on
what happened.
g) The School may also consider reporting the data breach to other relevant bodies and to the Police, where it is
possible that a criminal offence has been committed.

23. Contacting affected individuals
a) The School is required by the GDPR to report a data breach to the individuals whose data has been
compromised (known as data subjects) where the breach is likely to result in a high risk to the rights and
freedoms of individuals. It may not always be clear which individuals should be notified, for example, parents
may need to be notified rather than their children.
b) A notification does not need to be made where:
✓ the School had taken measures so that the data compromised was unintelligible to any person not authorised
to access it (e.g. it was encrypted); or
✓ the School has managed to contain the breach or taken mitigating action so that any high risk to individuals is
no longer likely to materialise (e.g. an unencrypted memory stick has been recovered before anyone was able
to access the data held on it).
c) If the School decides not to notify individuals, this decision will be documented.
d) If a notification is sent, this will be done without undue delay. The Privacy Officer, along with members of the
Data Privacy Committee, will decide the most appropriate method of communication for the notification;
factors to consider include the urgency of the notification. For example, it may be appropriate to telephone
individuals and follow up with an email.
e) The School may work with external agencies, including the ICO and the Police, to determine the most
appropriate time to notify the individuals. The ICO may advise or require the School to notify individuals. In
addition, the ICO has the authority to require a more detailed notification to be given to individuals.
f) Notifications to individuals will include the following as a minimum:
✓ the name and contact details of a person at the School who can provide more information. The Data Privacy
Committee should choose the appropriate staff member at the School, which will depend upon which
individuals are affected;
✓ a description of the likely consequences of the data breach; and
✓ a description of the measures taken or proposed to be taken by the School to address the data breach,
including, where appropriate, measures to mitigate its possible adverse effects.
g) In addition, the School will consider if any additional information would be helpful to data subjects, for
example, instructions on measures which they can take to protect their data now or in the future.

24. Internal Breach Register
a) The School is required to keep a register of all data breaches, including those which do not meet the threshold
to be reported. Staff must be regularly trained to report all data breaches to enable the School to meet this
requirement. This training will be part of the induction process for new staff and then ongoing.
b) The Privacy Officer is responsible for keeping this register up to date.

25. Evaluation
a) The School regularly evaluates the effectiveness of both its organisational and technical measures to protect
Personal Data. See the Information Security Policy for more details.
Organisational measures include:
✓ policies for staff on their data protection obligations, including when working away from the School site;
✓ guidance for staff on how to use specific computer applications and software securely;
✓ data protection training for staff.
Technical measures include:
✓ limiting access to certain areas of the School’s IT network;
✓ firewalls and virus protection; and
✓ the use of backups.
The Data Privacy Committee will establish how existing measures could be strengthened and what additional
measures should be put in place to guard against future data breaches. The Data Privacy Committee will
consider if breaches of a similar type have previously occurred and the risk of security breaches more broadly.
The Data Privacy Committee may delegate this task to one or more appropriate members of staff and will
consider whether legal and/or technical advice is required.
Key points for the evaluation include:
✓ Was the breach reported to the Privacy Officer immediately? If not, why not, and what action can be taken to
speed up the process in future?
✓ Were all possible measures taken to recover the data promptly?
✓ Could more have been done to contain the breach as quickly as possible?
✓ If one of the School’s processors (e.g. a payroll supplier) was either responsible for the breach, or discovered
the breach, was this notified to the School without undue delay? If not, what measures can be put in place to
improve this communication in the future?
✓ Would improvements in the training given to staff have prevented the breach or lessened the severity of the
breach?
✓ Can measures be taken to speed up the process of staff reporting breaches?
✓ Does the School’s Information Security Policy need to be revised?
✓ Are changes required to the School’s IT system?
✓ Should the School’s document management system be made more robust? For example, should staff’s ability to
access certain documents be limited to a greater extent?
✓ Does the physical security of the School, particularly in areas where Personal Data is kept, need to be
improved?
✓ Do the School’s remote working practices need to change?
✓ Does the School need more robust procedures around staff using their own devices for School work?
✓ Do the School’s contracts with processors/ICT providers need to be revised?
✓ Does the School need to do more robust due diligence on its processors?
b) The Committee will report the outcome of the evaluation to all staff before implementing any changes that are
deemed necessary.

26. Breach of this policy
a) Any breach of this policy will be taken seriously and may result in disciplinary action.
b) A member of staff who deliberately or recklessly discloses Personal Data held by the School without proper
authority is guilty of a criminal offence and gross misconduct. This could result in summary dismissal.

Updated: 28/08/18
Reviewed August 2019

Review due August 2020

Policy adopted by Jane O’Halloran Head Teacher