BOSWORTH ACADEMY Data Protection Policy
Documentation Information
Reviewed By: Full Governing Body
Responsibility: People & Stakeholders Committee
Last Reviewed: April 2015
Review Cycle: If new legislation is released
Next Review: March 2018
Ratified by FGB: 18th June 2015
Introduction

The processing of personal data by Bosworth Academy is essential to many of the functions carried out by its staff to support students. Compliance with the Data Protection Act 1998 will ensure that this processing is carried out fairly and lawfully. This Act seeks to strike a balance between the needs of the organisation and respect for the rights and freedoms of individuals. Bosworth Academy is committed to a policy of processing personal data within the law and to ensuring that information about individuals is collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.

Bosworth Academy’s Policy Statement can be found as appendix 1, the Data Protection Principles can be found as appendix 2, a list of Key Definitions can be found as appendix 3 and related information can be found as appendix 4.
Aims

Bosworth Academy ensures that ‘No student will underachieve’. Students are encouraged to do this by ‘Be better than you thought you could be’. These aims are achieved through effective working partnerships between staff, students, parents, governors, other schools, the Local Authority and the wider community. They are reflected through all academy policies and schemes of work.

The academy will comply with:
• The terms of the 1998 Data Protection Act, and any subsequent relevant legislation, to ensure personal data is treated in a manner that is fair and lawful.
• Information and guidance displayed on the Information Commissioner’s website www.ico.org.uk

For advice, the academy can refer to the document DATA PROTECTION ACT (1998), or to the Department of Education (DfE). This policy is used in conjunction with the academy’s ICT and E-safety policies as well as other Acceptable Use Policies.

Data Gathering

• All personal data relating to staff, students or other people with whom we have contact, whether held on computer or in paper files, are covered by the Act. Only relevant personal data may be collected and the person from whom it is collected should be informed of the data’s intended use and any possible disclosures of the information that may be made.

Data Storage

Personal data will be stored in a secure and safe manner. Electronic data will be protected by standard password and firewall systems operated by the academy.
Computer workstations in administrative areas will be positioned so that they are not visible to casual observers waiting either in the office or at the reception. Manual data will be stored where it is not accessible to anyone who does not have a legitimate reason to view or process that data. Particular attention will be paid to the need for security of sensitive personal data.
Data Checking

The academy will issue reminders to staff and parents to ensure that personal data held is up to date and accurate. Any errors discovered would be rectified and, if the incorrect information has been disclosed to a third party, any recipients informed of the corrected data.

Data Disclosures

Personal data will only be disclosed to organisations or individuals for whom consent has been given to receive the data, or organisations that have a legal right to receive the data without consent being given.

When requests to disclose personal data are received by telephone it is the responsibility of the academy to ensure the caller is entitled to receive the data and that they are who they say they are. It is advisable to call them back, preferably via a switchboard, to ensure the possibility of fraud is minimised.

If a personal request is made for personal data to be disclosed it is again the responsibility of the academy to ensure the caller is entitled to receive the data and that they are who they say they are. If the person is not known personally, proof of identity should be requested.

Requests from parents or children for printed lists of the names of students in particular classes, which may be sought at Christmas, should be politely refused as permission would be needed from all the data subjects contained in the list. (Note: A suggestion that the student makes a list of names when all the students are present in class will resolve the problem.)
Personal data will not be used in newsletters, websites or other media without the consent of the data subject. Routine consent issues will be incorporated into the academy’s student data gathering sheets and home school agreement, to avoid the need for frequent, similar requests for consent being made by the academy. Personal data will only be disclosed to Police Officers, as per the local agreement and consent given by the Principal, should they need to have access to specific personal data. A record should be kept of any personal data disclosed so that the recipient can be informed if the data is later found to be inaccurate.
Subject Access Requests

If the academy receives a written request from a data subject to see any or all personal data that the academy holds about them, this should be treated as a Subject Access Request and the academy will respond within the recommended time limit.

Informal requests to view or have copies of personal data will be dealt with wherever possible at a mutually convenient time but, in the event of any disagreement over this, the person requesting the data will be instructed to make their application in writing and the academy will comply with its duty to respond within the recommended time limit.

Retention and Disposal of Data

• The academy discourages the retention of personal data for longer than they are required.
• Departments should regularly review files in accordance with legislation.
• Personal data should be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion).
Appendix 1: Policy Statement

We will comply with all requirements of the Data Protection Act 1998.

We will keep individuals informed of the purposes for which we are processing personal data, and will seek their consent where possible and appropriate. Where data is used for another purpose, individuals will be informed of this. We will also provide general information to the public on their rights under data protection legislation.

We will hold the minimum personal data necessary to carry out the academy’s functions and every effort will be made to ensure its accuracy. Data which is no longer required will be securely destroyed. Processing will comply with the academy’s policies and will follow the Code of Practice given by the ICO, where appropriate.

We aim to respond to all requests from individuals to access their personal data within the timescales set down in the Data Protection Act 1998. Requests must be in writing, provide proof of ID, provide adequate information to be able to locate the data requested and be accompanied by the statutory maximum fee of £10.

The Data Protection Act allows exemptions from subject access, providing information to individuals and non-disclosure of information, in specific and limited circumstances. We will normally only invoke an exemption where it is deemed necessary to the effective operation of the academy, for the prevention and detection of crime, to protect the individual, or is required by law.

Elected members and staff will be trained to an appropriate level in the use and control of personal data.

Appendix 2: Data Protection Principles
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Appendix 3: Key Definitions

Personal Data: Personal data includes any information relating to a living individual who can be identified from the data either alone or in combination with other information relating to that person. This can include not only personal details, details of family and social circumstances, education, employment, business and financial details, but also goods or services received, expressions of opinions or intentions, and images such as those recorded on CCTV.

Sensitive Personal Data: The Act gives this category of personal data additional safeguards in relation to its processing. Sensitive personal data consist of information relating to:
• race or ethnic origin;
• political opinions;
• religious or similar beliefs;
• membership of trade unions;
• physical or mental health;
• sexual life;
• commission or alleged commission of any offence; or
• any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

Processing of personal data: Processing is defined very widely in the Data Protection Act. The term processing includes obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data. It includes any of the following: organisation, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, blocking, erasure or destruction. As such, most if not all operations involving personal data will be covered by the definition.

Data subject: A data subject is any individual who is the subject of personal data. The definition excludes corporate entities, but will include individual employees and representatives of corporations.

Data Controller: A data controller is any person who determines the purposes for and the manner in which any personal data are or will be processed.
Bosworth Academy is a data controller holding data on its employees and members of the public.

Appendix 4: Related Information

Main Legislation
Freedom of Information Act (providing overarching right of access to all information held by a public authority).
Human Rights Act (brings much of European Convention on Human Rights into UK law).

Professional Standards
BS4783 Storage, transportation and maintenance of media for use in data processing and information storage.
ISO 17799 Standard on Information Security Management.
ISO 15489 Standard on Best Practice in Records Management.
BSI DISC PD 0008:1999 Code of practice for legal admissibility and evidential weight of information stored electronically.
BSI DISC PD 0010:1997 The principles of good practice for information management.
BSI DISC PD 0012: Guide to the practical implications of the Data Protection Act.
Internal Policy
Financial and value for money statements.
ICT, E-Safety and Acceptable Use policies.