GDPR (General Data Protection Regulation)
From 25th May 2018 Data protection regulations have changed. This page will show how The Windmills Junior School use and store your data. It will also give you information about how to access and change the data we hold on you or your child and what consent you will be asked to give.
As part of the regulation the school has appointed a Data Protection Officer. Any enquiries about data should go to the Data Protection Officer via e-mail: firstname.lastname@example.org or by calling 01273 842421.
Windmills Junior School is registered with the ICO. Registration reference Z6719739
POLICIES / PRIVACY NOTICES
The Windmills Data Protection Policy
The Windmills Privacy Notice Pupils
The Windmills Privacy Notice for Recruitment and Volunteers
The Windmills Freedom of Information Policy
The Windmills Publication Scheme
IDENTIFYING OUR LAWFUL BASIS FOR PROCESSING DATA
We use public task as your lawful basis for most of your processing. This means that we need to process personal data to carry out your official functions in the public interest.
We also use consent for processing data where it's not necessary for you to fulfill your function. This is used when none of the other bases apply, as the standard for getting consent is very high and consent can be withdrawn at any time.
SIX PRINCIPLES OF DATA PROTECTION
There were 8 principles under the DPA and now there are 6. Essentially the same but condensed. Article 5 of the GDPR states that personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Individuals have the following rights:
- be informed of data processing (which is covered by the School’s Privacy Notice)
- access information (also known as a Subject Access Request)
- have inaccuracies corrected
- have information erased
- restrict processing
- data portability (this is unlikely to ever be relevant to schools)
- intervention in respect of automated decision making (automated decision making is rarely operated within schools)
- Withdraw consent
- Complain to the Information Commissioner’s Office
The Windmills Parental Rights Procedure
The Windmills Rectification and Erasure Procedure
HOW WE DEAL WITH RECORDS
Please refer to our policy:
The Windmills Records Management Policy
The school have a procedure to deal with any breach in data security. Any breach will be reported to and dealt with by the DPO. The breach will be recorded, investigated and steps taken to lessen any impact. The DPO will decide if the breach is significant enough to report to the ICO. This must be done within 72 hours of the data breach. The DPO will evaluate the breach, risk assess and put in any changes to data security or process as required.
Any queries relating to Data should be address to the Data Protection Officer.
The lawful basis for processing personal data of students and staff is that it is necessary in order for the School to discharge its legal obligations and statutory duties. In respect of this processing the Privacy Notices are sufficient to ensure lawful processing. It is not usual for Schools to process personal data solely based on written consent. Where the School takes a photograph or film of someone on school premises, events or trips and wants to use this image for educational purposes, consent is not required. However, the pupil if over 16 years old, or if younger their guardian must still be informed that photography or filming is taking place and the context in which the image will be used.
Consent will be required where there is additional processing of personal data which is not within the reasonable expectation of those involved.
Where the child is below the age of 16 years, consent must be given by the holder of parental responsibility over the child.
How we obtain consent.
When a pupil starts at The Windmills parents will be asked to register for the SIMS Parent App and to update Parent Consents for their child. This will cover their time at the school until they leave. If additional consent is required a separate request will be sent out to cover the consent for a particular event.
Guidance on consent and withdrawal.
Anything requiring consent requires a positive opt-in. If another organisation/third party is relying on the consent we will name them in the consent form.
Consent can be withdrawn at any time. We will require this in writing and given to the office. You will receive a receipt of a withdrawal of consent and it will be acted upon within a reasonable period of time and no longer than one month from the date of receipt.
UPDATING AND REVIEWING
All policies and procedures will be regularly reviewed and updated by the DPO and any changes agreed with the Headteacher and Governors.
Policies and procedures will also be reviewed if there are any changes to how data is managed at the school, Government guidelines or following a breach of data security.