Data Protection - The law is changing!
The Cathedral School of St Peter and St John currently processes data in line with the Data Protection Act 1998, and is registered with the Information Commissioner's Office (ICO) on their register of data controllers.
What does ICO do?
ICO is the UK’s independent body set up to uphold information rights
It enforces and regulates freedom of information and data protection laws
Provides information and advice
Promotes good practice
The Data Controller for this school is the Head Teacher Mrs Diane Hanley. The data controller must ensure the school abides by the following 8 principles currently in place:
1. Personal information must be fairly and lawfully processed
2. Personal information must be processed for limited purposes
3. Personal information must be adequate, relevant and not excessive
4. Personal information must be accurate and up to date
5. Personal information must not be kept for longer than is necessary
6. Personal information must be processed in line with the data subjects' rights
7. Personal information must be secure
8. Personal information must not be transferred to other countries without adequate protection
The Data Controller for the school must say the reasons/purposes for processing information, the types/classes of information processed, who the information is about, who the information can be shared with, and who the information can be transferred to overseas. This is a public duty.
On 25th May 2018, the new General Data Protection Regulations (GDPR) come into force and these will apply to all schools, adding extra responsibilities to those of the Data Protection Act 1998. Schools will have to ensure that the strategies they currently have in place for data protection are compliant, and failure to do so could result in very heavy fines for breaches. Accountability is central to GDPR.
The 6 Principles of GDPR will replace the existing 8 listed above.
Data will be:
1. Processed fairly, lawfully and in a transparent manner
2. Used for specified, explicit and legitimate purposes
3. Used in a way that is adequate, relevant and limited
4. Accurate and kept up to date
5. Kept no longer than is necessary
6. Processed in a manner that ensures appropriate security of the data
We will be working to ensure school is compliant with the new regulations. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act. However, there are new elements and significant enhancements, so we will have to do some new things for the first time and change the way we do some existing things. In order to identify fully what needs to be done, school will be undertaking a full review/audit of existing data held in school. Training will be taking place to raise staff awareness of the new regulations regarding data protection.
The GDPR explicitly states that children’s personal data merits specific protection and also introduces new requirements for the online processing of a child’s personal data.
It will be good practice to consult with children themselves when we design our processes going forwards so they can provide feedback. This will help us to identify risks, design safeguards and assess understanding. It is also consistent with the UN Convention on the rights of a child, which (Article 12) says that every child has the right to express their views, feelings and wishes in all matters affecting them, and to have their views considered and taken seriously. Our children will be involved in the creation of a new privacy notice that is child friendly and age appropriate.
Policy for Data Protection for The Cathedral School of St Peter and St John RC Primary
The school will ensure that personal data is protected and kept safely and securely. It will ensure that its policy for data protection is used as the basis for collecting, storing, accessing, sharing and deleting personal data. The school will use the General Data Protection Regulations (GDPR) as the benchmark for its standard for protecting personal data.
The requirements of the GDPR will be met by this school as the basis for collecting, storing, accessing, sharing and deleting personal data. Data will be processed fairly, lawfully and in a transparent manner. It will be used for specified, explicit and legitimate purposes in a way that is adequate, relevant and limited. It will be accurate and kept up to date and kept no longer than is necessary. Data will be processed in a manner that ensures appropriate security of the data.
Our work on being compliant with the new regulations is a “work in progress” and this page will be updated as further information is available. Meanwhile, if you have any issues regarding current data protection in our school please do not hesitate to speak to the Head Teacher and Data Controller Mrs Hanley.