General Data Protection Regulation (GDPR)
The Data Protection Act 1998 has been added to by the Data Protection Act 2018 reflecting new European legislation called the General Data Protection Regulation (GDPR). The new law will extend the rights of individuals and require organisations holding personal data to comply with a new stricter set of rules.
The new regulations were introduced on 25th May 2018.
Changes included the following new rights for Data Subjects
The new rights are:
- the right to be forgotten – in some cases an individual can ask for their personal data to be deleted
- changes to consent required from individuals
- where consent for the use of personal data is required it must in future be explicit, non-ambiguous and given freely
can be withdrawn
Mandatory Breach Notification
In certain circumstances schools will have to tell the Information Commissioner Office about unauthorised disclosures of personal data as soon as they are discovered. If the disclosure has serious implications for any individuals, they will have to be informed as well.
Privacy by Design
Tibshelf Community School will design data protection into development of business processes, new systems and undertake Data Protection Impact Assessments (DPIAs).
Read more about these by clicking on the link below called “Data Protection Impact Assessments”.
In accordance with the requirements outlined in the GDPR, personal data will be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
The Data Protection Policy demonstrates the school’s commitment to the GDPR and outlines how we will become compliant.
Data Breach Procedure
Tibshelf Community School holds large amounts of personal and sensitive data. Every care is taken to protect personal data and to avoid a data protection breach. In the event of data being lost or shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. This procedure applies to all personal and sensitive data held by Tibshelf Community School and all school staff, governors, volunteers and contractors.
The breach procedure sets out the course of action to be followed by all staff at Tibshelf Community School if a data protection breach takes place.
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a process which helps assess privacy risks to individuals in the collection, use and disclosure of personal information.
Building into Project Plans
Completion of a DPIA should be built into the organisational business approval and procurement processes. Any systems which do not identify individuals in any way do not require a DPIA to be completed. However, it is important to understand that what may appear to be “anonymised” data, could in fact be identifiable when used with other information, so anonymised data should be considered very carefully before any decision is made that it will not identify individuals. Advice may be sought from Derbyshire County Council’s Data Protection Officer as to whether a DPIA needs to be completed.
Responsibility for Conducting a DPIA
Where a school is introducing a new or revised service or changes to a new system, process or information asset, the school is responsible for ensuring the completion of a DPIA.
At the start of the design phase of any new service, process, purchase of implementation of an information asset for example, consideration should be given to the need and procedures for completing the DPIA.
FOI & Subject Access – Data Protection Act 2018
There are two distinct rights to information held by schools about pupils.
- The subject access right – under the Act a pupil has the right to a copy of their own information. In certain circumstances requests may be made by a parent on behalf of their child.
- Rights to the educational record – under the Education (Pupil Information) (England) Regulations 2005, referred to here as the Regulations, a parent has the right to access their child’s educational record.
Under the subject access right parents will only be able to see all the information about their child, when the child is unable to act on their own behalf or gives their consent.
Staff also have a right under the Act to a copy of their own information.
Further information can be found in our policy.
Use of Images and Videos
This section explains the reasons why and how Tibshelf Community School may use images and videos of your child.
Why do we need your consent?
Tibshelf Community School requests the consent of parents to use images and videos of their child for a variety of different purposes. Tibshelf Community School will take and hold images (including photo and video) for purposes of safeguarding, identification and assessment.
Without your consent, the school will not publish images and videos of your child. Similarly, if there are only certain conditions under which you would like images and videos of your child to be used, the school will abide by the conditions you outline in this form.
Why do we use images and videos of your child?
Tibshelf Community School uses images and videos of pupils as part of school displays to celebrate school life and pupils’ achievements; to promote the school on social media and on the school’s website; and for other publicity purposes in printed publications, such as newspapers.
Where the school uses images of individual pupils, the name of the pupil will not be disclosed. Where an individual pupil is named in a written publication, a photograph of the pupil will not be used to accompany the text.
If, for example, a pupil has won an award and their parent would like their name to be published alongside their image, separate consent will be obtained prior to this.
Who else uses images and videos of your child?
It is common that the school is visited by local media and press, who take images or videos of school events, such as sports days. Pupils will appear in these images and videos, and these may be published in local or national newspapers, or on approved websites.
Where any organisations other than those above intend to use images or videos of your child, additional consent will be sought before any image or video is used.
What are the conditions of use?
- It is the responsibility of parents to inform the school, in writing, if consent needs to be withdrawn or amended.
- The school will not use the personal details or full names of any pupil in an image or video, on our website, in our school prospectuses or any other printed publications.
- The school will not include personal emails or postal addresses, telephone or fax numbers on images or videos on our website, in our school prospectuses or any other printed publications.
- The school may use pictures of pupils and teachers that have been drawn by pupils.
- The school may use work created by pupils.
- The school may use group or class images or videos with general labels, e.g. ‘sports day’.
- The school will only use images and videos of pupils who are suitably dressed, i.e. it would not be suitable to display an image of a pupil in swimwear.
- The school will only publish images and videos of your child for the conditions that you provide consent for.
|Examples of consent that may be requested:|
Sharing data with a school-appointed external photography company for official school images. This includes the following:
Refreshing your consent
Consent will need to be refreshed where any changes to circumstances occur – this can include, but is not limited to, the following:
- New requirements for consent, e.g. an additional social media account will be used to share pupil images and videos
- Changes to a pupil’s circumstances, e.g. safeguarding requirements mean a pupil’s image cannot be used
- Changes to parental consent, e.g. amending the provisions for which consent has been provided for if you would like to amend the provisions for which consent has been provided, you must submit your request in writing to the headteacher. A new form will be supplied to you to amend your consent accordingly and provide a signature.
Withdrawing your consent
- Parents have the right to withdraw their consent at any time. Withdrawing your consent will not affect any images or videos that have been shared prior to withdrawal.
If you would like to withdraw your consent, you must submit your request in writing to the headteacher.