Data Protection Policy

The Data Protection Act 1998 is the law that protects personal privacy and upholds individual’s rights.  It applies to anyone who handles or has access to people’s personal data. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the Data Protection Act. It will apply to information regardless of the way it is used, recorded and stored and whether it is held in paper files or electronically.

1.   Scope of the Policy

Personal information is any information that relates to a living individual who can be identified from the information.  This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.

Chingford House School collects and uses personal information about staff, pupils, parents and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities (LAs), government agencies and other bodies.

2.  The Eight Principles

The Act is based on eight data protection principles, or rules for ‘good information handling’.   

1. Data must be processed fairly and lawfully.

2. Personal data shall be obtained only for one or more specific and lawful purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.

4. Personal data shall be accurate and where necessary kept up to date.

5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.

6. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Data Protection Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3.  Responsibilities

3.1 The school must:

  •  Manage and process personal data properly
  •  Protect the individual’s right to privacy
  •  Provide an individual with access to all personal data held on them.

3.2 The school has a legal responsibility to comply with the Act.  The school, as a corporate body, is named as the Data Controller under the Act. Chingford House School’s Data Controller is the Manager who is responsible for ensuring all personal data is controlled in compliance with the Data Protection Act 1998.

3.3 The school is required to notify the Information Commissioner of the processing of personal data.  This information is included in a public register which is available on the Information Commissioner’s website at the following link: http://www.ico.gov.uk.

3.4 Every member of staff that holds personal information has to comply with the Act when managing that information. 

3.5 The school is committed to maintaining the eight principles at all times. This means that the school will:

• inform Data Subjects why they need their personal information, how they will use it and with whom it may be shared.

• check the quality and accuracy of the information held

• ensure that information is not held longer than is necessary

• ensure that when information is authorised for disposal it is done appropriately

• ensure appropriate security measures are in place to safeguard personal information whether that is held in paper files or on a computer system

• only share personal information with others when it is necessary and legally appropriate to do so

• set out clear procedures for responding to requests for access to personal information known as subject access in the Data Protection Act (see appendix A)

• train all staff so that they are aware of their responsibilities and of the school’s relevant policies and procedures

This policy will be updated as necessary to reflect best practice or amendments made to the Data Protection Act 1998.

4.  Reasons/purposes for processing information for children

We process personal information to enable us to provide childcare, encourage and supervise educational play, to advertise our services, to maintain our own accounts and records and to support and manage our staff.

Type/classes of information processed

We process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family details
  • GP contact details
  • digital images of the child’s progress
  • education and employment details
  • attendance and disciplinary records
  • vetting checks

 

We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin

 

Who the information is processed about

We process personal information about:

  • our employees
  • the children in our care
  • suppliers

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons. Where necessary or required we share information with:

  • family, associates and representatives of the person whose personal data we are processing
  • healthcare, social and welfare advisers or practitioners
  • current, past or prospective employers
  • employment and recruitment agencies
  • schools
  • local and central government
  • persons making an enquiry or complaint
  • suppliers
  • service providers

Transferring information overseas

We do not transfer any personal information outside the European Economic Area (EEA)

 

5.   Data about Children, Families and Carers

Chingford House School considers that the following personal data falls within the categories set out above:

  • personal details including name, address, age, and status. Where specific monitoring systems are in place, ethnic origin and nationality will also be deemed as relevant;
  • emergency contact details;
  • notes on discussions between management and the family/ carers;
  • records or reports about progress or education needs;
  • absence and sickness information;
  • behaviour management plans and incidents;
  • care plans;
  • data passed to Chingford House School regarding safeguarding issues.

6.  Collection of personal data for staff

Personal data relating to employees may be collected primarily for the purposes of:

  • recruitment, promotion, training, redeployment, and/or career development;
  • administration and payment of wages and sick pay;
  • calculation of certain benefits including pensions;
  • disciplinary or performance management purposes;
  • performance review;
  • recording of communication with employees and their representatives;
  • compliance with legislation;
  • provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers; and
  • staffing levels and career planning.

Chingford House School considers that the following personal data falls within the categories set out above:

  • personal details including name, address, age, status and qualifications. Where specific monitoring systems are in place, ethnic origin and nationality will also be deemed  as relevant;
  • references and CVs;
  • emergency contact details;
  • notes on discussions between management and the employee;
  • appraisals and documents relating to grievance, discipline, promotion, demotion or termination of employment;
  • training records;
  • salary, benefits and bank/building society details; and
  • absence and sickness information.

Employees or potential employees will be advised of the personal data which has been obtained or retained, its source, and the purposes for which the personal data may be used or to whom it will be disclosed.

Chingford House School will review the nature of the information being collected and held on an annual basis to ensure there is a sound business reason for requiring the information to be retained.

7.   Retention of records.

Chingford House School follows the retention periods recommended by the Information Commissioner in its Employment Practices Data Protection Code.

8.   Access to Personal Data (“Subject Access Requests”)

Employees and those using the services have the right to access personal data held about them. Chingford House School will arrange for the person requesting information to see or hear all personal data held about them within 21 days of receipt of a written request (see Appendix A).

Appendix A

Procedures for responding to subject access requests made under the Data Protection Act 1998

Rights of access to information

There are two distinct rights of access to information held by schools about pupils.

1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them.

2. The right of those entitled to have access to curricular and educational records as defined within the Education Pupil Information (Wales) Regulations 2004.

These procedures relate to subject access requests made under the Data Protection Act 1998.

Actioning a subject access request

1. Requests for information must be made in writing; which includes email, and be addressed to Zarkar Akhtar. If the initial request does not clearly identify the information required, then further enquiries will be made.

2. The identity of the requestor must be established before the disclosure of any information, and checks should also be carried out regarding proof of relationship to the child. Evidence of identity can be established by requesting production of:

  • passport
  • driving licence
  • utility bills with the current address
  • Credit Card or Mortgage statement

This list is not exhaustive.

3. The response time for subject access requests, once officially received, is 21 days (not working or school days but calendar days, irrespective of school holiday periods). However the 21 days will not commence until after receipt of fees or clarification of information sought

4. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure.

5. Third party information is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent should normally be obtained. There is still a need to adhere to the 21 day statutory timescale.

6. Any information which may cause serious harm to the physical or mental health or emotional condition of the pupil or another should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings.

7. If there are concerns over the disclosure of information then additional advice should be sought.

8. Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.

9. Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover.

 

 

Access to Personal Data Request (Data Protection Act 1998, Section 7)

Enquirer's Surname…………………………......................................

Enquirer's Forenames……………………………………………………..

Enquirer's Address

………………………………………………………………………………

………………………………………………………………………………

Enquirer's Postcode ……………………………...............................

Telephone Number ……………………….......................................

Do you have parental responsibility for a child who is the "Data Subject" of the records you are enquiring about?  YES / NO

If YES,

Name of child or children about whose personal data records you are enquiring

…………………………………………………………………….............

 

Description of Concern / Area of Concern

……………………………………………………………………………....

 

Description of Information or Topic(s) Requested

……………………………………………………………………………...

 

Additional information

………………………………………………………………………………

 

I request that the School search its records based on the information supplied above under Section 7 (1) of the Data Protection Act 1998 and provide a description of the personal data found from the information described in the details outlined above relating to my child/children being processed by the School.

I agree that the reply period will commence when I have supplied sufficient information to enable the School to perform the search.

I consent to the reply being disclosed and sent to me at my stated address.

Signature of Subject's Parents/carers

………………………………………………………………………………

Name of Subject's Parents/carers

 

(PRINTED)…………………………………………………………………

 

Date …………………………………………………………………………

 

 

 

Owner: Ms Zarkar Akhtar

Policy adopted on April 1st 2016

Policy reviewed on April 9th 2018