Date Created | Date 1st Review Due | Date Reviewed | Version | Next Review Due |
February 2023 | February 2024 | 1 | ||
February 2024 | 2 | February 2025 |
Policy Statement
Egham Park School is committed to safeguarding and promoting the welfare of children and young people and expects all staff and volunteers to share this commitment.
The public good is in nothing more essentially interested, than in the protection of every individual’s private rights – Blackstone.
The UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 has been considered in the drafting of this policy. Being an alternative educational provision, Egham Park School needs to collect data and information and also use that data and information. Personal data is typically gathered from pupils, parents/carers and staff but can include others associated with Egham Park School. The purpose of data collection is always to aid the betterment of the school and subsequently the pupils themselves. Data will never be gathered unnecessarily. Data collection is a legal issue and Egham Park School will be required to comply with said legal guidelines.
The following policy outlines Egham Park School’s approach to Data Protection
1. Purpose
This policy establishes an effective, acceptable and transparent framework for ensuring compliance with the requirements of the UK GDPR.
Personal information needs to be handled securely and correctly; it is the purpose of this policy to ensure that. This policy applies to any and all data collected by Egham Park School and ultimately will aid the learning of pupils and allow staff to monitor and report on pupil progress.
2. Scope
This policy applies to all Egham Park School employees and all third parties responsible for the processing of personal data on behalf of Egham Park School.
3. The Rights of Data Subjects
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure (some of these rights are not going to apply due to other conditions set out in the Lawful Basis Section).
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
3. The Data Protection Principles
Under the UK GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the UK GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
4. Lawful, Fair and Transparent Data Processing
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means Egham Park School must tell the data subject what processing will occur, (transparency) the processing must match the description given to the data subject (fairness) and must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
Egham Park School obtains consent from pupils who are over 18, and parents to process their data for the specific purposes of: providing education to the pupil and safeguarding. Please see appendix A for consent letter and privacy policy.
5. Specified, Explicit and Legitimate Purposes
Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. This means Egham Park School must specify exactly what the personal data collected is for and limit the processing of that personal data to only what is necessary to meet the specific need.
6. Adequate, Relevant and Limited Data Processing
Personal data shall be adequate, relevant and limited only in relation to the purposes for which they are processed. This means Egham Park School will not store any personal data beyond strictly required (see Data Retention Schedule)
7. Accuracy of Data and Keeping Data Up-to-Date
Personal data must be accurate and kept up to date. This means Egham Park School will identify and address out of date, incorrect and redundant personal data. Personal data shall be kept in a form which enables identity of the data subject for no longer than necessary for the purpose for which the data was originally needed. This means Egham Park School must wherever possible store personal data which limits or prevents identification of the data subject. Please see Data Retention Schedule.
8. Data Retention
Please see Data Retention Policy.
9. Secure Processing
Personal data shall be processed in a manner that ensures appropriate security of data, including protection against unauthorised or unlawful processing and against accidental loss or damage. Egham Park School uses appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
10. Accountability and Record-Keeping
The Administration Officer shall be responsible for and be able to demonstrate compliance. This means Egham Park School must demonstrate how the data protection principles outlined above apply to the personal data for which it is responsible.
11. Data Protection Impact Assessments
Please see Data Protection Impact Assessment Policy.
12. Keeping Data Subjects Informed
Please see Privacy Policy.
13. Data Subject Access
Please see Subject Access Request Policy
14. Recitification of Personal Data
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing.
Egham Park School will respond within one calendar month to the request.
In certain circumstances we have the right to refuse a request for rectification. This right is closely linked to the Admin Officer’s obligations under the accuracy principle of the UK GDPR (Article (5)(1)(d)).
15. Erasure of Personal Data
Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- The personal data is no longer necessary for the purpose which Egham Park School originally collected or processed it for;
- Egham Park School is relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
- Egham Park School is relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- Egham Park School is processing the personal data for direct marketing purposes and the individual objects to that processing;
- Egham Park School has processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- Egham Park School has to do it to comply with a legal obligation;
- Egham Park School has processed the personal data to offer information society services to a child.
An individual can make a request for the right to erasure verbally or in writing
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
- for the establishment, exercise or defence of legal claims.
16. Data Portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that Egham Park School transmits this data directly to another school / college.
When does the right apply?
The right to data portability only applies when:
- the lawful basis for processing this information is consent or for the performance of a contract;
- we are carrying out the processing by automated means (ie excluding paper files).
What does the right apply to?
Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to Egham Park School.
The right to data portability entitles an individual to:
- receive a copy of their personal data;
- have their personal data transmitted from one controller to another controller
An individual should make the request in writing, Egham Park School will respond within one month.
17. Objections to Data Processing
Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data. This effectively allows individuals to ask Egham Park School to stop processing their personal data.
The right to object only applies in certain circumstances. Whether it applies depends on Egham Park School’s purposes for processing and our lawful basis for processing. An individual can ask Egham Park School to stop processing their personal data for direct marketing purposes at any time. This is an absolute right and there are no exemptions or grounds for refusal.
Egham Park School obtains consent from individuals to process their data for the specific purposes of either providing an education or a place of employment and for safeguarding purposes and to object to the processing of personal data would hamper our ability to perform our public task.
18. Personal Data Collected, Held and Processed
Please see Privacy Policy
Data Security
Article 5(1)(f) of the UK GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
Storage
Pupil, parent/carer and staff data is held in our system. Each user is issued with a unique and secure password, with permission-based access ensuring that they can only view the data relevant to them. No data is stored on any device. Pupil data is NEVER shared with third parties without Egham Park School’s consent.
All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely. Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
- Staff should note that unauthorised disclosure and/or failure to adhere to the requirements set out below will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
- Personal information should be kept in a locked cupboard or in a locked drawer; or if it is computerised, be password protected; or when kept or in transit on portable media the files themselves must be password protected.
- Personal data should never be stored at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. Ordinarily, personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the Principal must be obtained, and all the security guidelines given in this document must still be followed.
- Data stored on portable electronic devices or removable media is the responsibility of the individual member of staff who operates the equipment. It is the responsibility of this individual to ensure that: Suitable backups of the data exist; Sensitive data is appropriately encrypted. Electronic devices such as laptops, mobile devices and computer media (USB devices, CD’s etc) that contain sensitive data are NOT left unattended when offsite.
For some information, the risks of failure to provide adequate security may be so high that it should never be taken home. This might include payroll information, addresses of pupils and staff, disciplinary or appraisal records or bank account details. Exceptions to this may only be with the explicit agreement of the Principal.
Disposal
All records containing personal information, or sensitive policy information should be made either unreadable or un-reconstructable.
- Paper records should be shredded.
- CDs / DVDs should be cut into pieces.
- Hard Disks should be dismantled and sanded.
- Electronic files should be deleted.
19. Data Breach Notification
Please see Data Breach Policy
20. Implementation of Policy
The Principal and the Administration Officer will ensure that all Egham Park School employees responsible for the processing of personal data are aware of and comply with the contents of this policy. In addition, they will ensure all third parties engaged to process personal data on behalf of Egham Park School are aware of and comply with the contents of this policy. Assurance of which must be obtained from all third parties prior to granting access to the personal data controlled by Egham Park School.