General Data Protection Regulations - Guidance for Parents and Carers
Chandos Primary understands the importance of protecting the personal data of staff, pupils and visitors, and works hard to ensure that only essential personal data is requested, processed and stored by the school. Any information that can identify a natural person (such as name, date of birth, address, etc.) is classed as ‘personal data’. All personal data is stored securely with limited access. Data is then destroyed securely in line with guidance from the Information Commissioner's Office (ICO).
Processing of data can only be lawful if it is:
with consent from the parent/carer (or with consent from the pupil if aged 13+)
in order to fulfil a contract (such as an employment contract)
in order to fulfil our legal obligations
in order to protect the vital interests of the pupil (e.g. in life-or-death situations)
in cases where there is an identified safeguarding concern, pupil information may be shared/processed in the public interest or in the exercise of official authority (ensuring high standards of education, research or statistical purposes)
in order to fulfil legitimate interests (such as marketing)
The processing of personal data is in line with GDPR Article 6 and Article 9. All data sources are identified within a regularly reviewed Data Audit alongside Trust-wide Privacy Impact Assessments (PIA) to ensure that data collection is lawful and protected effectively. Further information can be found in the Chandos Primary Privacy Notice (available on our website).
Data is accessed by authorised personnel only. Teachers can access the online data storage system (ScholarPack) outside of school for assessment purposes, but will let SLT know beforehand. All staff have a school email account, which is used for school purposes. Information within emails is anonymised as much as possible in order to prevent data being unlawfully processed or breached. Personal email accounts are not used for any school purposes. Mobile phones and other personally owned electronic devices will not be used for school duties by staff or children without specific permission from the head teacher. Teachers also take home pupils’ books on occasion. This data is permitted to be accessed outside of school in order to fulfil their contractual role. Computer stations within the school are locked when not attended and personnel log-in details are not shared with other staff for any reason. See Acceptable Use policy.
Chandos Primary stores data on secure servers, securely online with agreed providers and in secured (locked) paper files. External memory drives or devices are not used in the school. Personal data taken out of the academy (such as pupil books/academy laptops) are stored securely while off site.
While appropriate data safeguards are in place (such as secure storage, limited access to data, up-to-date software to prevent system hacking, agreements with online providers), data breaches may still occur. All data is closely monitored. All data breaches are reported immediately to the school-based Local Compliance Officer (LCO). Where a breach is likely to cause harm to a ‘natural person’ it is also reported to the Data Protection Officer (DPO) for the Trust. All data breaches are investigated fully and additional measures put into place as needed.
The Data Rights are:
The right to be informed (see Privacy Notice)
The right of access (to your/your child’s personal data)
The right to rectification (of any incorrect data within 1 month of the request)
The right to erasure (in certain circumstances such as: where data collected is no longer needed, withdrawal of consent, there is no legitimate reason to process the data, data has been unlawfully processed, to comply with a legal obligation)
The right to restrict processing (e.g. incomplete/inaccurate data is verified, an objection to the data processing has been received, unlawful processing, legal claims)
The right to data portability (individuals can obtain and reuse their personal data for their own purposes across different services)
The right to object (to data being used for purposes such as research)
Rights in relation to automated decision making and profiling
Subject Access Requests
Any ‘natural person’ can request access to their data (or their child’s data if they are below the age of 13). Requests must be made in writing to the LCO (see Privacy Notice and Subject Access Request Procedure).
The Local Compliance Officer (LCO) oversees and monitors all data collection and processing at a local level.
The Data Protection Officer (DPO) oversees all data management within the Academy Trust and liaises with school level LCOs and the ICO.
School staff are responsible for following and implementing all GDPR-related policies and procedures at all times.