This has been going on for years, but no-one ever asked the question before now! Each year, we provide the head of our alumni group with names and addresses for the people who left our school 10 years ago, so they can write and invite them to a reunion. Anyone know where we stand in terms of the Data Protection Act? Since the alumni group is outside of the school, should we really be giving the information out?
ditto, should you be keeping it for ten years, especially if you're not doing anything to ensure it's uptodate.
Data retention is a separate issue, although one I will start a thread on it a moment. Following a conversation with a few other people here, we have decided that we will handle all the mailings ourselves, thus not sharing the information with anyone outside the school. A bit more work for our admin team to do, but it does sound the better option.
in this case, inextricably linked. On the little info you've posted, you're possibly on dodgy grounds on principles 4, 5 and 6 and possibly schedule 3 of principle 1 re explicit consent, regardless of doing the processing internally or externally. Possible issues re principle 2 in that you are using the data for a purpose other than that which it was collected.
Most schools are fairly lax re their DP obligations.
You are in breach of the DPA unless you have in your Schedule with the ICO that you will share your data with Alumni groups and that you have notified those whose data you will be sharing that this is the case (i.e. the Fair Processing notice which goes out each year to existing students) which will cover you with those going through the system at the moment when they hit the 10 year period ... but this cannot be done retrospectively as it is hard to say that you can honestly inform all those involved.
Contact each ex-student yourself and request permission to pass on the details. It is opt-in, not opt-out.
Good job we've moved the mailings in-house then! Thanks for the input.
Even the ICO are vague on this. Taken from Retaining personal data (Principle 5), you get:
But then just a few lines further down it says:You may not need to delete all personal data when the relationship ends. You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some of its details.
It also says:However, personal data that is unlikely to be needed again should be removed from the organisation’s records – such as the individual’s emergency contact details, previous addresses, or death-in-service beneficiary details.
On the basis of that, I think we're okay to keep names and addresses (accepting that many of them will be out of date, of course) along with dates of entry/leaving, but should delete most other things after the person has turned 21 (based on the limitations of liability). Or am I misreading this?There may often be good grounds for keeping personal data for historical, statistical or research purposes. The Data Protection Act provides that personal data held for these purposes may be kept indefinitely as long as it is not used in connection with decisions affecting particular individuals, or in a way that is likely to cause damage or distress. This does not mean that the information may be kept forever – it should be deleted when it is no longer needed for historical, statistical or research purposes.
ACT Now are running an online session Data Protection and FoI for Schools on the 5th December
https://student.gototraining.com/4pb...55727962711552
enjay (29th November 2011), GrumbleDook (29th November 2011)
45 mins and 15mins for Q&A ... even with only a small group (24) that will cover the minimum of what you need to look at, not anything specific ... but will be a good eye-opener for many schools.Originally Posted by jdoyle
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks