Appendix II - Data Protection Guidelines
[School name] has clearly set out the statutory requirements for all staff, students and associated agencies and suppliers will follow and operate the Data Protection Principles.
In summary these state that personal data will:
- be processed fairly and lawfully
- be obtained for a specified and lawful purpose and will not be processed in any manner incompatible with the purpose
- be adequate, relevant and not excessive for the purpose
- be accurate and up-to-date
- not to be kept for longer than necessary for the purpose
- be processed in accordance with the data subject's rights
- be kept safe from unauthorised processing and accidental loss, damage or destruction
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances
Below are examples of how these principles may be applied within the College and are by no way the only ways that the principles apply.
- Personal data will be processed fairly and lawfully. By this, we mean that any information that is collected and stored electronic will be gathered will be used within the confines of the various laws that apply and will not be altered or distorted in any way. Assessment grades, for example, those recorded as Teacher Assessments for KS3 National Tests, will be kept in their original forma and not be changed or adapted at a later date.
- Personal data will be obtained for a specific and lawful purpose and will not be processed in any manner incompatible with the purpose. The College collects a wide variety of information over an academic year. Each section of information is collected for a specific reason, for example, ethnicity as part of regular returns to local and central government. This generic information may be used for multiple purposes, but when information is collected for a specific purpose, for example, family information as part of a subject project, it can not then be used for other reasons, such as contacting other members of that student’s family if the student is not in school.
- Personal data will be adequate, relevant and not excessive for the purpose. Although this may seem common sense we have to remember only to ask for information we really need. Students completing a project about how other students travel to school (walk, cycle, bus, etc) do not need to get telephone numbers even if they think they ‘may’ need them for their next project.
- Personal data will be accurate and up-to-date. Again, this might seem common sense but it is important that when you use personal data you take every opportunity to make sure it is the most recent information. Information changes at an ever increasing rate and this needs to be reflected in how we use it.
- Personal data will not be kept for longer than is necessary. Once you have finished using personal information, it needs to be removed and destroyed where possible. Information can only be kept for as long as it is needed, and not retained ‘just in case.’
- Personal data will be processed in accordance with the data subject’s rights. All of us have rights to allow us to ensure that information about us is not being used for purposes that we are not happy with or if we have to legally allow information to be used we have a rigt to know how it is being used. As part of this we need to keep people informed about how and why we are using their information. This may simply be informing the class that information is being collected to allow a unit of work to be completed (eg looking at methods of travelling to school) but we also have to realise that some people may refuse to give us that information, or ask us to stop using it.
- Personal data will be kept safe from unauthorised processing and accidental loss, damage or destruction. This is one of the most important principles. This covers everything from ensuring that you do not share information with those who have no right to it, eg those professing to be ‘family members’, through to allowing unauthorised people access to a computer where you have personal, confidential or sensitive information, eg a student logging on to a staff laptop that has the SEN register on it, or sharing your password with another person, therefore allowing them complete access to all the information that you have.
- Personal information will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances. Whilst this may seem to be an unimportant principle in the scheme of things, we have to accept that many companies are now global and by giving information to a company we have to be clear about where and how the information is used. We need to make every effort to ensure that information is only shared with those who are going to follow the same legal principles, and this can be done by restricting to those working and operating within the European Economic Area. Where in doubt, it is recommended that you ask the College’s nominated Data Control Officer.