GDPR & Secure Data Handling Policy



11315776200COLLINGBOURNE C OF E PRIMARY SCHOOLGDPR & Secure Data Handling PolicyINTRODUCTIONSchools have access to a wide range of sensitive information. There are generally two types of sensitive information; personal data concerning the staff and pupils and commercially sensitive financial data. We work to ensure that both types of information are managed in a secure way at all times.Collingbourne C of E Primary School is registered with the Information Commissioner’s Office. The school is required to process relevant personal data and shall take all reasonable steps to do so in accordance with this Policy. The school has adopted an open approach to the reporting of possible breaches to the Data Controller.Personal DataPersonal data is the most likely form of sensitive data that a school will hold. The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. Sensitive personal dataThe GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.PrinciplesThe data protection principles set out the main responsibilities for everyone to adhere to. The Data Controller in our school is responsible for, and able to demonstrate, compliance with GDPR, ensuring that data is:processed fairly and lawfullycollected for a specified purpose and not used for anything incompatible with that purposeadequate, relevant and not excessiveaccurate and up-to-datenot be kept longer than necessaryprocessed in accordance with the rights of the data subjectkept securelynot be transferred outside the EEA (European Economic Area) unless the country offers adequate protection.The Data Protection Act states that some types of personal information demand an even higher level of protection, this includes information relating to:racial or ethnic originpolitical opinionsreligious beliefs or other beliefs of a similar nature trade union membershipphysical or mental health or conditionsexual life (orientation)the commission or alleged commission by them of any offence, or any proceedings for such or the sentence of any court in such proceedings.The three questions below can be used to quickly assess whether information needs to treated securely, i.e. Would disclosure/loss place anyone at risk?Would disclosure/loss cause embarrassment to an individual or the school?Would disclosure/loss have legal or financial implications?If the answer to any of the above is “yes” then it will contain personal or commercially sensitive information and needs a level of protection. (A more detailed assessment guide is contained with Appendix A).In the most simplest sense, 2 identifying factors makes data sensitive i.e. a first and last name, a first name and date of birth, a photo and a name etc. Any data containing 2 identify factors must be handled and stored securely.Procedures and practiceThe following practices will be applied within the school:The amount of data held by the school should be reduced to a minimum.Data held by the school must be routinely assessed to consider whether it still needs to be kept or not.Personal data held by the school will be securely stored and sent by secure means.All staff are aware what constitutes secure data and their duties to ensure it is handled securely.Transparency of why we collect data and what we use if for.AuditingThe school must be aware of all the sensitive data it holds, be it electronic or paper. A register (Appendix B) will be kept detailing the types of sensitive data held, where and by whom, and will be added to as and when new data is generated. How long these documents need to be kept will be assessed using the Records Management Toolkit. Audits will take place in line with the timetable (Appendix C).This register will be sent to all staff each year to allow colleagues to revise the list of types of data that they hold and manage. Any auditing will be completed by the Data Controller.Risk assessmentThe school will carry out a risk assessment to establish what security measures are already in place and whether or not they are the most appropriate and cost effective available.Carrying out a risk assessment will generally involve:How sensitive is the data?What is the likelihood of it falling into the wrong hands?What would be the impact of the above?Does anything further need to be done to reduce the likelihood?Once the risk assessment has been completed, the school can decide how to reduce any risks or whether they are at an acceptable level.Risk assessment will be an on-going process and the school will have to carry out assessments at regular intervals as risks change over time.Securing and handling data held by the schoolThe school will take appropriate technical and organisational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the Act. The school and therefore all staff and pupils are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data. An appropriate level of data security must be deployed for the type of data and the data processing being performed. The school will encrypt any data that is determined to be personal or commercially sensitive in nature. This includes fixed computers, laptops and memory sticks. Staff should not remove or copy sensitive data from the organisation or authorised premises unless the media is: encrypted, is transported securelywill be stored in a secure location. This type of data should not be transmitted in unsecured emails (e.g. pupil names and addresses, performance reviews etc). Data transfer should be through secure websites e.g. S2S, Perspective, common transfer files and school census data. If this is not available then the file must be minimally password protected or preferably encrypted before sending via email, the password must be sent by other means and on no account included in the same email. A record of the email should be kept, to identify when and to whom the email was sent, (e.g. by copying and pasting the email into a Word document).Data (pupil records, SEN data, contact details, assessment information) will be backed up, encrypted and stored in a secure place – e.g. safe/fire safe/remote backup. All staff computers will be used in accordance with the Teacher Laptop Policy (Appendix C).When laptops are passed on or re-issued, data will be securely wiped from any hard drive before the next person uses it (not simply deleted). This will be done by a technician using a recognised tool, e.g. McAfee Shredder.The school’s wireless network (WiFi) will be secure at all times. The school will identify which members of staff are responsible for data protection. The school will ensure that staff who are responsible for sets of information, such as SEN, medical, vulnerable learners, management data etc know what data is held, who has access to it, how it is retained and disposed of. Appendix B details which members of staff are responsible for which data. This is shared with all staff concerned within the school. Where a member of the school has access to data remotely (e.g. SIMS from home), remote access off the school site to any personal data should be over an encrypted connection (e.g. VPN) protected by a username/ID and password. This information must not be stored on a personal (home) computer.Members of staff (e.g. senior administrators) who are given full, unrestricted access to an organisation’s management information system should do so over an encrypted connection and use two-factor authentication, which is available to SIMS users from Capita. This information must not be stored on a personal (home) computer.The school will keep necessary pupil and staff information in accordance with the Records Management Toolkit guidance (see references at the end of this document).The school will securely delete commercially sensitive or personal data when it is no longer required as per the Records Management Toolkit guidance.All staff will be trained to understand the need to handle data securely and the responsibilities incumbent on them this will be the responsibility of the Headteacher.When sensitive data is to be sent out of the school it must be done in a secure way. Rights of Access to Information Data subjects have the right of access to information held by the school, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the Data Controller. The school will endeavour to respond to any such written requests as soon as is reasonably practicable, but within 20 working days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible, within the required timeline after it has come to the school's attention and in compliance with the relevant Acts. Exemptions Certain data is exempted from the provisions of the Data Protection Act which includes the following:National security and the prevention or detection of crimeThe assessment of any tax or duty Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the school, including safeguarding and prevention of terrorism and radicalisation The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the ICO. AccuracyThe school will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the school of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply. The school will issue Privacy Notices to staff and parents of children informing what information we collect and why. These will be issued to new admissions and a yearly update will be sent out to existing data subjects to ensure accuracy. See Appendix F.Enforcement If an individual believes that the school has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should notify the Data Protection Officer, who will investigate the breach and inform the ICO as appropriate. External Processors & 3rd partyiesThe school will ensure that data processed by external processors and 3rd parties, for example, service providers, photographers, Classroom Dojo, etc are compliant with GDPR, the relevant legislation and retention procedures.Secure Destruction When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction. Certificates of secure destruction must be obtained from service providers if used i.e. photocopying company, professional shredding services etc. Retention of Data The school will retain data in line with the records management policy outlined in Appendix E – see particularly the Retention Table.This policy was produced in line with guidance from Wiltshire Council and 001 Inspiration Ltd by the Headteacher.This policy should be read and understood in conjunction with the following policies and guidance:The Data Protection Act 1998ICO General Data Protection RegulationThis policy will be reviewed every 2 years or as necessary.Written and Adopted:September 2009Last Review:February 2018Next Review:February 2020References:The Data Protection Act 1998: Information Commissioner’s Office 113157762004381500-283845Appendix A020000Appendix ACOLLINGBOURNE C OF E PRIMARY SCHOOLSecure Data Handling PolicyHelp sheet for assessing risk of sharing informationIn deciding the most appropriate way to share information and the level of security required, you must always take into consideration the nature of the information and the urgency of the situation, i.e. take a risk based approach to determining appropriate measures.The simplified process described below will help the school to choose the appropriate level of security to consider when emailing information.Step 1Imagine a potential security breach (e.g. a confidential letter is left in a public area, a memory stick is lost or someone reads information on a computer screen while waiting to meet a member of staff), and consider:Will it affect or identify any member of the school or community?Will someone lose / be out of pocket by / more than ?100?Will it cause any kind of criminal case to fail?Is there a risk of discomfort / slur upon professional character of someone?Is anyone’s personal safety at risk?Will it embarrass anyone?If you answered NO to all the questions, the document does not contain sensitive information. If you answered yes to any of the questions, the document with include some sensitive information and therefore requires a level of protection.Step 2Imagine the same potential security breach as above, and consider:Will it affect many members of the school or local community and need extra resources locally to manage it?Will an individual or someone who does business with the school lose/be out of pocket by ?1,000 to ?10,000?Will a serious criminal case or prosecution fail?Is someone’s personal safety at a moderate risk?Will someone lose his or her professional reputation?Will a company or organisation that works with the school lose ?100,000 to ?1,000,000?If you have answered yes to any of the above questions the document contains sensitive information and additional security should be considered, such as, password protecting the document before you email it to a colleague outside of your organisation. However, if you think that the potential impact exceeds that stated in the question (for example, someone’s personal safety is at high risk) think very carefully before you release this information.Step 3All documents that do not fit into steps 1 or 2 might require a higher level of protection / security; organisations should err on the side of caution.113157762007426325-273685Appendix B020000Appendix BCOLLINGBOURNE C OF E PRIMARY SCHOOLSecure Data Handling PolicyRegister of sensitive data held by the schoolType of dataHeld wherePeriod to be retainedType of protectionWho can access the dataPupil SEN dataTeacher/SENCO Cabinet Teacher/SENCO LaptopLocked CabinetData is encrypted on laptopSENCOHeadteacherPupil Data:PersonalAssessmentClassroomsServerSchool OfficeHeadteacher OfficeLocked CabinetsPassword Protected Computer AccessEncrypted Memory SticksHeadteacherTeachersOffice StaffPupil Data:Accident Forms School OfficeLocked CabinetHeadteacherOffice StaffPupil Data:Medical Information School OfficeMedical needs poster (who’s who with need)Locked CabinetMedical needs poster up in staff room with parents consentHeadteahcerOffice StaffMedical needs poster - allStaff DataPersonalSickness AbsenceHeadteachers OfficeSchool OfficeLocked CabinetsAdmin Drive on ServerHeadteacherAdmin & Finance OfficerStaff DataPerformance ReviewHeadteachers OfficeLocked CabinetsHeadteacher Drive on ServerSafeguarding RecordsHeadteachers OfficeLocked CabinetHeadteacher (DSL)Deputy DSLAdmin & Finance OfficerExclusion RecordsSchool OfficeLocked CabinetHeadteacherAdmin & Finance OfficerBehaviour RecordsSchool OfficeLocked CabinetHeadteacherAdmin & Finance Officer113157762007435850-273685Appendix C020000Appendix CCOLLINGBOURNE C OF E PRIMARY SCHOOLSecure Data Handling PolicyTimetable for Information Security ManagementActivityFrequencyLeadAudit of data heldAnnuallyHeadteacher Admin & Finance OfficerEncrypting sensitive dataOn-goingAll staffReviewing data backup proceduresAnnualAdmin & Finance OfficerIdentifying staff responsible for data security and keep log of names and roles.AnnualAdmin & Finance OfficerWiping of laptop data when re-issuedAnnual and then when necessary.ICT TechnicianWiping of laptop data when discardedAs necessaryICT TechnicianSecure Data Wiping of Photocopier hard driveAs necessaryAdmin & Finance Officer3rd Party position on GDPR and retention informationUpon commencing working with 3rd party providerHeadteacherAdmin & Finance Officer113157762004381500-283845Appendix D020000Appendix DCOLLINGBOURNE C OF E PRIMARY SCHOOLSecure Data Handling PolicyStaff Computer Use PolicyPasswords that I use to access school systems will be kept secure and secret – if I have reason to believe that my password is no longer secure I will change it.I acknowledge that the computer provided for me to use remains the property of the school and should only be used for school business.I will not access the files of others or attempt to alter the computer settings.I will not update web content or use pictures or text that can identify the school, without the permission of the headteacher.I will not alter, attempt to repair or interfere with the components, software or peripherals of any computer that is the property of the school. I will seek permission with the school’s technician/ Network Manager should I need to install additional software.I will always adhere to the copyright.I will always log off the system when I have finished working.I understand that the school may monitor the Internet sites I visit. I will not open e-mail attachments unless they come from a recognised and reputable source. I will bring any other attachments to the attention of the school technician/ Headteacher/Admin & Finance Officer.Any e-mail messages I send will not damage the reputation of the school.All joke e-mails and attachments are potentially damaging and undesirable and therefore should not be forwarded.I understand that a criminal offence may be committed by deliberately accessing Internet sites that contain certain illegal material.Use for personal financial gain, gambling, political purposes or advertising is forbidden.Storage of e-mails and attachments should be kept to a minimum to avoid unnecessary drain on memory and capacity.I understand that I am responsible for the safety of school data that I use or access. In order to maintain the security of data I will take the following steps:I will store data files in my user area only for as long as is necessary for me to carry out my professional duties.I will not save data files to a PC or laptop other than that provided by the school.If I need to transfer sensitive data files and no secure electronic option is available I will only do so using the encrypted USB key provided by the school.Sensitive data will only be sent electronically through a secure method, e.g. Perspective. If this is not available then the minimum requirement is to password protect the document before attaching it to email.Sensitive data includes:Pupil reportsSEN recordsLetters to parentsClass based assessmentsExam resultsWhole school dataMedical informationInformation relating to staff, e.g. Performance Management reviews.If I am in any doubt as to the sensitivity of data I am using, I will consider these questions:Would disclosure/loss place anyone at risk?Would disclosure/loss cause embarrassment to an individual or the school?Would disclosure/loss have legal or financial implications?If the answer to any of these questions is yes, then the data should be treated as sensitive.I understand that if I do not adhere to these rules outlined in this policy, my network access will be suspended immediately, my laptop removed and that other disciplinary consequences may follow including notification to professional bodies where a professional is required to register. If an incident is considered to be an offence under the Computer Misuse Act or the Data Protection Act this may be reference for investigation by the Police and could recorded on any future Criminal Record Bureau checks. Name: Date: 11315776200COLLINGBOURNE C OF E PRIMARY SCHOOLRecords Management Policy5688330-1432560Appendix E020000Appendix ECollingbourne C of E Primary School recognises that by efficiently managing its records, it will be able to comply with its legal and regulatory obligations and to contribute to the effective overall management of the school. Records provide evidence for protecting the legal rights and interests of the school, and provide evidence for demonstrating performance and accountability. This document provides the policy framework through which this effective management can be achieved and audited. Scope of the policyThis policy applies to all records created, received or maintained by staff of the school in the course of carrying out its functions.Records are defined as all those documents which facilitate the business carried out by the school and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. These records may be created, received or maintained in hard copy or electronically.A small percentage of the school’s records will be selected for permanent preservation as part of the institution’s archives and for historical research. This should be done in liaison with the County Archives Service.ResponsibilitiesThe school has a corporate responsibility to maintain its records and record keeping systems in accordance with the regulatory environment. The person with overall responsibility for this policy is the Headteacher.The person responsible for records management in the school will give guidance for good records management practice and will promote compliance with this policy so that information will be retrieved easily, appropriately and in a timely way. They will also monitor compliance with this policy by surveying at least annually to check if records are stored securely and can be accessed appropriately.Individual staff and employees must ensure that records for which they are responsible are accurate, and are maintained and disposed of in accordance with the school’s records management guidelines.Relationship with existing policiesThis policy has been drawn up within the context of:Freedom of Information policyData Protection Policy, GDPR & Secure Data Handling Policyand with other legislation or regulations (including audit, equal opportunities and ethics) affecting the school.PUPIL RECORDSThe pupil record starts its life when a file is opened for each new pupil as they begin school. This is the file which will follow the pupil for the rest of his/her school life. Here at Collingbourne C of E Primary School, we endeavour to be as paperless as possible in these modern times. Admissions forms are completed by parents for Reception children and any children starting mid-year and returned to the school office. These admission forms enable us to collate information required for specific purpose and we ensure privacy notices are circulated and the correct permissions to hold the personal data is obtained from parents. The information collected on the admissions form is used to populate the Schools Information Management System (SIMS). The following information is held on the admissions form (filed securely) and the SIMS only (to ensure we don’t duplicate information and hold data in too many areas):SurnameForenameDOBUnique Pupil Number (The Unique Pupil Number is a number that identifies each pupil in England uniquely. It is intended to remain with them throughout their school career regardless of any change in school or Local Authority)GenderPreferred nameThe name of the pupil’s doctorEmergency contact detailsPosition in familyEthnic origin (Although this is “sensitive” data under the Data Protection Act 1998, the Department for Education require statistics about ethnicity)Language of home (if other than English) (This needs to be recorded for the School Census (Mother Tongue)Religion (Although this is “sensitive” data under the Data Protection Act 1998, the school has good reasons for collecting the information)Any allergies or other medical conditions that it is important to be aware of (Although this is “sensitive” data under the Data Protection Act 1998, the school has good reasons for collecting the information)Names of adults who hold parental responsibility with home address and telephone number (and any additional relevant carers and their relationship to the child)Name of the school, admission number and the date of admission and the date of leaving.Any other agency involvement e.g. speech and language therapist, paediatrician. It is essential that these files, which contain personal information, are managed against the information security guidelines.If the pupil has attended an early years setting, then the record of transfer should be included on the pupil fileOther stored items relating to pupils filed in secure separate area related files:Privacy Notice (issued annually with only the most recent on the file)Photography ConsentsAnnual Written Report to ParentsNational Curriculum and Religious Education Locally Agreed Syllabus Record SheetsAny information relating to a major incident involving the child (either an accident or other incident)Any reports written about the childAny information about a statement and support offered in relation to the statement (also on SIMS)Any relevant medical information (also on SIMS)Child protection reports/disclosures (stored in line with the Child Protection Record Keeping & Management Policy)Any information relating to exclusions (fixed or permanent) (also on SIMS)Any correspondence with parents or outside agencies relating to major issuesDetails of any complaints made by the parents or the pupilAbsence notesParental consent forms for trips/outings (in the event of a major incident all the parental consent forms should be retained with the incident report not in the pupil record)Correspondence with parents about minor issuesAccident forms (these should be stored separately and retained on the school premises until their statutory retention period is reached. A copy could be placed on the pupil file in the event of a major incident).Transferring the pupil record to the secondary schoolThe pupil record will not be ‘weeded’ before transfer to secondary school unless any records with a short retention period have been placed in the file. We will not keep copies of any records in the pupil record except if there is an ongoing legal action when the pupil leaves the school. Custody of and responsibility for the records passes to the school the pupil transfers to.Files will not be sent by post unless absolutely necessary. If files are sent by post, they should be sent by registered post with an accompanying list of the files. The secondary school should sign a copy of the list to say that they have received the files and return the list to us. Where appropriate, records can be delivered by hand with signed confirmation for tracking and auditing purposes.Electronic documents that relate to the pupil file also need to be transferred, or, if duplicated in a master paper file, destroyed.As we are paperless with most of our information stored on the SIMS which is securely transferred to the new school via a CTF. Child Protection records are transferred in line with the Child Protection Record Keeping & Management Policy.Responsibility for the pupil record once the pupil leaves the schoolThe school which the pupil attended until statutory school leaving age (18 years old) is responsible for retaining the pupil record until the pupil reaches the age of 25 years. Safe destruction of the pupil recordThe pupil record should be disposed of in accordance with the safe disposal of records guidelines.Transfer of a pupil record outside the EU areaLocal Authority advice will be sought if we are requested to transfer a pupil file outside the EU area because a pupil has moved into that area.Storage of pupil recordsAll pupil records are kept securely at all times. Paper records, for example, are kept in lockable storage areas with restricted access, and the contents should be secure within the file. Equally, electronic records have appropriate security. Access arrangements for pupil records should ensure that confidentiality is maintained whilst equally enabling information to be shared lawfully and appropriately, and to be accessible for those authorised to see it.E-mailAs communicating by e-mail is quick and easy, many people have replaced telephone conversations and memos with e-mail discussions. However, the language in which e-mail is written is often less formal and more open to misinterpretation than a written memo or a formal letter. E-mails should be laid out and formulated to the school’s standards for written communications.E-mail is not always a secure medium to send confidential information. The consequences of an e-mail containing sensitive information being sent to an unauthorised person could be a civil penalty of up to ?500,000 from the Information Commissioner. Confidential or sensitive information should only be sent by a secure encrypted e-mail system. Personal information (such as a pupil’s name) must never be in the subject line of an e-mail.All school e-mail is disclosable under Freedom of Information and Data Protection legislation, anything written in an email could potentially be made public. E-mails can remain in a system for a period of time after deletion. It’s worth noting that although you may have deleted your copy of the e-mail, the recipients may not and therefore there will still be copies in existence. These copies could be disclosable under the Freedom of Information Act 2000 or under the Data Protection Act 1998.All attachments in e-mail should be saved into any appropriate electronic filing system or printed out and placed on paper files.Diaries and written notesAnything written down regarding a data subject is disclosable under Freedom of Information and Data Protection legislation, meaning anything written in a diary or in workplace notebooks etc could potentially be made public. Names and secure data should not be put in diaries and notes should be filed in the appropriate file or destroyed when no longer needed.Retention GuidelinesUnder the Freedom of Information Act 2000, schools are required to maintain a retention schedule listing the record series which the school creates in the course of its business. The retention schedule lays down the length of time which the record needs to be retained and the action which should be taken when it is of no further administrative use. The retention schedule lays down the basis for normal processing under both the Data Protection Act 1998 and the Freedom of Information Act 2000.Members of staff are expected to manage their current record keeping systems using the retention schedule and to take account of the different kinds of retention periods when they are creating new record keeping systems.The retention schedule refers to record series regardless of the media in which they are stored.There are a number of benefits which arise from the use of a complete retention schedule:Managing records against the retention schedule is deemed to be “normal processing” under the Data Protection Act 1998 and the Freedom of Information Act 2000. Members of staff should be aware that once a Freedom of Information request is received or a legal hold imposed then records disposal relating to the request or legal hold must be stopped.Members of staff can be confident about safe disposal information at the appropriate rmation which is subject to Freedom of Information and Data Protection legislation will be available when required. The school is not maintaining and storing information unnecessarily.Where appropriate the retention schedule will be reviewed and amended to include any new record series created and remove any obsolete record series.The retention schedule contains recommended retention periods for the different record series created and maintained by the school in the course of it’ business. The schedule refers to all information regardless of the media in which it is stored.Some of the retention periods are governed by statute. Others are guidelines following best practice. Every effort has been made to ensure that these retention periods are compliant with the requirements of the Data Protection Act 1998 and the Freedom of Information Act 2000.Managing record series using these retention guidelines will be deemed to be “normal processing” under the legislation mentioned above. If record series are to be kept for longer or shorter periods than laid out in this document the reasons for this need to be documented.The Retention Schedule is divided into five sections:1. Management of the School2. Human Resources3. Financial Management of the School4. Property Management5. Pupil Management6. Curriculum Management7. Extra-Curricular Activities8. Central Government and Local Authority1.Management of the School1.1Governing BodyFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record1.1.1Agendas for Governing Body meetingsThere may be data protection issues if the meeting is dealing with confidential issues relating to staffOne copy should be retained with the master set of minutes. All other copies can be disposed of.Secure Disposal1.1.2Minutes of Governing Body meetingsThere may be data protection issues if the meeting is dealing with confidential issues relating to staff1 x Permanent1 x inspection copies from date of meeting for 3 years.Secure disposal is containing sensitive, personal information1.1.3Reports presented to the Governing bodyThere may be data protection issues if the report deals with confidential issues relating to staffReports should be kept for a minimum of 6 years. However, if the minutes refer directly to individual reports then the reports should be kept permanently Secure disposal or retain with the signed set of minutes1.1.4Meeting papers relating to the annual parents’ meeting held under section 33 of the Education Act 2002NoEducation Act 2002, Section 33Date of the meeting + a minimum of 6 yearsSecure Disposal1.1.5Instruments of Government including Articles of AssociationNoPermanentThese should be retained in the school whilst the school is open and then offered to County Archives Service when the school closes1.1.7Action plans created and administered by the Governing BodyNoLife of the action plan + 3 yearsSecure Disposal1.1.8Policy documents created and administered by the Governing BodyNoLife of the Policy + 3 yearsSecure Disposal1.1.9Records of complaints dealt with by the Governing BodyYesDate of the resolution of the complaint + a minimum of 6 years then review doe further retention in case of contentious disputesSecure Disposal1.1.10Annual Reports created under the requirements of the Education (Governor’s Annual Reports) (England) (Amendment) Regulations 2002NoEducation (Governor’s Annual Reports) (England) (Amendment) Regulations 2002 SI 2002 No 1171Date of report + 10 yearsSecure Disposal1.1.11Proposals concerning the change of status of a maintained school including AcademiesNoDate proposal accepted or declined + 3 yearsSecure Disposal1.2Headteacher and Senior Management TeamFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record1.2.1Log books of activity in the school maintained by the HeadteacherThere may be data protection issues if the log book refers to individual pupils or members of staffDate of last entry in the book + a minimum of 6 years then reviewThese could be of permanent historic value and should be offered to County Archives Service if appropriate.1.2.2Minutes of Senior Management Team meetings and the meetings of other internal administrative bodiesThere may be data protection issues if the minutes refer to individual pupils or members of staffDate of the meeting + 3 years then reviewSecure Disposal1.2.3Reports created by the Headteacher or Senior Management TeamThere may be data protection issues if the report refers to individual pupils or members of staffDate of the report + a minimum of 3 years then reviewSecure Disposal1.2.4Records created by Headteacher, Senior Management Team and other members of staff with administrative responsibilitiesThere may be data protection issues if the records refer to individual pupils or members of staffCurrent academic year + 6 years then reviewSecure Disposal1.2.5Correspondence created by Headteacher, Senior Management Team and other members of staff with administrative responsibilitiesThere may be data protection issues if the correspondence refers to individual pupils or members of staffDate of correspondence + 3 years then reviewSecure Disposal1.2.6Professional Development PlansYesLife of the plan + 6 yearsSecure Disposal1.2.7School Development PlansNoLife of the plan + 3 yearsSecure Disposal1.3Admissions ProcessFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record1.3.1All records relating to the creation and implementation of the School’s Admissions PolicyNoSchool Admissions Code Statutory guidance for admission authorities, governing bodies, local authorities, schools adjudicators and admission appeals panels December 2014Life of the Policy + 3 years then reviewSecure Disposal1.3.2Admissions – if the admission is successfulYesSchool Admissions Code Statutory guidance for admission authorities, governing bodies, local authorities, schools adjudicators and admission appeals panels December 2014Date of admission + 1 yearSecure Disposal1.3.3Admissions – if the appeal is unsuccessfulYesSchool Admissions Code Statutory guidance for admission authorities, governing bodies, local authorities, schools adjudicators and admission appeals panels December 2014Resolution of case + 1 yearSecure Disposal1.3.4Register of AdmissionsYesSchool attendance: Departmental advice for maintained schools, academies, independent schools and local authorities October 2014Every entry in the admission register must be preserved for a period of 3 years after the date on which the entry was madeReview – schools may wish to consider keeping the admission register permanently as often schools receive enquiries from past pupils to conform the dates they attended the school1.3.6Proofs of address supplied by parents as part of the admissions processYesSchool Admissions Code Statutory guidance for admission authorities, governing bodies, local authorities, schools adjudicators and admission appeals panels December 2014Current year + 1 yearSecure Disposal1.3.7Supplementary Information form including additional information such as religion, medical conditions etcYesFor successful admissionsFor unsuccessful admissionsInformation added to the pupil fileUntil appeals process completedSecure disposal1.4Operational AdministrationFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record1.4.1General file seriesNoCurrent year + 5 years then reviewSecure disposal1.4.2Records relating to the creation and publication of the school brochure or prospectusNoCurrent year + 3 yearsStandard Disposal1.4.3Records relating to the creation and distribution of circulars to staff, parents or pupilsNoCurrent year + 1 yearStandard Disposal1.4.4Newsletters and other items with short operational useNoCurrent year + 1 yearStandard Disposal1.4.5Visitors books and signing in sheetsYesCurrent year + 6 years then reviewSecure Disposal1.4.6Records relating to the creation and management of parent teacher associations and/or old pupils associationsNoCurrent year + 6 years then reviewSecure Disposal2.Human Resources2.1RecruitmentFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record2.1.1All records leading up to the appointment of a new HeadteacherYesDate of appointment + 6 yearsSecure Disposal2.1.2All records leading up to the appointment of a new member of staff – unsuccessful candidatesYesDate of appointment of successful candidate + 6 monthsSecure Disposal2.1.3All records leading up to the appointment of a new member of staff – successful candidateYesAll the relevant information should be added to the staff personal file (see below) and all other information retained for 6 monthsSecure Disposal2.1.4Pre-employment vetting information – DBS checksNoDBS Update Service Employer Guide June 2014: Keeping children safe in education. July 2015 (Statutory Guidance from Dept. of Education) Sections 73, 74The school does not have to keep copies of DBS certificates. If the school does so the copy must NOT be retained for more than 6 months2.1.5Proofs of identity collected as part of the process of checking ‘portable’ enhanced DBS disclosureYesWhere possible these should be checked and a note kept of what was seen and what has been checked. If it is felt necessary to keep copy documentation then this should be placed on the member of staff’s personal file2.1.6Pre-employment vetting information – evidence providing the right to work in the United KingdomYesAn employer’s guide to right to work checks (Home Office May 2015)Where possible these documents should be added to the staff personal file (see below), but if they are kept separately then the Home Office requires that the documents are kept for termination of employment plus not less than 2 years2.2Operational Staff ManagementFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record2.2.1Staff Personal FileYesLimitation Act 1980 (Section 2)Termination of Employment + 6 yearsSECURE DISPOSAL2.2.2TimesheetsYesCurrent year + 6 yearsSECURE DISPOSAL2.2.3Annual appraisal/Assessment recordsYesCurrent year + 5 yearsSECURE DISPOSAL2.3Management of Disciplinary and Grievance ProcessesFile DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record2.3.1Allegation of a child protection nature against a member of staff including where the allegation is unfounded*Yes“Keeping children safe in education Statutory guidance for schools and colleges March 2015”, “Working together to safeguard children. A guide to inter-agency working to safeguard and promote the welfare of children March 2015”.Until the person’s normal retirement age or 10 years from the date of the allegation whichever is the longer then REVIEW. Note allegations that are found to be malicious should be removed from personnel files. If found they are to be kept on the file and a copy provided to the person concerned.SECURE DISPOSALThese records must be shredded2.3.2Disciplinary ProceedingsYesOral warningDate of warning + 6 monthsSECURE DISPOSAL If warnings are placed on personal files then they must be weeded from the fileWritten warning – level 1Date of warning + 6 monthsWritten warning – level 2Date of warning + 12 monthsFinal WarningDate of warning + 18 monthsCase not foundIf the incident is child protection related then see above, otherwise dispose of at the conclusion of the caseSECURE DISPOSAL2.4Health and SafetyBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record2.4.1Health and Safety Policy StatementsNoLife of policy + 3 yearsSECURE DISPOAL2.4.2Health and Safety Risk AssessmentsNoLife of risk assessment + 3 yearsSECURE DISPOAL2.4.3Records relating to accident/injury at workYesDate of incident + 12 yearsIn the case of serious accidents a further retention period will need to be appliedSECURE DISPOAL2.4.4Accident reportingYesSocial Security (Claims and Payments) Regulations 1979 Regulation 25. Social Security Administration Act 1992 Section 8. Limitation Act 1980.AdultsDate of incident + 6 yearsSECURE DISPOSALChildrenDOB of the child + 25 yearsSECURE DISPOSAL2.4.5Control of Substances Hazardous to Health (COSHH)NoControl of Substances Hazardous to Health Regulations 2002. SI 2002 No 2677 Regulation 11; Records kept under the 1994 and 1999 Regulations to be kept as if the 2002 Regulations had not been made. Regulation 18 (2)Current Year + 40 yearsSECURE DISPOSAL2.4.6Process of monitoring of areas where employees and persons are likely to have become in contact with asbestosNoControl of Asbestos at Work Regulations 2012 SI 1012 No 632 Regulation 19Last action + 40 yearsSECURE DISPOSAL2.4.7Process of monitoring of areas where employees and persons are likely to have become in contact with radiationNoLast action + 50 yearsSECURE DISPOSAL2.4.8Fire Precautions log booksNoCurrent year + 6 yearsSECURE DISPOSAL2.5Payroll and PensionsBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record2.5.1Maternity pay recordsYesStatutory Maternity Pay (General) Regulations 1986 (SI1986/1960), revised 1999 (SI1999/567)Current year + 3 yearsSECURE DISPOAL2.5.2Records held under Retirement Benefits Schemes (Information Powers) Regulations 1995YesCurrent year + 6 yearsSECURE DISPOSAL3.Financial Management of the School3.1Risk Management and InsuranceBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.1.1Employer’s Liability Insurance CertificateNoClosure of the school + 40 yearsSECURE DISPOSAL3.2Asset ManagementBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.2.1Inventories of furniture and equipmentNoCurrent year + 6 yearsSECURE DISPOSAL3.2.2Burglary, theft and vandalism reporting formsNoCurrent year + 6 yearsSECURE DISPOSAL3.3Accounts and Statements including budget managementBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.3.1Annual AccountsNoCurrent year + 6 yearsSTANDARD DISPOSAL3.3.2Loans and grants managed by the schoolNoDate of last payment on the loan + 12 years then REVIEWSECURE DISPOSAL3.3.3Student Grant applicationsYesCurrent year + 3 yearsSECURE DISPOSAL3.3.4All records relating to the creation and management of budgets including the Annual Budget Statement and background papersNoLife of the budget + 3 yearsSECURE DISPOSAL3.3.5Invoices, receipts, order books and requisitions, delivery noticesNoCurrent financial year + 6 yearsSECURE DISPOSAL3.3.6Records relating to the collection and banking of moniesNoCurrent financial year + 6 yearsSECURE DISPOSAL3.3.7Records relating to the identification and collection of debtNoCurrent Financial year + 6 yearsSECURE DISPOSAL3.4Contract ManagementBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.4.1All records relating to the management of contracts under sealNoLimitation Act 1980Last payment on the contract + 12 yearsSECURE DISPOSAL3.4.2All records relating to the management of contracts under signatureNoLimitation Act 1980Last payment on the contract + 6 yearsSECURE DISPOSAL3.4.3Records relating to the monitoring of contractsNoCurrent year + 2 yearsSECURE DISPOSAL3.5School FundBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.5.1School Fund Cheque BooksNoCurrent year + 6 yearsSECURE DISPOSAL3.5.2School fund Paying in booksNoCurrent year + 6 yearsSECURE DISPOSAL3.5.3School fund LedgerNoCurrent year + 6 yearsSECURE DISPOSAL3.5.4School fund InvoicesNoCurrent year + 6 yearsSECURE DISPOSAL3.5.5School fund ReceiptsNoCurrent year + 6 yearsSECURE DISPOSAL3.5.6School fund Bank StatementsNoCurrent year + 6 yearsSECURE DISPOSAL3.5.7School fund Journey BooksNoCurrent year + 6 yearsSECURE DISPOSAL3.6School Meals ManagementBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record3.6.1Free School Meals RegistersYesCurrent year + 6 yearsSECURE DISPOSAL3.6.2School Meals RegistersNoCurrent year + 3 yearsSECURE DISPOSAL3.6.3School Meals Summary SheetsNoCurrent year + 3 yearsSECURE DISPOSAL4.Property Management4.1Property ManagementBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record4.1.1Title deeds of properties belonging to the schoolNoPERMANENTThese should follow the property unless the property has been registered with the Land Registry4.1.2Plans f property belonging to the schoolNoThese should be retained whilst the building belongs to the school and should be passed onto any new owners if the building is leased or sold.4.1.3Leases of property leased by or to the schoolNoExpiry of lease + 6 yearsSECURE DISPOSAL4.1.4Records relating to the letting of school premisesNoCurrent financial year + 6 yearsSECURE DISPOSAL4.2MaintenanceBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record4.2.1All records relating to the maintenance of the school carried out by contractorsNoCurrent year + 6 yearsSECURE DISPOSAL4.2.2All records relating to the maintenance of the school carried out by school employees including maintenance log booksNoCurrent year + 6 yearsSECURE DISPOSAL5.Pupil Management5.1Pupil’s Educational RecordBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record5.1.1Pupil’s Educational Record required by The Education (Pupil Information) (England) Regulations 2005YesThe Education (Pupil Information) (England) Regulations 2005 SI 2005 No 1437PrimaryRetain whilst the child remains at the primary schoolThe file should follow the pupil when he/she leaves the primary school. This will include:To another primary schoolTo a secondary schoolTo a pupil referral unitIf the pupil dies whilst at primary school the file should be returned to the Local Authority to be retained for the statutory retention period.If the pupil transfers to an independent school, transfers to home schooling or leaves the country the file should be returned to the Local Authority to be retained for the statutory retention period. Primary Schools do not ordinarily have sufficient storage space to store records for pupils who have not transferred in the normal way. It makes more sense to transfer the record to the Local Authority as it is more likely that the pupil will request the record from the Local Authority.SecondaryLimitation Act 1980 (Section 2)Date of Birth of the pupil + 25 yearsSECURE DISPOSAL5.1.2Examination Results – Pupil CopiesYesPublicThis information should be added to the pupil fileAll uncollected certificates should be returned to the examination boards.InternalThis information should be added to the pupil file5.1.3Child Protection information held on pupil fileYes“Keeping children safe in education Statutory guidance for schools and colleges March 2015”, “Working together to safeguard children. A guide to inter-agency working to safeguard and promote the welfare of children March 2015”.If any records relating to child protection issues are places on the pupil file, it should be in a sealed envelope and then retained for the same period of time as the pupil file.SECURE DISPOSAL – these records MUST be shredded5.1.4Child Protection information held in separate filesYes“Keeping children safe in education Statutory guidance for schools and colleges March 2015”, “Working together to safeguard children. A guide to inter-agency working to safeguard and promote the welfare of children March 2015”.DOB of the child + 25 years then review.This retention period was agreed in consultation with the Safeguarding Children Group on the understanding that the principal copy of this information will be found on the Local Authority Social Services record.SECURE DISPOSAL – these records MUST be shredded5.2AttendanceBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record5.2.1Attendance RegistersYesSchool attendance: Departmental advice for maintained schools, academies, independent schools and local authorities October 2014.Every entry in the attendance register must be preserved for a period of 3 years after the date on which the entry was made.SECURE DISPOSAL5.2.2Correspondence relating to authorised absenceEducation Act 1996 Section 7Current academic year + 2 yearsSECURE DISPOSAL5.3Special Educational Needs5.3.1Special Educational Needs files, reviews and Individual Education PlansYesLimitation Act 1980 (Section 2)Date of Birth of the pupil + 25 yearsREVIEWNOTE: This retention period is the minimum retention period that any pupil file should be kept. Some authorities choose to keep SEN files for a longer period of time to defend themselves in a “failure to provide a sufficient education” case. There is an element of business risk analysis involved in any decision to keep the records longer than the minimum retention period and this should be documented.5.3.2Statement maintained under Section 234 of the Education Act 1990 and any amendments made to the statementYesEducation Act 1996 Special Educational Needs and Disability Act 2001 Section 1Date of birth of the pupil + 25 years (this would normal be retained on the pupil file)SECURE DISPOSAL unless the document is subject to a legal hold5.3.3Advice and information provided to parents regarding educational needsEducation Act 1996 Special Educational Needs and Disability Act 2001 Section 2Date of birth of the pupil + 25 years (this would normal be retained on the pupil file)SECURE DISPOSAL unless the document is subject to a legal hold5.3.4Accessibility StrategyEducation Act 1996 Special Educational Needs and Disability Act 2001 Section 14Date of birth of the pupil + 25 years (this would normal be retained on the pupil file)SECURE DISPOSAL unless the document is subject to a legal hold6.Curriculum Management6.1Statistics and Management InformationBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record6.1.1Curriculum returnsNoCurrent year + 3 yearsSECURE DISPOSAL6.1.2Examination Results (Schools Copy)YesCurrent year + 6 yearsSECURE DISPOSALSATs records:YesResultsThe SATs results should be recorded on the pupil’s educational file and will therefore be retained until the pupil reaches the age of 25 years. The school may wish to keep a composite record of all the whole year SATs results.These could be kept for current + 6 years to allow suitable comparison.SECURE DISPOSALExamination papersThe examination papers should be kept until any appeals/validation process is complete.SECURE DISPOSAL6.1.3Published Admission Number (PAN) ReportsYesCurrent year + 6 yearsSECURE DISPOSAL6.1.4Value Added and Contextual DataYesCurrent year + 6 yearsSECURE DISPOSAL6.1.5Self Evaluation FormsYesCurrent year + 6 yearsSECURE DISPOSAL6.2Implementation of CurriculumBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record6.2.1Schemes of WorkNoCurrent year + 1 yearIt may be appropriate to review these records at the end of each year and allocate a further retention period or SECURE DISPOSAL6.2.2TimetableNoCurrent year + 1 year6.2.3Class Record BookNoCurrent year + 1 year6.2.4Mark BooksNoCurrent year + 1 year6.2.5Record of homework setNoCurrent year + 1 year6.2.6Pupil’s workNoWhere possible pupils’ work should be returned to the pupil at the end of the academic years. If this this is not the school’s policy then current year + 1SECURE DISPOSAL7.Extra Curricular Activities7.1Educational Visits outside the ClassroomBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record7.1.1Records created by schools to obtain approval to run an Educational Visit outside the ClassroomNoOutdoor Education Advisers’ Panel National Guidance website specifically Section 3 – “Legal Framework and Employer Systems” and Section 4 – “Good Practice”.Date of visit + 14 yearsSECURE DISPOSAL7.1.2Parental consent forms for school trips where there has been no major incidentYesConclusion of the tripAlthough the consent forms could be retained for DOB + 22 years, the requirement for them being needed is low and most schools do not have the storage capacity to retain every single consent form issued by the school for this period of time.7.1.3Parental permission slips for school trips – where there has been a major incidentYesLimitation Act 1980 (Section 2)DOB of the pupil involved in the incident + 25 yearsThe permission slips for all the pupils o the trip need to be retained to show that the rules had been followed for all pupils.7.2Walking BusBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record7.2.1Walking Bus RegistersYesDate of register + 3 yearsThis takes into account the fact that if there is an incident requiring an accident report the register will be submitted with the accident report and kept for the period of time required for accident reporting.SECURE DISPOSAL(If these records are retained electronically any backup copies should be destroyed at the same time)7.3Family Liaison Officers and Home School Liaison AssistantsBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record7.3.1Day BooksYesCurrent year + 2 years then review7.3.2Reports for outside agencies – where the report has been included on the case file created by the outside agencyYesWhilst child is attending school then destroy7.3.3Referral formsYesWhile the referral is current7.3.4Contact data sheetsYesCurrent year then review, if contact is no longer active the destroy7.3.5Contact Database entriesYesCurrent year then review, if contact is no longer active the destroy7.3.6Group RegistersYesCurrent year + 2 years8. Central Government and Local Authority8.1Local AuthorityBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record8.1.1Secondary Transfer Sheets (Primary)YesCurrent year + 2 yearsSECURE DISPOSAL8.1.2Attendance ReturnsYesCurrent year + 1 yearSECURE DISPOSAL8.1.3School Census ReturnsNoCurrent year + 5 yearsSECURE DISPOSAL8.1.4Circulars and other information sent from the Local AuthorityNoOperational useSECURE DISPOSAL8.2Central GovernmentBasic File DescriptionData Protection IssuesStatutory ProvisionsRetention Period (Operational)Action at the end of the administrative life of the record8.2.1OFSTED reports and papersNoLife of the report then REVIEWSECURE DISPOSAL8.2.2Returns made to central governmentNoCurrent year + 6 yearsSECURE DISPOSAL8.2.3Circulars and other information sent from central governmentNoOperational useSECURE DISPOSAL5641340-238125Appendix F020000Appendix FPrivacy Notice (How we use pupil information) We Collingbourne C of E Primary School are a data controller for the purposes of the Data Protection Act.The categories of pupil information that we collect, hold and share include:Personal information (such as name, unique pupil number and address)Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)Attendance information (such as sessions attended, number of absences and absence reasons)Assessment informationRelevant medical informationSpecial educational needs informationExclusion records and informationBehaviour records and informationWhy we collect and use this informationWe use the pupil data:to support pupil learningto monitor and report on pupil progressto provide appropriate pastoral careto assess the quality of our servicesto comply with the law regarding data sharingThe lawful basis on which we use this informationWe collect and use pupil information under the following lawful bases:Article 6:Consent: the individual has given clear consent for you to process their personal data for a specific purpose.Article 9:The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.Collecting pupil informationWhilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this. Storing pupil dataWe hold pupil data in line with timescales deatiled in our Retention Schdule, which can be found in our GDPR & Secure Data Handling Policy.Who we share pupil information withWe routinely share pupil information with:schools that the pupil’s attend after leaving usour local authoritythe Department for Education (DfE)The school nurse Why we share pupil informationWe do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.Data collection requirements:To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to National Pupil Database (NPD)The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies. We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.To find out more about the NPD, go to department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:conducting research or analysisproducing statisticsproviding information, advice or guidanceThe Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:who is requesting the datathe purpose for which it is requiredthe level and sensitivity of data requested: and the arrangements in place to store and handle the data To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.For more information about the department’s data sharing process, please visit: For information about which organisations the department has provided pupil information, (and for which project), please visit the following website: contact DfE: access to your personal dataUnder data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact Kerry Heath, Admin & Finance Officer and Data Controller for the school. You also have the right to:object to processing of personal data that is likely to cause, or is causing, damage or distressprevent processing for the purpose of direct marketingobject to decisions being taken by automated meansin certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; andclaim compensation for damages caused by a breach of the Data Protection regulations If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at you would like to discuss anything in this privacy notice, please contact: Kerry Heath, Admin & Finance Officer and Data Controller for the school.If you require more information about how the Local Authority (LA) and/or DfE store and use your information, then please go to the following websites: you are unable to access these websites we can send you a copy of this information. Please contact the LA or DfE as follows:Pip RabbittsData and Information Sharing Manager Wiltshire CouncilBythesea RoadTrowbridgeBA14 8JNemail: pip.rabbitts@.ukTelephone: 01225 713091Public Communications UnitDepartment for EducationSanctuary BuildingsGreat Smith StreetLondonSW1P 3BT 000 2288Signed: __________________________________________________ (Headteacher)This policy was produced in line with guidance from irms.Link policies:GDPR & Secure HandlingE-SafetyBusiness Continuity PlanWritten and Adopted:February 2018Last Review:February 2020Next Review:February 2020 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download