general data protection regulation (GDPR)
The General Data Protection Regulation is a piece of EU-wide legislation which determines how personal data is processed and kept safe and the legal rights that individuals have in relation to their own data. It came into effect on 25th May 2018 and applies to all organisations that process or handle personal data, including schools. This legislation is similar to the Data Protection Act (DPA) 1998 - either building on or strengthening its principles. The legislation also gives guidance as to how long information can be held and our Retention Policy outlines how this works within our school for the different types of information that we hold. A copy of our Retention Policy is available here.
We issue privacy notices annually to all children, parents, staff and volunteers whose personal information we process. These explain why we process information, what we do with it, our legal basis for processing, and your rights, including the right to make a complaint, to access your information and to have inaccurate information corrected.
subject access requests (SAR)
If you wish to have access to the data we hold on you or your child, you will need to complete an SAR (Subject Access Request) form. Please read the privacy notice, as this includes details about what you can request. The SAR should be returned to the Data Protection Officer. All requests should be responded to within a month; however, if the request is made when the school is closed there will be some delay. The request will be dealt with as soon as possible when the school reopens.
The majority of pupil information which we hold is provided to us on a mandatory basis, but some aspects of information are provided on a voluntary basis. We will always inform parents whether the information we are requesting is required or voluntary. If it is voluntary, we will ask if you are happy for us to hold that information and also how we can use it. Publicity is one example: we already ask for permission to use personal information for publicity purposes, including photographs, names and children's work.
We are required under GDPR to notify the Information Commissioner's Office within 72 hours of any data breaches where an individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.
Further information is available here.
data protection officer
Lisa Robinson, School Business Manager: firstname.lastname@example.org or 01235 819143