Data Protection Policy

Approved: D McIntosh
Date: 9th June 2014
Review Date: June 2016

Honywood Community Science School (the “School”) collects and uses personal information about staff, learners, parents and other individuals who come into contact with the School. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the School complies with its statutory obligations.

Schools have a duty to be registered, as Data Controllers, with the Information Commissioner’s Office (ICO), detailing the information held and its use. These details are then available on the ICO’s website. Schools also have a duty to issue a Fair Processing Notice to all learners/parents. This summarises the information held on learners, why it is held and the other parties to whom it may be passed on.

Purpose

This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998 and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically.

The obligations outlined in this policy apply to all those who have access to personal data, whether they are employees, governors, employees of associated organisations or temporary staff. All individuals permitted to access personal data must agree to comply with this policy. All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines. Any breach of this policy will be taken seriously and may result in disciplinary action.

What is Personal Information?

Personal information or data is defined as data which relates to a living individual who can be identified from that data or other information held. It includes, but is not limited to, paper records and electronic data held on a computer and associated equipment, wherever located and used by the School.

Data Protection Definitions

    • “Data” is information which is stored electronically, on a computer, or in certain paper-based filing systems.
    • “Data subjects” for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
    • “Personal data” means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).
    • “Data controllers” are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We are the data controller of all personal data used in our business.
    • “Data users” include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.
    • “Data processors” include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf.
    • “Processing” is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
    • “Sensitive personal data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.

Data Protection Principles

The Data Protection Act 1998 establishes eight principles of good practice that must be adhered to at all times:

    1. Personal data shall be processed fairly and lawfully.
    2. Personal data shall be obtained only for one or more specified and lawful purposes.
    3. Personal data shall be adequate, relevant and not excessive.
    4. Personal data shall be accurate and where necessary, kept up to date.
    5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
    6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
    7. Personal data shall be kept secure i.e. protected by an appropriate degree of security.
    8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

General Statement

The School is committed to maintaining the above principles at all times. Therefore the School will:

    • ensure compliance with the terms of the Data Protection Act 1998 and any subsequent relevant legislation, to ensure personal data is treated in a manner that is fair and lawful;
    • inform individuals why the information is being collected when it is collected;
    • inform individuals when their information is shared, and why and with whom it was shared;
    • check the quality and the accuracy of the information it holds;
    • ensure that information is not retained for longer than is necessary;
    • ensure that when obsolete information is destroyed, this is done appropriately and securely;
    • ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded;
    • share information with others only when it is legally appropriate to do so;
    • set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests;
    • ensure our members of staff are aware of and understand our policies and procedures.

Subject Access Requests

A data subject has the right to make a formal request for information that we hold about them. This request must be made in writing. A data subject (including an employee of the School) has a right, on making a request to the data controller, to be informed whether personal data of which he is the data subject is being processed by or on behalf of that data controller. If so, the data subject also has a right to:

    • a description of the personal data held, the purposes for which it is being processed and the recipients or classes of recipients to whom the data may be disclosed;
    • any information available to the data controller as to the source of the data (subject to certain stated confidentiality and related protections for individual sources).

Complaints

Complaints will be dealt with in accordance with the School’s Complaints Policy. A copy of this Policy will be made available at the School’s main reception and is on the School’s website. Complaints relating to information handling may be referred to the Information Commissioner (the statutory regulator).

Review

This policy will be reviewed as it is deemed appropriate but no less frequently than every two years. The policy review will be undertaken by the nominated representative.

Contacts

If you have any enquiries in relation to this policy, please contact Mr S. Mason, Headteacher, who will also act as the contact point for any subject access requests. Further advice and information is available from the Information Commissioner’s Office, www.ico.gov.uk or telephone 01625 545745.