Data Protection

Please find our Data Protection Policy here.  Please find links to privacy notices at the bottom of the page.

 

 

DATA PROTECTION POLICY
 

TRUST PRAYER

 

We thank you God of Love, for the gift of children,

bless the work of our Trust, that in all we do

young people may grow in wisdom and stature,

and so come to know you,

to love you and

to serve you as Jesus did,

We make our prayer in his name who is God

with you and the Holy Spirit now and forever.

Amen


 

Contents

1  Policy statement

2  About this policy

3  Definition of data protection terms

4  Data protection officer

5  Data protection principles

6  Fair and lawful processing

7  Processing for limited purposes

8  Notifying data subjects

9  Adequate relevant and non-excessive

10  Accurate data

11  Timely processing

12  Processing in line with data subject's rights

13  Data security

14  Data protection impact assessments

15  Disclosure and sharing of personal information

16  Data processors

17  Images and videos

18  CCTV

19  Changes to this policy

ANNEX Definition of terms

 


 

  1. Policy statement
    1. Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities as a Trust we will collect, store and process personal data about our pupils, workforce, parents and others.  This makes us a data controller in relation to that personal data.
    2. We are committed to the protection of all personal data and special category personal data for which we are the data controller.
    3. The law imposes significant fines for failing to lawfully process and safeguard personal data and failure to comply with this policy may result in those fines being applied.
    4. All members of our workforce must comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary or other action.
  2. About this policy
    1. The types of personal data that we may be required to handle include information about pupils, parents, our workforce, and others that we deal with. The personal data which we hold is subject to certain legal safeguards specified in the General Data Protection Regulation (‘GDPR’), the Data Protection Act 2018, and other regulations (together ‘Data Protection Legislation’).
    2. This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
    3. This policy does not form part of any employee's contract of employment and may be amended at any time.
    4. This policy sets out rules on data protection and the legal conditions that must be satisfied when we process personal data.
  3. Definition of data protection terms
    1. All defined terms in this policy are indicated in bold text, and a list of definitions is included in the Annex to this policy.
  4. Data Protection Officer
    1. As a Trust we are required to appoint a Data Protection Officer (“DPO”).  Our DPO is Alison Tennant, and they can be contacted at Liverpool Diocesan Schools Trust, St James’ House, 20 St James Road, Liverpool L1 7BY, T: 0151 705 2147 E: alison.tennant@liverpool.anglican.org
    2. The DPO is responsible for ensuring compliance with the Data Protection Legislation and with this policy.  Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
    3. The DPO is also the central point of contact for all data subjects and others in relation to matters of data protection.
  5. Data protection principles
    1. Anyone processing personal data must comply with the data protection principles. These provide that personal data must be:
      1. Processed fairly and lawfully and transparently in relation to the data subject;
      2. Processed for specified, lawful purposes and in a way which is not incompatible with those purposes;
      3. Adequate, relevant and not excessive for the purpose;
      4. Accurate and up to date;
      5. Not kept for any longer than is necessary for the purpose; and
      6. Processed securely using appropriate technical and organisational measures.
    2. Personal Data must also:
      1. be processed in line with data subjects' rights;
      2. not be transferred to people or organisations situated in other countries without adequate protection.
    3. We will comply with these principles in relation to any processing of personal data by the Trust.
  6. Fair and lawful processing
    1. Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
    2. For personal data to be processed fairly, data subjects must be made aware:
      1. that the personal data is being processed;
      2. why the personal data is being processed;
      3. what the lawful basis is for that processing (see below);
      4. whether the personal data will be shared, and if so with whom;
      5. the period for which the personal data will be held;
      6. the existence of the data subject’s rights in relation to the processing of that personal data; and
      7. the right of the data subject to raise a complaint with the Information Commissioner’s Office in relation to any processing.
    3. We will only obtain such personal data as is necessary and relevant to the purpose for which it was gathered, and will ensure that we have a lawful basis for any processing.
    4. For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation.  We will normally process personal data under the following legal grounds:
      1. where the processing is necessary for the performance of a contract between us and the data subject, such as an employment contract;
      2. where the processing is necessary to comply with a legal obligation that we are subject to (e.g. the Education Act 2011);
      3. where the law otherwise allows us to process the personal data or we are carrying out a task in the public interest; and
      4. where none of the above apply then we will seek the consent of the data subject to the processing of their personal data.
    5. When special category personal data is being processed then an additional legal ground must apply to that processing.  We will normally only process special category personal data under the following legal grounds:
      1. where the processing is necessary for employment law purposes, for example in relation to sickness absence;
      2. where the processing is necessary for reasons of substantial public interest, for example for the purposes of equality of opportunity and treatment;
      3. where the processing is necessary for health or social care purposes, for example in relation to pupils with medical conditions or disabilities; and
      4. where none of the above apply then we will seek the consent of the data subject to the processing of their special category personal data.
    6. We will inform data subjects of the above matters by way of appropriate privacy notices which shall be provided to them when we collect the data or as soon as possible thereafter, unless we have already provided this information such as at the time when a pupil joins us.
    7. If any data user is in doubt as to whether they can use any personal data for any purpose then they must contact the DPO before doing so.

    Vital Interests

    8. There may be circumstances where it is considered necessary to process personal data or special category personal data in order to protect the vital interests of a data subject. This might include medical emergencies where the data subject is not in a position to give consent to the processing.  We believe that this will only occur in very specific and limited circumstances.  In such circumstances we would usually seek to consult with the DPO in advance, although there may be emergency situations where this does not occur.

    Consent

    9. Where none of the other bases for processing set out above apply then the school must seek the consent of the data subject before processing any personal data for any purpose.
    10. There are strict legal requirements in relation to the form of consent that must be obtained from data subjects.
    11. When pupils and/or our Workforce join the Trust a consent form will be required to be completed in relation to them.  This consent form deals with the taking and use of photographs and videos of them, amongst other things.  Where appropriate third parties may also be required to complete a consent form.
    12. In relation to all pupils under the age of 12 years old we will seek consent from an individual with parental responsibility for that pupil.
    13. We will generally seek consent directly from a pupil who has reached the age of 12, however we recognise that this may not be appropriate in certain circumstances and therefore may be required to seek consent from an individual with parental responsibility.
    14. If consent is required for any other processing of personal data of any data subject then the form of this consent must:
      1. Inform the data subject of exactly what we intend to do with their personal data;
      2. Require them to positively confirm that they consent – we cannot ask them to opt-out rather than opt-in; and
      3. Inform the data subject of how they can withdraw their consent.
    15. Any consent must be freely given, which means that we cannot make the provision of any goods or services or other matter conditional on a data subject giving their consent.
    16. The DPO must always be consulted in relation to any consent form before consent is obtained.
    17. A record must always be kept of any consent, including how it was obtained and when.
  7. Processing for limited purposes
    1. In the course of our activities as a Trust, we may collect and process the personal data set out in our Schedule of Processing Activities. This may include personal data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and personal data we receive from other sources (including, for example, local authorities, other schools, parents, other pupils or members of our workforce).
    2. We will only process personal data for the specific purposes set out in our Schedule of Processing Activities or for any other purposes specifically permitted by Data Protection Legislation or for which specific consent has been provided by the data subject.
  8. Notifying data subjects
    1. If we collect personal data directly from data subjects, we will inform them about:
      1. our identity and contact details as Data Controller and those of the DPO;
      2. the purpose or purposes and legal basis for which we intend to process that personal data;
      3. the types of third parties, if any, with which we will share or to which we will disclose that personal data;
      4. whether the personal data will be transferred outside the European Economic Area (‘EEA’) and if so the safeguards in place;
      5. the period for which their personal data will be stored, by reference to our Records Management Policy;
      6. the existence of any automated decision making in the processing of the personal data along with the significance and envisaged consequences of the processing and the right to object to such decision making; and
      7. the rights of the data subject to object to or limit processing, request information, request deletion of information or lodge a complaint with the ICO.
    2. Unless we have already informed data subjects that we will be obtaining information about them from third parties (for example in our privacy notices), then if we receive personal data about a data subject from other sources, we will provide the data subject with the above information as soon as possible thereafter, informing them of where the personal data was obtained from.
  9. Adequate, relevant and non-excessive processing
    1. We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject, unless otherwise permitted by Data Protection Legislation.
  10. Accurate data
    1. We will ensure that personal data we hold is accurate and kept up to date.
    2. We will take reasonable steps to destroy or amend inaccurate or out-of-date data.
    3. Data subjects have a right to have any inaccurate personal data rectified.  See further below in relation to the exercise of this right.
  11. Timely processing
    1. We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all personal data which is no longer required.
  12. Processing in line with data subject's rights
    1. We will process all personal data in line with data subjects' rights, in particular their right to:
      1. request access to any personal data we hold about them;
      2. object to the processing of their personal data, including the right to object to direct marketing;
      3. have inaccurate or incomplete personal data about them rectified;
      4. restrict processing of their personal data;
      5. have personal data we hold about them erased;
      6. have their personal data transferred.

    The Right of Access to Personal Data

    2. Data subjects may request access to all personal data we hold about them.  Such requests will be considered in line with the school's Subject Access Request Procedure.

    The Right to Object

    3. In certain circumstances data subjects may object to us processing their personal data.  This right may be exercised in relation to processing that we are undertaking on the basis of a legitimate interest or in pursuit of a statutory function or task carried out in the public interest.
    4. An objection to processing does not have to be complied with where the school can demonstrate compelling legitimate grounds which override the rights of the data subject.
    5. Such considerations are complex and must always be referred to the DPO upon receipt of the request to exercise this right.
    6. In respect of direct marketing any objection to processing must be complied with.
    7. The Trust is not however obliged to comply with a request where the personal data is required in relation to any claim or legal proceedings.

    The Right to Rectification

    8. If a data subject informs the Trust that personal data held about them by the Trust is inaccurate or incomplete then we will consider that request and provide a response within one month.
    9. If we consider the issue to be too complex to resolve within that period then we may extend the response period by a further two months. If this is necessary then we will inform the data subject within one month of their request that this is the case.
    10. We may determine that any changes proposed by the data subject should not be made.  If this is the case then we will explain to the data subject why this is the case.  In those circumstances we will inform the data subject of their right to complain to the Information Commissioner’s Office at the time that we inform them of our decision in relation to their request.

    The Right to Restrict Processing

    11. Data subjects have a right to “block” or suppress the processing of personal data.  This means that the Trust can continue to hold the personal data but not do anything else with it.
    12. The Trust must restrict the processing of personal data:
      1. Where it is in the process of considering a request for personal data to be rectified (see above);
      2. Where the Trust is in the process of considering an objection to processing by a data subject;
      3. Where the processing is unlawful but the data subject has asked the Trust not to delete the personal data; and
      4. Where the Trust no longer needs the personal data but the data subject has asked the Trust not to delete the personal data because they need it in relation to a legal claim, including any potential claim against the Trust.
    13. If the Trust has shared the relevant personal data with any other organisation then we will contact those organisations to inform them of any restriction, unless this proves impossible or involves a disproportionate effort.
    14. The DPO must be consulted in relation to requests under this right.

    The Right to Be Forgotten

    15. Data subjects have a right to have personal data about them held by the Trust erased only in the following circumstances:
      1. Where the personal data is no longer necessary for the purpose for which it was originally collected;
      2. When a data subject withdraws consent – which will apply only where the Trust is relying on the individual's consent to the processing in the first place;
      3. When a data subject objects to the processing and there is no overriding legitimate interest to continue that processing – see above in relation to the right to object;
      4. Where the processing of the personal data is otherwise unlawful; and
      5. When it is necessary to erase the personal data to comply with a legal obligation.
    16. The Trust is not required to comply with a request by a data subject to erase their personal data if the processing is taking place:
      1. To exercise the right of freedom of expression or information;
      2. To comply with a legal obligation for the performance of a task in the public interest or in accordance with the law;
      3. For public health purposes in the public interest;
      4. For archiving purposes in the public interest, research or statistical purposes; or
      5. In relation to a legal claim.
    17. If the Trust has shared the relevant personal data with any other organisation then we will contact those organisations to inform them of any erasure, unless this proves impossible or involves a disproportionate effort.
    18. The DPO must be consulted in relation to requests under this right.

    Right to Data Portability

    19. In limited circumstances a data subject has a right to receive their personal data in a machine-readable format, and to have this transferred to another organisation.
    20. If such a request is made then the DPO must be consulted.
  13. Data security
    1. We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
    2. We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
    3. Security procedures include:
      1. Entry controls
        • Any stranger seen in restricted areas within the Trust’s premises should be reported to the Designated Data Protection Lead.
      2. Secure lockable desks and cupboards
        • Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
      3. Methods of disposal
        • Paper documents should be shredded.
        • Digital storage devices should be physically destroyed when they are no longer required.
        • IT assets must be disposed of in accordance with the Information Commissioner’s Office guidance on the disposal of IT assets.
      4. Equipment
        • Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
      5. Working away from the school premises – paper documents
        • Hard copy documents containing personal data must only be removed from Trust premises when absolutely necessary.
        • Documents and files should always be transported in bags and MUST NOT be left unattended in public areas.
        • If it is necessary to leave documents in vehicles they must be left in non-visible compartments i.e. car boots or motorcycle cases and vehicles must be locked.
        • Documents should be stored securely whilst away from Trust premises, ideally in lockable desks or cabinets where possible.
        • Data users MUST ensure that documents are not viewed by any individual who does not have the appropriate permissions.
        • Documents should be returned to Trust premises as soon as possible.
      6. Working away from the school premises – electronic working
        • Data users MUST ensure that they do not allow individuals who are not directly employed by the Trust access to the Trust’s electronic devices.
        • Devices MUST be locked or logged off when left unattended.
        • USB devices and portable hard drives MUST be encrypted if they are to be used for any Trust related purposes.
        • The Trust will not allow files to be saved on non-encrypted devices. Trust documents MUST NOT be downloaded onto personal devices as security cannot be guaranteed.
        • Devices should always be transported securely and MUST NOT be left unattended in public areas. If it is necessary to leave devices in vehicles they must be left in non-visible compartments i.e. car boots or motorcycle cases and vehicles must be locked.
      7. Document printing
        • Documents containing personal data must be collected immediately from printers and not left on photocopiers.
    4. Any member of staff found to be in breach of the above security measures may be subject to disciplinary action.
  14. Data Protection Impact Assessments
    1. The Trust takes data protection very seriously, and will consider and comply with the requirements of Data Protection Legislation in relation to all of its activities whenever these involve the use of personal data, in accordance with the principles of data protection by design and default.
    2. In certain circumstances the law requires us to carry out detailed assessments of proposed processing.  This includes where we intend to use new technologies which might pose a high risk to the rights of data subjects because of the types of data we will be processing or the way that we intend to do so.
    3. The Trust will complete an assessment of any such proposed processing and has a template document which ensures that all relevant matters are considered.
    4. The DPO should always be consulted as to whether a data protection impact assessment is required, and if so how to undertake that assessment.
  15. Disclosure and sharing of personal information
    1. We may share personal data that we hold about data subjects, and without their consent, with other organisations.  Such organisations include the Department for Education and Education and Skills Funding Agency (“ESFA”), Ofsted, health authorities and professionals, the Local Authority, examination bodies, other schools, and other organisations where we have a lawful basis for doing so.
    2. The Trust will inform data subjects of any sharing of their personal data unless we are not legally required to do so, for example where personal data is shared with the police in the investigation of a criminal offence.
    3. In some circumstances we will not share safeguarding information. Please refer to our Child Protection Policy.
    4. Further detail is provided in our Schedule of Processing Activities.
  16. Data Processors
    1. We contract with various organisations who provide services to the Trust, including:
      1. Payroll Providers – to enable us to pay our employees
      2. Parent payment systems – to enable parents to pay for school meals, trips and/or uniforms
      3. Pupil Assessment systems – to support us with the tracking and monitoring of pupil achievement
      4. Communication systems – to enable us to effectively communicate with parents and pupils
      5. School meal providers – to support with the provision and payment for school meals
      6. Photographers – to enable us to store pupil photographs for safeguarding purposes
      7. HR Systems – for the effective management of all aspects of staff management
    2. In order that these services can be provided effectively we are required to transfer personal data of data subjects to these data processors.
    3. Personal data will only be transferred to a data processor if they agree to comply with our procedures and policies in relation to data security, or if they put in place adequate measures themselves to the satisfaction of the Trust. The Trust will always undertake due diligence of any data processor before transferring the personal data of data subjects to them.
    4. Contracts with data processors will comply with Data Protection Legislation and contain explicit obligations on the data processor to ensure compliance with the Data Protection Legislation, and compliance with the rights of Data Subjects.
  17. Images and Videos
    1. Parents and others attending Trust events are allowed to take photographs and videos of those events for domestic purposes.  For example, parents can take video recordings of a school performance involving their child.  The Trust does not prohibit this as a matter of policy.
    2. The Trust does not however agree to any such photographs or videos being used for any other purpose, but acknowledges that such matters are, for the most part, outside of the ability of the Trust to prevent.
    3. The Trust asks that parents and others do not post any images or videos which include any child other than their own child on any social media or otherwise publish those images or videos.
    4. As a Trust we want to celebrate the achievements of our pupils and therefore may want to use images and videos of our pupils within promotional materials, or for publication in the media such as local, or even national, newspapers covering school events or achievements.  We will seek the consent of pupils, and their parents where appropriate, before allowing the use of images or videos of pupils for such purposes.
    5. Whenever a pupil begins their attendance at the Trust they, or their parent where appropriate, will be asked to complete a consent form in relation to the use of images and videos of that pupil.  We will not use images or videos of pupils for any purpose where we do not have consent.
  18. CCTV
    1. The Trust operates a CCTV system.  Please refer to the Trust CCTV Policy.
  19. Changes to this policy

We may change this policy at any time. Where appropriate, we will notify data subjects of those changes.

 

 

This Policy was approved by LDST Directors on 9th May 2018.

The Policy was reviewed by LDST Directors on 21st May 2019 with no amendments.

The Policy will be reviewed in two years.

ANNEX

DEFINITIONS

| Term | Definition |
| --- | --- |
| Data | is information which is stored electronically, on a computer, or in certain paper-based filing systems |
| Data Subjects | for the purpose of this policy include all living individuals about whom we hold personal data. This includes pupils, our workforce, staff, and other individuals.  A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information |
| Personal Data | means any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person |
| Data Controllers | are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. We are the data controller of all personal data used in our business for our own commercial purposes |
| Data Users | are those of our workforce (including Governors and volunteers) whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times |
| Data Processors | include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions |
| Processing | is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring personal data to third parties |
| Special Category Personal Data | includes information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or genetic or biometric data |
| Workforce | Includes any individual employed by the Trust such as staff and those who volunteer in any capacity including Governors, Trustees, Members and parent/carer helpers |

 
