From 25th May 2018, Data protection regulations have changed. On this page, you will find how Birchwood Grove School use and store your data. It will also give you information about how to access and change the date we hold on you or your child and what consent you will be asked for.
As part of the regulation, the school has appointed a Data Protection Officer. At Birchwood Grove, this is Mrs Laura Argles. Any enquiries about data should be send to her via email: firstname.lastname@example.org or by calling 01444 242 209.
Birchwood Grove Primary School is registered with the ICO (Information Commissioner’s Office). The Registration is renewed annually and the Certificate number for the school is Z1204999.
SIX PRINCIPLES OF DATA PROTECTION
At Birchwood Grove, we adhere to the six principles as defined by the GDPR, which states that personal data must be:
Processed fairly, lawfully and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and not further processed
for other purposes incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for
which data is processed.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form that permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data is processed.
6. Processed in a way that ensures appropriate security of the personal data including
protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures.
Individuals have the following rights:
- Be informed of data processing (which is covered by the School’s Privacy Notices)
- Access information (Also know as Subject Access Request)
- Have inaccuracies corrected
- Have information erased
- Restrict processing
- Data portability (this is unlikely to ever be relevant to schools)
- Intervention in respect of automated decision making (this process is rarely operated within schools)
- Withdraw consent
- Complain to the Information Commissioner’s office
The school have a procedure to deal with any breach in data security. Any breach will be reported to and dealt with by the Data Protection Officer (DPO). The breach will be recorded, investigated and steps taken to lessen any impact. The DPO will decide if the breach is significant enough to report to the ICO. If this is the case, the report will be made within 72 hours of the data breach. The DPO will evaluate the breach, risk assess and put in any changes to data security or process as required.
POLICIES, PRIVACY NOTICES AND PROCEDURES
The following documents will provide you with more detailed information on GDPR. A printed copy of these documents can be obtained from the school office.
Birchwood Grove Data Protection Policy
Birchwood Grove Privacy Notice for Pupils
Birchwood Grove Privacy Notice for Recruitment and Volunteers
Birchwood Grove Freedom of Information Policy
Birchwood Grove Publication Scheme
Birchwood Grove Data Breach Procedure
The lawful basis for processing personal data of students and staff is that it is necessary in order for the school to discharge its legal obligations and statutory duties. In respect of this processing the Privacy Notices are sufficient to ensure lawful processing. It is not usual for Schools to process personal data solely based on written consent. Where the school takes a photograph of film of someone on school premises, events or trips and wants to use this image for educational purposes, it is unlikely that consent is required. However, the pupil’s guardian must still be informed that photography or filming is taking place and the context in which the image will be used.
Consent will be required where there is additional processing of personal data which is not within the reasonable expectation of those involved.
At Birchwood Grove, parents are asked to give parental consent for the use of images for their child when they start school. Consent can be changed or withdrawn at any time.
If additional consent is required, a separate request will be sent out to cover the consent for a particular event.
Consent can be withdrawn at any time. The request must be made to the school office in writing. The DPO will then act upon the request within a reasonable period of time and no longer than one month from the date of receipt.
UPDATING AND REVIEWING
All policies, notices and procedures are regularly reviewed and updated by the DPO and any changes agreed with the Headteacher and Governors.
Policies, notices and procedures will also be reviewed if there are any changes to how data is managed at the school, Government guidelines or following a breach of data security.