Data Protection (UK GDPR)
Data Protection governs how information about living people (such as pupils, parents, staff and volunteers) is collected and used. The UK data protection regime is set out in the Data Protection Act (DPA) 2018, along with the UK General Data Protection Regulation (UK GDPR).
Data protection law applies to the processing of personal data. This means data which relates to an individual who can be identified from that information. It does not affect all the records the school or academy trust holds because much of it will not contain personal data.
The Information Commissioner’s Office (ICO) is the national regulator of data protection legislation. If there is something that we, as an academy trust, are doing that is not quite as it should be, a complaint can be made to the ICO. The ICO website is a key place to find further information on data protection: https://ico.org.uk/
Our school is part of Peterborough Diocese Education Trust (PDET) and therefore PDET is the Data Controller and responsible for compliance under UK GDPR.
PDET has audited its schools / academies and is responsible for creating and maintaining a Record of Processing Activities (RPA).
The RPA is a list of the main types of personal data that the Trust holds (which therefore includes all the data held by schools in the Trust), stating key details about the data, such as:
- Why we have it;
- What it is used for;
- Where it is stored;
- Who it is shared with (if it is); and
- How long we keep it for.
Privacy Notices are what we use to explain what personal data we collect and what we do with it, such as if we share it with anyone else. The Trust has a privacy notice for the following:
- Privacy Notice for pupils
- Privacy Notice for parents
- Privacy Notice for staff
- Privacy Notice for volunteers
Data Protection Officer (DPO)
UK GDPR makes it a requirement for all public authorities (including schools) and large organisations to have a designated DPO. PDET’s DPO can be contacted at firstname.lastname@example.org
Rights of individuals
The UK GDPR provides the following rights for individuals:
- Right to be informed;
- Right of access (to receive copies of their personal data, known as a Subject Access Request);
- Right to rectification (correcting data if inaccurate);
- Right to erasure (to request that data is deleted);
- Right to restrict processing (to request that their data is not used in a certain way);
- Right to data portability;
- Right to object;
- Right to be told whether there will be any automated decision-making, including profiling, based on the data, and to receive meaningful information about the logic behind it.
To exercise any of these rights, please contact the school.
PDET has prepared the following policies which have been adopted by the school:
- Combined Data Protection and Freedom of Information Policy
- Records Retention Policy