Privacy policy

Our Commitment:

Llanfaes Community Primary School is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the GDPR. 

https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

Changes to data protection legislation shall be monitored and implemented in order to remain compliant with all requirements. 

The member(s) of staff responsible for data protection are: Mrs K Lawrence/Mrs H Jones. 

The school is also committed to ensuring that its staff are aware of data protection policies and legal requirements, and that adequate training is provided to them.

The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services within the school. 

Notification:

Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:  

https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/

Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register. 

Breaches of personal or sensitive data shall be notified immediately to the Data Protection Officer (Powys) who will assess whether the breach is reported to the ICO and will give further advice. The school will keep a log of breaches to inform further actions or training if necessary.

Personal and Sensitive Data:

All data within the school’s control shall be identified as either personal or sensitive to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates. 

The definitions of personal and sensitive data shall be as those published by the ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

The principles of the GDPR shall be applied to all data processed: 

  a) processed lawfully, fairly and in a transparent manner in relation to individuals;
  b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/

Privacy Notice:

We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and pupils prior to the processing of an individual’s data.

Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.  

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

The intention to share data relating to individuals with an organisation outside of our school shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.

Any proposed change to the processing of individuals’ data shall first be notified to them.

Data Security:

In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them. 

Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance. 

The security arrangements of any organisation with which data is shared shall also be considered and these organisations shall provide evidence of their competence in the security of shared data.

Data Access Requests (Subject Access Requests):

All individuals whose data is held by us have a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to: Mrs Lawrence/Mrs Williams/Mrs Hellard. This will be referred to the Data Protection Officer (Powys) for advice.

Photographs and Video:

Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school only. 

Unless prior consent from parents/pupils/staff has been given, the school shall not utilise such images for publication or communication to external sources. 

It is the school’s policy that external parties (including parents) may capture images of staff or pupils during such activities but will only use them for personal use and not share them with other parties or social media.

Data Disposal:  

The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk. 

All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.

All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.  

Disposal of IT assets holding data shall be in compliance with ICO guidance:

https://ico.org.uk/media/for-organisations/documents/1570/it_asset_disposal_for_organisations.pdf

How to raise a Complaint:

Individuals are able to complain about: breach of personal data, rectification/amendments to personal data, erasure of personal data and to cease processing personal data. Any such request should be referred to the Data Protection Officer (Powys).