Learning today, Leading tomorrow

Data Protection Policy:

AUTHOR: D CORNALL Ratified by: The Governing Body of Stretford High School June 2012 Review Date: May 10, 2013

DATA PROTECTION POLICY:

1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 9.0 Roles and Responsibilities Suggested Audience Related Policies School Mission Statement Introduction Enquiries Fair Obtaining and Processing Registered purposes Data Integrity Page 2 Page 2 Page 2 Page 3 Page 3 Page 3 Page 3 Page 4 Page 4 Page 5 Page 6 Page 7 Page 8 Page 10 Page 10

10.0 Subject Access 11.0 Processing Subject Access Requests

Data Protection Policy: | 5/10/2013

12.0 Authorised Disclosures 13.0 Data and Computer Security 14.0 Monitoring and Review 15.0 Approval by Governing Body and Review Date

1.0

Roles and Responsibilities The responsibility for the implementation of this policy and provision rests with the Headteacher. On an operational basis, the management, responsibility and evaluation of this policy will be undertaken by the Director of Finance.

2.0

Suggested Audience The Governing body, all staff, parents and young people.

3.0

Related Policies This policy is part of a suite of policies which should also be referred to; Data Protection Curriculum, Teaching and Learning Admission Arrangements Freedom of Information publication scheme IT Usage Policy Public Sector Equality Duty Teaching and Learning SENd Child Protection
Data Protection Policy: | 5/10/2013

4.0

School Mission Statement Learning Today, Leading Tomorrow

5.0

Introduction The Governing Body of the school has overall responsibility for ensuring that records are maintained, including security and access arrangements, in accordance with Education Regulations and all other statutory provisions. The Headteacher and Governors of this School will fully comply with the requirements and principles of the Data Protection Act 1984 and the Data Protection Act 1988. All staff involved with the collection, processing and disclosure of personal data will be made aware of their duties and responsibilities within these guidelines annually and receive the training required to ensure complance.

6.0

Enquiries Information about the schools Data Protection Policy is available from the Director of Finance.

7.0

Fair Obtaining and Processing Stretford High School undertakes to obtain and process data fairly and lawfully by informing all data subjects of the reasons for data collection, the purposes for which the data are held, the likely recipients of the data and the data subjects right of access. Information about the use of personal data is printed on the appropriate collection form. If details are given verbally, the person collecting will explain the issues before obtaining the information. processing means obtaining, recording or holding the information or data or carrying out any or set of operations on the information or data.

Data Protection Policy: | 5/10/2013

data subject means an individual who is the subject of personal data or the person to whom the information relates. personal data means data, which relates to a living individual who can be identified. Addresses and telephone numbers are particularly vulnerable to abuse, but so can names and photographs be, if published in the press, Internet or media. parent has the meaning given in the Education act 1996, and includes any person having parental responsibility or care of a child.

8.0

Registered Purposes The Data Protection Registration entries for the School are available for inspection, by appointment, at the school Finance Office. Explanation of any codes and categories entered is available from the Director of Finance, who is the person nominated to deal with Data Protection issues in the School. Registered purposes covering the data held at the school are listed on the schools registration and data collection documents. Information held for these stated purposes will not be used for any other purpose without the data subjects consent.

9.0

Data Integrity The school undertakes to ensure data integrity by the following methods: Data Accuracy Data held will be as accurate and up to date as is reasonably possible. If a data subject informs the School of a change of circumstances their computer record will be updated as soon as is practicable. A printout of their data record will be
Data Protection Policy: | 5/10/2013

provided to data subjects every twelve months so they can check its accuracy and make any amendments. Where a data subject challenges the accuracy of their data, the School will immediately mark the record as potentially inaccurate, or challenged. In the case of any dispute, we shall try to resolve the issue informally, but if this proves impossible, disputes will be referred to the Governing Body for their judgment. If the problem cannot be resolved at this stage, either side may seek independent arbitration. Until resolved the challenged marker will remain and all disclosures of the affected information will contain both versions of the information. Data Adequacy and Relevance Data held about people will be adequate, relevant and not excessive in relation to the purpose for which the data is being held. In order to ensure compliance with this principle, the School will check records regularly for missing, irrelevant or seemingly excessive information and may contact data subjects to verify certain items of data.

Length of Time Data held about individuals will not be kept for longer than necessary for the purposes registered. It is the duty of the person compiling the records to ensure that obsolete data are properly erased.

Data Protection Policy: | 5/10/2013

10.0 Subject Access The Data Protection Acts extend to all data subjects a right of access to their own personal data. In order to ensure that people receive only information about themselves it is essential that a formal system of requests is in place. Where a

request for subject access is received from a young person, the schools policy is that:

Requests from young people will be processed as any subject access request as outlined below and the copy will be given directly to the pupil, unless it is clear that the young person does not understand the nature of the request. Requests from young people who do not appear to understand the nature of the request will be referred to their parents. Requests from parents in respect of their own child will be processed as requests made on behalf of the data subject (the child) and the copy will be sent in a sealed envelope to the requesting parent. 11.0 Processing Subject Access Requests Requests for access must be made in writing. Young people, parents or staff may ask for a Data Subject Access form, available from the School Office. Completed forms should be submitted to the Director of Finance. Provided that there is sufficient information to process the request, an entry will be made in the Subject Access log book, showing the date of receipt, the data subjects name, the name and address of requester (if different), the type of data required (eg Student Record, Personnel Record), and the planned date of supplying the information (normally not more than 40 days from the request date). Should more information be required to establish either the identity of the data subject (or agent) or the type of data requested, the date of entry in the log will be date on which sufficient information has been provided. Note: In the case of any written request from a parent regarding their own childs record, access to the record will be provided within 15 school days in accordance with the current Education (Pupil Information) Regulations.

Data Protection Policy: | 5/10/2013

12.0 Authorised Disclosures The School will, in general, only disclose data about individuals with their consent. However there are circumstances under which an authorised officer of Stretford High School may need to disclose data without explicit consent for that occasion.

These circumstances are strictly limited to:

Data relating to a young person, disclosed to authorised recipients related to education and administration necessary for the school to perform its statutory duties and obligations. Data disclosed to authorised recipients in respect of a young persons health, safety and welfare. Data disclosed to parents in respect of their childs progress, achievements, attendance, attitude or general demeanor within or in the vicinity of the school. Staff data disclosed to relevant authorities eg in respect of payroll and administrative matters.
Data Protection Policy: | 5/10/2013

Unavoidable disclosures, for example to an engineer during maintenance of the computer system. In such circumstances the engineer would be required to sign a form promising not to disclose the data outside the school. Officers working on behalf of the school for Trafford LA are contractually bound not to disclose personal data. Only authorised and trained staff are allowed to make external disclosures of personal data. Data used within the school by administrative staff, teachers and welfare officers will only be made

available where the person requesting the information is a professional legitimately working within the school who need to know the information in order to do their work. The school will not disclose anything on records of young people which would be likely to cause serious harm to their physical or mental health or that of anyone else including anything where suggests that they are, or have been, either the subject of or at risk of child abuse. A legal disclosure is the release of personal information from the computer to someone who requires the information to do his or her job within or for the school, provided that the purpose of that information has been registered.

An illegal disclosure is the release of information to someone who does not need it, or has no right to it, or one which falls outside the Schools registered purposes.

13.0 Data and Computer Security Stretford High School will undertake the security of personal data by the following general methods (precise details cannot, of course, be revealed): Physical Security Appropriate building security measures will be in place, such as alarms, window bars, deadlocks and computer hardware cable locks. Only authorised persons are allowed in the computer server rooms. Disks, tapes and printouts will be locked away securely when not in use. Visitors to the school are accepted on an appointment only basis and all appointments are subject to the approval of the Headteacher or his designated officer. Visitors are required to sign in and out, to wear identification badges whilst in the school and are always accompanied by the host member of staff. Where appropriate, visitors will be unaccompanied. Unannounced visitors will not be permitted access to

Data Protection Policy: | 5/10/2013

the school site and will be met, if appropriate, in reception. School data information must not be given without express authority of the Headteacher.

Logical Security Security software is installed on all computers containing personal data. Only authorised users are allowed access to the computer files and password changes are regularly undertaken. Computer files will be backed up (ie security copies are taken) regularly.

Procedural Security In order to be given authorised access to the computer, staff must confirm they have read the school IT use policy and sign a confidentiality agreement. All staff will be trained in their Data Protection obligations and their knowledge updated as necessary. Computer printouts as well as source documents are shredded before disposal. Any queries or concerns about security of data in the school should in the first instance be referred to the Director of Finance. Individual members of staff can be personally liable in law under the terms of the Data Protection Acts. They may also be subject to claims for damages from persons who believe that they have been harmed as a result of inaccuracy, unauthorised use or disclosure of their data. A deliberate breach of this Data Protection Policy will be treated as disciplinary matter, and serious breaches could lead to dismissal.

Data Protection Policy: | 5/10/2013

14.0 Monitoring and Review The Director of Finance will work closely with the Finance and Personnel Committee and Assistant Headteacher to ensure that this policy is fully implemented and subsequent provision developed. This person will regularly monitor and review this policy and make an annual written report to the full Governing Body. 15.0 Approval by Governing Body and Review Date
This policy has been formally approved and ratified by the Governing Body at a formally convened meeting. Policy Approved: Date: __________________________ (Chair of Governing Body) June 2012

Date of Policy Review: 10th May 2013

16.0 Appendices Access to personal data request forms

10

Data Protection Policy: | 5/10/2013

ACCESS TO PERSONAL DATA REQUEST DATA PROTECTION ACT 1998 Section 7.

Enquirers SurnameEnquirers .Fore Names.. Enquirers Address Enquirers Postcode

Telephone Number .

Are you the person who is the subject of the records you are enquiring about (i.e. the Data Subject)?

YES /

NO

If NO,

Do you have parental responsibility for a child who is the Data Subject of the are enquiring about?

YES /

NO

records you

If YES,

Data Protection Policy: | 5/10/2013

Name of child or children about whose personal data records you are enquiring

..

..

11

Description of Concern / Area of Concern

Description of Information or Topic(s) Requested ( In your own words)

Additional information.

Please despatch Reply to: (if different from enquirers details as stated on this form)

Name

Address

Postcode

DATA SUBJECT DECLARATION

I request that the School search its records based on the information supplied above under Section 7 (1) of the Data Protection Act 1998 and provide a description of the personal data found from the information described in the details outlined above relating to me (or my child/children) being processed by the School.

I agree that the reply period will commence when I have supplied sufficient information to enable the School to perform the search.
Data Protection Policy: | 5/10/2013

I consent to the reply being disclosed and sent to me at my stated address (or to the Despatch Name and Address above who I have authorised to receive such information).

Signature of Data Subject (or Subjects Parent)

Name of Data Subject (or Subjects Parent) (PRINTED). Dated .

12