The MFG Academies Trust
Board of Governors
Date: June 2018
1.0 April 2018 - To comply with General Data Protection Regulations
Next review due by:
The MFG Academies Trust (“the Academy”) collects and uses certain types of personal information about staff, students, parents and other individuals who come into contact with the Academy in order provide education and associated functions. The Academy may be required by law to collect and use certain types of information to comply with statutory obligations related to employment, education and safeguarding, and this policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the General Data Protection Regulation (GDPR) and other related legislation.
The GDPR applies to all computerised data and manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in some way that it is searchable on the basis of specific criteria (so you would be able to use something like the individual’s name to find their information), and if this is the case, it does not matter whether the information is located in a different physical location.
This policy will be updated as necessary to reflect best practice, or amendments made to data protection legislation, and shall be reviewed every  years and complies with our funding agreement and articles of association
‘Personal data’ is information that identifies an individual, and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that relates to:
- Race or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Physical or mental health;
- An individual’s sex life or sexual orientation;
- Genetic or biometric data for the purpose of uniquely identifying a natural person.
Special Category information is given special protection, and additional safeguards apply if this information is to be collected and used.
Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.
The Academy does not intend to seek or hold sensitive personal data about staff or students except where the Academy has been notified of the information, or it comes to the Academy’s attention via legitimate means (e.g. a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice. Staff or students are under no obligation to disclose to the Academy their race or ethnic origin, political or religious beliefs, whether or not they are a trade union member or details of their sexual life (save to the extent that details of marital status and / or parenthood are needed for other purposes, e.g. pension entitlements).
The six data protection principles as laid down in the GDPR are followed at all times:
- Personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met;
- Personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes;
- Personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed;
- Personal data shall be accurate and, where necessary, kept up to date;
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose / those purposes;
- Personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
In addition to this, the Academy is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law
The Academy is committed to complying with the Data Protection principles in at all times. This means that the Academy will:
- Inform individuals as to the purpose of collecting any information from them, as and when we ask for it;
- Be responsible for checking the quality and accuracy of the information;
- Regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the data retention policy;
- Ensure that when information is authorised for disposal it is done appropriately;
- Ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;
- Share personal information with others only when it is necessary and legally appropriate to do so;
- Set out clear procedures for responding to requests for access to personal information known as subject access requests;
- Report any breaches of the GDPR in accordance with the procedure outlined in Section 13.
- The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given.
- The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regards to entering into a contract with the individual, at their request.
- The processing is necessary for the performance of a legal obligation to which we are subject.
- The processing is necessary to protect the vital interests of the individual or another.
- The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
- The processing is necessary for a legitimate interest of the Academy or that of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned
The Academy holds personal data on students, staff and other individuals such as visitors. In each case, the personal data must be treated in accordance with the data protection principles as outlined above.
Students and Parents
The personal data held regarding students includes contact details, assessment / examination results, attendance information, characteristics such as ethnic group, special educational needs, any relevant medical information, photographs and biometric data,
The data is used in order to support the education of the students, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the Academy as a whole is doing, together with any other uses normally associated with this provision in a school environment.
The Academy may make use of limited personal data (such as contact details) relating to students, and their parents or guardians for fundraising, marketing or promotional purposes and to maintain relationships with students of the Academy, but only where consent has been provided to this
We may also receive data about students from other organisations including, but not limited to, other schools, local authorities and the Department for Education.
Please refer to Appendix A for the full Student Privacy Notice This will be issued in the following ways:
- As part of the Academy brochure, diary or induction pack
- On the Academy notice board
- On the Academy website
The personal data held about staff will include contact details, employment history, and information relating to career progression, information relating to DBS checks, photographs and videos.
The data is used to comply with legal obligations placed on the Academy in relation to employment, and the education of children in a school environment. The Academy may pass information to other regulatory authorities where appropriate, and may use names and photographs of staff in publicity and promotional material. Personal data will also be used when giving references.
Staff should note that information about disciplinary action may be kept for longer than the duration of the sanction. Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period.
Please refer to Appendix B for the full Staff Privacy Notice. This will be issued in the following ways:
- As part of a staff contract or induction pack
- On the staff notice board
The Academy may hold personal information in relation to other individuals who have contact with the school, such as volunteers and guests. Such information shall be held only in accordance with the data protection principles, and shall not be kept longer than necessary
The Academy will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties. All staff will be made aware of this Policy and their duties under the GDPR. The Academy will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
For further details as regards security of IT systems, please refer to the IT Policy in Appendix F
Our Academy processes personal information relating to students, staff and visitors, and, therefore, is a data controller. Our Academy delegates the responsibility of data controller to the Executive Principal.
The Academy is registered as a data controller with the Information Commissioner’s Office and renews this registration annually.
The Board of Directors has overall responsibility for ensuring that the Academy complies with its obligations under the Data Protection Act 1998.
Day-to-day responsibilities rest with the Data Protection Officer, or the Executive Principal in the Data Protection Officer’s absence. The Data Protection Officer will ensure that all staff are aware of their data protection obligations, and oversee any queries related to the storing or processing of personal data.
Staff are responsible for ensuring that they collect and store any personal data in accordance with this policy. Staff must also inform the Academy of any changes to their personal data, such as a change of address.
Anybody who makes a request to see any personal information held about them by the Academy is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure
All requests should be sent to the Data Protection Officer within 3 working days of receipt, and must be dealt with in full without delay and at the latest within one month of receipt
Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of 12, or over 12 but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf. The Data Protection Officer must, however, be satisfied that:
- The child or young person lacks sufficient understanding; and
- The request made on behalf of the child or young person is in their interests.
Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances the Academy must have written evidence that the individual has authorised the person to make the application and the Data Protection Officer must be confident of the identity of the individual making the request and of the authorisation of the individual to whom the request relates.
Access to records will be refused in instances where an exemption applies, for example, information sharing may place the individual at risk of significant harm or jeopardise police investigations into any alleged offence(s).
A subject access request must be made in writing. The Academy may ask for any further information reasonably required to locate the information.
An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.
All files must be reviewed by the Data Protection Officer before any disclosure takes place. Access will not be granted before this review has taken place.
Where all the data in a document cannot be disclosed a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.
Exemption to access by data subjects
Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.
There are other exemptions from the right of subject access. If we intend to apply any of them to a request then we will usually explain which exemption is being applied and why.
To make a request for your personal information, or be given access to your child’s educational record, please complete the Subject Access Request Form as shown in Appendix C along with guidance notes for completion.
10. Other Rights of Individuals
The Academy has an obligation to comply with the rights of individuals under the law, and takes these rights seriously. The following section sets out how the Academy will comply with the rights to:
- Object to Processing;
- Erasure; and
- Data Portability.
Right to object to processing
An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest where they do not believe that those grounds are made out.
Where such an objection is made, it must be sent to Data Protection Officer within 2 working days of receipt, and the Data Protection Officer will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.
The Data Protection Officer shall be responsible for notifying the individual of the outcome of their assessment.
Right to rectification
An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to Data Protection Officer within 2 working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.
Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given the option of [a review under the data protection complaints procedure, or] an appeal direct to the Information Commissioner.
An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.
Right to erasure
Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances:
- Where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
- Where consent is withdrawn and there is no other legal basis for the processing
- Where an objection has been raised under the right to object, and found to be legitimate;
- Where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
- Where there is a legal obligation on the Academy to delete.
The Data Protection Officer will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other data controllers, and / or has been made public, reasonable attempts to inform those controllers of the request shall be made.
Right to restrict processing
In the following circumstances, processing of an individual’s personal data may be restricted:
- Where the accuracy of data has been contested, during the period when the Academy is attempting to verify the accuracy of the data;
- Where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;
- Where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim;
- Where there has been an objection made under para 8.2 above, pending the outcome of any decision.
Right to portability
If an individual wants to send their personal data to another organisation they have a right to request that the Academy provides their information in a structured, commonly used, and machine readable format.
As this right is limited to situations where the Academy is processing the information on the basis of consent or performance of a contract, the situations in which this right can be exercised will be quite limited. If a request for this is made, it should be forwarded to Data Protection Officer within 2 working days of receipt, and Data Protection Officer will review and revert as necessary.
- Biometric recognition systems
Where we use students’ biometric data as part of an automated biometric recognition system for example, students use finger prints to receive school dinners instead of paying with cash, we will comply with the requirements of the Protection of Freedoms Act 2012.
Parents/carers will be notified before any biometric recognition system is put in place or before their child first takes part in it. The Academy will obtain written consent from at least one parent or carer before we take any biometric data from their child and first process it.
Parents/carers and students have the right to choose not to use the Academy’s biometric system(s). We will provide alternative means of accessing the relevant services for those students. For example, students can pay using a PIN number.
Parents/carers and students can object to participation in the Academy’s biometric recognition system(s), or withdraw consent, at any time, and we will make sure that any relevant data already captured is deleted.
As required by law, if a student refuses to participate in, or continue to participate in, the processing of their biometric data, we will not process that data irrespective of any consent given by the student’s parent(s)/carer(s).
Where staff members or other adults use the Academy’s biometric system(s), we will also obtain their consent before they first take part in it, and provide alternative means of accessing the relevant service if they object. Staff and other adults can also withdraw consent at any time, and the Academy will delete any relevant data already captured.
- Photographs and videos
As part of our Academy activities, we may take photographs and record images of individuals within our Academy.
We will obtain written consent from parents/carers for photographs and videos to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used to both the parent/carer and student.
Where we need parental consent, we will clearly explain how the photograph and/or video will be used to both the parent/carer and student. Where we don’t need parental consent, we will clearly explain to the student how the photograph and/or video will be used.
Uses may include:
- Within Academy on notice boards and in Academy magazines, brochures, newsletters, etc.
- Outside of Academy by external agencies such as the Academy photographer, newspapers, campaigns
- Online on our Academy website or social media pages
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.
When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.
See our photo consent form Appendix E for more information on our use of photographs and videos.
- Breach of any Requirement of the GDPR
Any and all breaches of the GDPR, including a breach of any of the data protection principles shall be reported as soon as it is discovered, to the Data Protection Officer
Once notified, the Data Protection Officer shall assess:
- The extent of the breach;
- The risks to the data subjects as a consequence of the breach;
- Any security measures in place that will protect the information;
- Any measures that can be taken immediately to mitigate the risk to the individuals.
Unless the Data Protection Officer concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Academy, unless a delay can be justified.
The Information Commissioner shall be told:
- Details of the breach, including the volume of data at risk, and the number and categories of data subjects;
- The contact point for any enquiries (which shall usually be Data Protection Officer
- The likely consequences of the breach;
- Measures proposed or already taken to address the breach.
If the breach is likely to result in a high risk to the rights and freedoms of the affected individual’s then the Data Protection Officer shall notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
- Data subjects shall be told:
- The nature of the breach;
- Who to contact with any questions;
- Measures taken to mitigate any risks.
Data Protection Officer shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the [board] and a decision made about implementation of those recommendations.
This ensures staff understand what is acceptable when using IT equipment, software and data in the Academy. Please refer to Appendix F. This document is completed as part of the staff member’s mandatory data protection training.
- Disposal of records
Inaccurate or out of date records will also be disposed of securely, where we cannot or do not need to rectify or update it.
For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on the Academy’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
Full details of how long we are required to retain data ca be found in Appendix D
Personal data that is no longer needed will be disposed of securely.
Our staff and governors are provided with data protection training as part of their induction process.
Data protection will also form part of continuing professional development, where changes to legislation or the Academy’s processes make it necessary.
- Data Impact Assessment
A Data Impact Assessment can be used to identify the risk the Academy potentially faces and what actions are in place to mitigate the risk. This assessment is required where data processing is likely to result in a high risk to individual for example:
- Deployment of new technology
- Profiling that is likely to significantly affect individuals
- Monitoring Arrangements
The DPO is responsible for monitoring and reviewing this policy.
This policy will be reviewed and updated if necessary when the Data Protection Bill receives royal assent and becomes law (as the Data Protection Act 2018) – if any changes are made to the bill that affect our Academy’s practice. Otherwise, or from then on, this policy will be reviewed every 2 years and shared with the full governing board.
- Links with other policies
This Data Protection Policy is linked to the Freedom of Information publication scheme.
 For example, if asked for the number of female employees, and you only have one female employee, this would be personal data if it was possible to obtain a list of employees from the website as there is only one individual who it could relate to.