The General Data Protection Regulation (GDPR)

​

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.

​

‘Personal data’ means information that can identify a living individual.

​

Main principles

​

The GDPR sets out the key principles that all personal data must be processed in line with.

​

• Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected

​

There are also stronger rights for individuals regarding their own data.

​

• The individual’s rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all

​

New requirements

​

The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are:

​

• Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law

• Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data

• Schools will only have a month to comply with subject access requests, and in most cases can’t charge

• Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous

• There are new, special protections for children’s data

• The Information Commissioner’s Office must be notified within 72 hours of a data breach

• Organisations will have to demonstrate how they comply with the new law

• Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils

​

How We Aim To Achieve This

​

At Captain Webb Primary School we take data protection seriously and to ensure we are full compliant with both the Data Protection Act and the new GDPR legislation.  To this extent we have undertaken the following actions:

​

• We are registered as a Data Controller with the Information Commissioners Office - our registration number is Z6446791

• We have employed a Data Protection Officer, through a contract with the Local Authority.

• We have updated our Data Protection Policy, and ensure it is reviewed annually to ensure compliance with legislation (see below).  The policy includes the new guidelines on making a data request and the process that parents/carers will need to follow.

• We have updated our Freedom of Information Policy, and ensure it is reviewed annually to ensure compliance with legislation (see below). 

• We have completed a data audit of all information received, held or shared by the school.  This includes naming an individual who has responsibility for each stream of data, analysing how the data is received, stored, its relevance, whether we have a legal purpose to hold the data and that it is deleted / destroyed at the appropriate time.

• We have confirmed that the organisations, with which we share data, are also compliant with the GDPR and Data Protection regulations.

• We have updated our Privacy Notice (see below)

• We have organised for annual training in Data Protection and the new GDPR for all staff who are data processors (i.e. have access to/use the information we hold).

• We have reviewed our legal purposes for holding and using data.  Whilst most of the data we use is done so under legal obligation (i.e. under the Education Act 1996  or Keeping Children Safe in Education (DfE,2016) and allows us to perform our public task, some data we use is not.  In these cases we will always seek parental consent.  We have updated our parental consent form (see below) to ensure parents can clearly see what is being requested, and can positively opt in.

​

      Consent can be withdrawn by the parent, at any time, by downloading and completing the parental consent form below, or by contacting the school office 

    

Whilst the education of your child is not dependant on your consent being given, we do ask for consent to certain activities. Whilst this does not fall under the scope of the GDPR, the refusal to give consent to certain requests (i.e. trips and visits, watching a video) could have an impact on your child being included in certain educational activities.