View the Data Protection Policy pdf document HERE or see below.
1.1 Policy statement and objectives
1.2 The objectives of this Data Protection Policy are to ensure that the Shaw Education Trust (the “Trust”) and its directors, academy councillors, members and employees are informed about, and comply with, their obligations under the General Data Protection Regulation (“the GDPR”) and other data protection legislation.
1.3 The Trust is a multi-academy trust with numerous academies, a school centred initial teacher training provider (SCITT) and a Teaching School Alliance (TSA). The Trust is the Data Controller for all the Personal Data processed by the academies, SCITT and TSA, and by the central team at the Trust. For the purpose of this policy, the terms ‘academies’ will be used in reference to the SCITT and TSA. For a list of the academies within the Trust, please see our website: http://www.shaw-education.org.uk/
1.4 Everyone has rights with regard to how their personal information is handled. During the course of our activities we will process personal information about a number of different groups of people and we recognise that we need to treat it in an appropriate and lawful manner. This personal information is collected by the academies within the Trust, but also by the central team who work for the Trust.
1.5 The type of information that we may be required to handle include details of job applicants, current, past and prospective employees, pupils, associate teachers, parents / carers and other members of pupils’ families, directors, academy councillors, members suppliers and other individuals that we communicate with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR and other legislation. The GDPR imposes restrictions on how we may use that information.
1.6 This policy does not form part of any employee’s contract of employment and it may be amended at any time. Any breach of this policy by members of staff will be taken seriously and may result in disciplinary action and serious breaches may result in dismissal. Breach of the GDPR may expose the Trust to enforcement action by the Information Commissioner’s Office (ICO) or fines. Furthermore, certain breaches of the Act can give rise to personal criminal liability for the Trust’s employees. At the very least, a breach of the GDPR could damage our reputation and have serious consequences for the Trust and for our stakeholders.
1.7 This policy has been approved by the directors of the Trust. It sets out our rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
2 Data protection principles
2.1 Anyone processing Personal Data must comply with the enforceable principles of good practice. These provide that Personal Data must be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3 Processed lawfully, fairly and in a transparent manner
3.1 The GDPR is intended not to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. The Data Subject must be told who the Data Controller is (in this case the Trust), who the Data Controller’s representative is (in this case the DPO), the purpose for which the data is to be Processed by us, and the identities of anyone to whom the Data may be disclosed or transferred.
3.2 For Personal Data to be processed lawfully, certain conditions have to be met. These may include:
where we have the Consent of the Data Subject;
where it is necessary for compliance with a legal obligation;
where processing is necessary to protect the vital interests of the Data Subject or another person;
where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
3.3 Personal data may only be processed for the specific purposes notified to the Data Subject when the data was first collected, or for any other purposes specifically permitted by the Act. This means that Personal Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the Data Subject must be informed of the new purpose before any processing occurs.
3.4 Sensitive Personal Data
3.4.1 The Trust processes Sensitive Personal Data about our stakeholders. We recognise that the law states that this type of Data needs more protection. Therefore, Data Users must be more careful with the way in which we process Sensitive Personal Data.
3.4.2 When Sensitive Personal Data is being processed, as well as establishing a lawful basis (as outlined in paragraph 6.3 above), a separate condition for processing it must be met. In most cases the relevant conditions are likely to be that:
the Data Subject’s explicit consent to the processing of such data has been obtained
processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, where we respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject;
processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the Data Subject.
3.4.3 The Trust recognises that in addition to Sensitive Personal Data, we are also likely to Process information about our stakeholders which is confidential in nature, for example, information about family circumstances, child protection or safeguarding issues. Appropriate safeguards must be implemented for such information, even if it does not meet the legal definition of Sensitive Personal Data.
3.5 Biometric Data
3.5.1 Academies in the Trust may process Biometric Data as part of an automated biometric recognition system, for example, for cashless catering or photo ID card systems where a pupil’s photo is scanned automatically to provide him or her with services. Biometric Data is a type of Sensitive Personal Data.
3.5.2 Where Biometric Data relating to pupils is processed, the relevant academy must ensure that each parent of a child is notified of the school’s intention to use the child’s Biometric Data and obtain the written consent of at least one parent before the data is taken from the pupil and used as part of an automated biometric recognition system. An academy must not process the Biometric Data if a pupil under 18 years of age where:
the child (whether verbally or non-verbally) objects or refuses to participate in the Processing of their Biometric Data;
no Parent has Consented in writing to the processing; or
a Parent has objected in writing to such processing, even if another Parent has given written Consent.
3.5.3 Academies must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system. The Trust will comply with any guidance or advice issued by the Department for Education on the use of Biometric Data from time to time.
3.5.4 The Trust and / or the relevant academies must obtain the explicit Consent of staff, trustees, academy councillors, members or other data subjects before processing their Biometric Data.
3.6 Criminal convictions and offences
3.6.1 There are separate safeguards in the GDPR for Personal Data relating to criminal convictions and offences.
3.6.2 It is likely that the Trust and its academies will Process Data about criminal convictions or offences. This may be as a result of pre-vetting checks we are required to undertake on staff, associate teachers, trustees and academy councillors, or due to information which we may acquire during the course of their employment or appointment.
3.6.3 In addition, from time to time we may acquire information about criminal convictions or offences involving pupils or Parents. This information is not routinely collected and is only likely to be processed by the Trust in specific circumstances, for example, if a child protection issue arises or if a parent / carer is involved in a criminal matter.
3.6.4 Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and / or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
3.7 Transparency
3.7.1 One of the key requirements of the GDPR relates to transparency. This means that the Trust must keep Data Subjects informed about how their Personal Data will be processed when it is collected.
3.7.2 One of the ways we provide this information to individuals is through a privacy notice which sets out important information what we do with their Personal Data. The Trust has developed privacy notices for the following categories of people:
Pupils
Parents / carers
Staff
Trustee, Academy Councillors and SCITT Strategic Board
Associate teachers (trainees)
Suppliers, contractors and external sessional providers
3.7.3 The Trust wishes to adopt a layered approach to keeping people informed about how we process their Personal Data. This means that the privacy notice is just one of the tools we will use to communicate this information. Trust employees are expected to use other appropriate and proportionate methods to tell individuals how their Personal Data is being processed if Personal Data is being processed in a way that is not envisaged by our privacy notices and / or at the point when individuals are asked to provide their Personal Data, for example, where Personal Data is collected about visitors to Academy premises or if we ask people to complete forms requiring them to provide their Personal Data.
3.7.4 We will ensure that privacy notices are concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
3.8 Consent
3.8.1 The Trust must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include Consent. Consent is not the only lawful basis and there are likely to be many circumstances when we process Personal Data and our justification for doing so is based on a lawful basis other than Consent.
3.8.2 A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
3.8.3 In the event that we are relying on Consent as a basis for Processing Personal Data about pupils, if a pupil is aged under 13, we will need to obtain Consent from the Parent(s). In the event that we require Consent for Processing Personal Data about pupils aged 13 or over, we will require the Consent of the pupil although, depending on the circumstances, academies should consider whether it is appropriate to inform Parents about this process. Consent is likely to be required if, for example, an academy wishes to use a photo of a pupil on its website or on social media. Consent is also required is also required before any pupils are signed up to online learning platforms. Such Consent must be from the Parent is the pupil is aged under 13. When relying on Consent, we will make sure that the child understands what they are consenting to, and we will not exploit any imbalance in power in the relationship between us.
3.8.4 Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if we intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
3.8.5 Unless we can rely on another legal basis of Processing, Explicit Consent is usually required for Processing Sensitive Personal Data. Often we will be relying on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Data.
3.8.6 Evidence and records of Consent must be maintained so that the Trust can demonstrate compliance with Consent requirements.
4 Specified, explicit and legitimate purposes
4.1 Personal data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject, for example, in the Privacy Notice or at the point of collecting the Personal Data. Any data which is not necessary for that purpose should not be collected in the first place.
4.2 The Trust will be clear with Data Subjects about why their Personal Data is being collected and how it will be processed. We cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have Consented where necessary.
5 Adequate, relevant and limited to what is necessary
5.1 The Trust will ensure that the Personal Data collected is adequate to enable us to perform our functions and that the information is relevant and limited to what is necessary.
5.2 In order to ensure compliance with this principle, the Trust will check records at appropriate intervals for missing, irrelevant or seemingly excessive information and may contact Data Subjects to verify certain items of data.
5.3 Trust employees must also give due consideration to any forms stakeholders are asked to complete and consider whether the all the information is required. We may only collect Personal Data that is needed to operate as a school functions and we should not collect excessive data. We should ensure that any Personal Data collected is adequate and relevant for the intended purposes.
5.4 The Trust will implement measures to ensure that Personal Data is processed on a ‘Need to Know’ basis. This means that the only members of staff, academy councillors or trustees who need to know Personal Data about a Data Subject will be given access to it and no more information than is necessary for the relevant purpose will be shared. In practice, this means that the Trust may adopt a layered approach in some circumstances, for example, members of staff, trustees or academy councillors may be given access to basic information about a pupil or employee if they need to know it for a particular purpose but other information about a Data Subject may be restricted to certain members of staff who need to know it, for example, where the information is Sensitive Personal Data, relates to criminal convictions or offences or is confidential in nature (for example, child protection or safeguarding records).
5.5 When Personal Data is no longer needed for specified purposes, it must be deleted or anonymised in accordance with the Trust’s data retention guidelines.
6 Accurate and, where necessary, kept up-to-date
6.1 Personal data must be accurate and kept up-to-date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed.
6.2 If a Data Subject informs the Trust of a change of circumstances their records will be updated as soon as is practicable.
6.3 Where a Data Subject challenges the accuracy of their data, the Trust will immediately mark the record as potentially inaccurate, or ‘challenged’. In the case of any dispute, we shall try to resolve the issue informally, but if this proves impossible, disputes will be referred to the Data Protection Officer for their judgement. If the problem cannot be resolved at this stage, the Data Subject should refer their complaint to the Information Commissioner’s Office. Until resolved the ‘challenged’ marker will remain and all disclosures of the affected information will contain both versions of the information.
6.4 Notwithstanding paragraph 6.3, a Data Subject continues to have rights under the GDPR and may refer a complaint to the Information Commissioner’s Office regardless of whether the procedure set out in paragraph 6.3 has been followed.
7 Data to be kept for no longer than is necessary for the purposes for which the Personal Data are processed
7.1 Personal data should not be kept longer than is necessary for the purpose for which it is held. This means that data should be destroyed or erased from our systems when it is no longer required.
7.2 It is the duty of the DPO, after taking appropriate guidance for legal considerations, to ensure that obsolete data are properly erased. The Trust has a retention schedule for all data.
8 Data to be processed in a manner that ensures appropriate security of the Personal Data
8.1 The Trust has taken steps to ensure that appropriate security measures are taken against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. Data Subjects may apply to the courts for compensation if they have suffered damage from such a loss.
8.2 The GDPR requires us to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
8.3 We will develop, implement and maintain safeguards appropriate to our size, scope, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
8.4 Data Users are responsible for protecting the Personal Data we hold. Data Users must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. Data Users must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
8.5 Data Users must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. Data Users must comply with all applicable aspects of our Data Security Policy and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR and relevant standards to protect Personal Data.
8.6 Data Users must be aware that it is a criminal offence for someone to knowingly or recklessly obtain or disclose Personal Data without the Trust’s consent (or to ask someone to do it on their behalf) and / or to retain it without our knowledge (for example, if a member of staff accesses Personal Data about pupils or other members of staff without our consent and / or shares that data with people who are not permitted to see it). It is also an offence to sell or try to sell such Personal Data. These offences will also be treated as disciplinary issues in accordance with the Trust’s HR policies.
8.7 Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Personal Data, defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes.
8.8 It is the responsibility of all members of staff, trustees and academy councillors to work together to ensure that the Personal Data we hold is kept secure. We rely on our colleagues to identify and report any practices that do not meet these standards so that we can take steps to address any weaknesses in our systems. Anyone who has any comments or concerns about security should notify the Principal of the relevant Academy or the DPO.
8.9 Please see our Data Security Policy for details for the arrangements in place to keep Personal Data secure.
8.10 Trustees and academy councillors
8.10.1 Trustees and academy councillors are likely to process Personal Data when they are performing their duties, for example, if they are dealing with employee issues, pupil exclusions or parent complaints. Trustees and academy councillors should be trained on the Trust’s data protection processes as part of their induction and should be informed about their responsibilities to keep Personal Data secure. This includes:
Ensuring that Personal Data which comes into their possession as a result of their trustee or local governor duties is kept secure from third parties, including family members and friends;
Ensuring they are provided with a copy of the Trust’s Data Security Policy.
Using a Trust email account for any Trust-related communications;
Ensuring that any Trust-related communications or information stored or saved on an electronic device or computer is password protected [and encrypted;
Taking appropriate measures to keep Personal Data secure, which includes ensuring that hard copy documents are securely locked away so that they cannot be access by third parties.
8.10.2 Trustees and academy councillors will be asked to read and sign an Acceptable Use Agreement.
9 Processing in line with Data Subjects’ rights
9.1 Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
withdraw Consent to Processing at any time;
receive certain information about the Data Controller’s Processing activities;
request access to their Personal Data that we hold;
prevent our use of their Personal Data for direct marketing purposes;
ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
restrict Processing in specific circumstances;
challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
request a copy of an agreement under which Personal Data is transferred outside of the EEA;
object to decisions based solely on Automated Processing, including profiling (Automated Decision Making);
prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
make a complaint to the supervisory authority (the ICO); and
in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
9.2 We are required to verify the identity of an individual requesting data under any of the rights listed above. Members of staff should not allow third parties to persuade them into disclosing Personal Data without proper authorisation.
10 Dealing with subject access requests
10.1 The GDPR extends to all Data Subjects a right of access to their own Personal Data. A formal request from a Data Subject for information that we hold about them must be made in writing. The Trust or its academies can invite a Data Subject to complete a form but we may not insist that they do so.
10.2 It is important that all members of staff are able to recognise that a written request made by a person for their own information is likely to be a valid Subject Access Request, even if the Data Subject does not specifically use this phrase in their request or refer to the GDPR. In some cases, a Data Subject may mistakenly refer to the “Freedom of Information Act” but this should not prevent an Academy or the Trust from responding to the request as being made under the GDPR, if appropriate. Some requests may contain a combination of a Subject Access Request for Personal Data under the GDPR and a request for information under the Freedom of Information Act 2000 (“FOIA”). Requests for information under the FOIA must be dealt with promptly and in any event within 20 school days.
10.3 Any member of staff who receives a written request of this nature must immediately forward it to the Academy Data Protection Manager as the statutory time limit for responding is one calendar month from receipt of the request.. Under the Data Protection Act 1998 (DPA 1998), Data Controllers previously had 40 calendar days to respond to a request. The Academy Data Protection Manager must inform the DPO about the subject access request but it is likely that the Academy Data Protection Manager will project manage the response to the request with input from the DPO. If a request is received by the central team at the Trust, the DPO must be notified without delay.
10.4 As the time for responding to a request does not stop during the periods when an academy is closed for the holidays, we will attempt to mitigate any impact this may have on the rights of data subjects to request access to their data by implementing the following measures:
A designated GDPR email address will be used to receive Subject Access Requests (SARs): GDPR@knste-shaw.org.uk
Emails will be regularly monitored to ensure that a response is provided within the statutory timescale.
A fee may no longer be charged to the individual for provision of this information (previously a fee of £10 could be charged under the DPA 1998).
10.5 The Academy or central team at the Trust may ask the Data Subject for reasonable identification so that they can satisfy themselves about the person’s identity before disclosing the information.
10.6 In order to ensure that people receive only information about themselves it is essential that a formal system of requests is in place.
10.7 Requests from pupils who are considered mature enough to understand their rights under the GDPR will be processed as a subject access request as outlined below and the data will be given directly to the pupil (subject to any exemptions that apply under the
GDPR or other legislation). As the age when a young person is deemed to be able to give Consent for online services is 13, we will use this age as a guide for when pupils may be considered mature enough to exercise their own subject access rights. In every case it will be for the Trust, as Data Controller, to assess whether the child is capable of understanding their rights under the GDPR and the implications of their actions, and so decide whether the Parent needs to make the request on the child’s behalf. A Parent would normally be expected to make a request on a child’s behalf if the child is younger than 13 years of age.
10.8 Requests from pupils who do not appear to understand the nature of the request will be referred to their Parents or carers.
10.9 Requests from Parents in respect of their own child will be processed as requests made on behalf of the Data Subject (the child) where the pupil is aged under 13 (subject to any exemptions that apply under the Act or other legislation). If the Parent makes a request for their child’s Personal Data and the child is aged 13 or older and / or the Trust considers the child to be mature enough to understand their rights under the GDPR, the Trust shall ask the pupil for their Consent to disclosure of the Personal Data if there is no other lawful basis for sharing the Personal Data with the Parent (subject to any enactment or guidance which permits the Trust to disclose the Personal Data to a Parent without the child’s Consent). If Consent is not given to disclosure, the Trust shall not disclose the Personal Data if to do so would breach any of the data protection principles.
10.10 It should be noted that the Education (Pupil Information) (England) Regulations 2005 do not apply to academies so the rights available to parents in those Regulations to access their child’s educational records are not applicable to academies in the Trust. Instead, requests from Parents for Personal Data about their child must be dealt with under the GDPR (as outlined above). This is without prejudice to the obligation on the Trust in the Education (Independent School Standards) Regulations 2014 to provide an annual report of each registered pupil’s progress and attainment in the main subject areas taught to every parent (unless they agree otherwise in writing).
10.11 Following receipt of a subject access request, and provided that there is sufficient information to process the request, an entry should be made in the Trust’s Subject Access log book, showing the date of receipt, the Data Subject’s name, the name and address of requester (if different), the type of data required (e.g. Student
Record, Personnel Record), and the planned date for supplying the information (not more than one calendar month from the request date). The nominated data official is responsible for completing the log if the request is received at Academy level and the DPO is responsible for completing the log for requests received at Trust level. Should more information be required to establish either the identity of the Data Subject (or agent) or the type of data requested, the date of entry in the log will be date on which sufficient information has been provided.
10.12 Where requests are “manifestly unfounded or excessive”, in particular because they are repetitive, the Trust can:
charge a reasonable fee taking into account the administrative costs of providing the information; or
refuse to respond.
10.13 Where we refuse to respond to a request, the response must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month. Members of staff should refer to any guidance issued by the ICO on Subject Access Requests and consult the DPO before refusing to respond to a request.
10.14 Certain information may be exempt from disclosure so members of staff will need to consider what exemptions (if any) apply and decide whether you can rely on them. For example, information about third parties may be exempt from disclosure. In practice, this means that you may be entitled to withhold some documents entirely or you may need to redact parts of them. Care should be taken to ensure that documents are redacted properly. Please seek further advice or support from the DPO if you are unsure which exemptions apply.
10.15 In the context of an Academy a subject access request is normally part of a broader complaint or concern from a Parent or may be connected to a disciplinary or grievance for an employee. Members of staff should therefore ensure that the broader context is taken into account when responding to a request and seek advice if required on managing the broader issue and the response to the request.
11 Providing information over the telephone
Section Title
11.1 Any member of staff dealing with telephone enquiries should be careful about disclosing any Personal Data held by the Trust whilst also applying common sense to the particular circumstances. In particular they should:
Check the caller’s identity to make sure that information is only given to a person who is entitled to it.
Suggest that the caller put their request in writing if they are not sure about the caller’s identity and where their identity cannot be checked.
Refer to their line manager or the DPO for assistance in difficult situations. No-one should feel pressurised into disclosing personal information.
12 Authorised disclosures
12.1 The Trust will only disclose data about individuals if one of the lawful bases apply.
12.2 Only authorised and trained staff are allowed to make external disclosures of Personal Data. The Trust and its academies will regularly share Personal Data with third parties where it is lawful and appropriate to do so including, but not limited to, the following:
Local Authorities
the Department for Education
the Education & Skills Funding Agency
the Disclosure and Barring Service
the Teaching Regulation Agency
the Teachers’ Pension Service
the Local Government Pension Scheme
our external HR providers
our external payroll providers
our external IT Provider
HMRC
the Police or other law enforcement agencies
our legal advisors and other consultants
insurance providers / the Risk Protection Arrangement
occupational health advisors
Section Title
exam boards;
the Joint Council for Qualifications;
NHS health professionals including educational psychologists and school nurses;
Education Welfare Officers;
Courts, if ordered to do so;
Prevent teams in accordance with the Prevent Duty on schools;
other schools, for example, if we are negotiating a managed move and we have Consent to share information in these circumstances;
confidential waste collection companies;
12.3 Some of the organisations we share Personal Data with may also be Data Controllers in their own right in which case we will be jointly controllers of Personal Data and may be jointly liable in the event of any data breaches.
12.4 Data Sharing Agreements should be completed when setting up ‘on-going’ or ‘routine’ information sharing arrangements with third parties who are Data Controllers in their own right. However, they are not needed when information is shared in one-off circumstances but a record of the decision and the reasons for sharing information should be kept.
12.5 All Data Sharing Agreements must be signed off by the Data Protection Officer who will keep a register of all Data Sharing Agreements.
12.6 The GDPR requires Data Controllers to have a written contract in place with Data Processors which must include specific clauses relating to the way in which the data is Processed (“GDPR clauses”). A summary of the GDPR clauses is set out in Appendix 1. It will be the responsibility of the Academy entering into the contract to ensure that the GDPR clauses have been added to the contract with the Data Processor. Personal data may only be transferred to a third-party Data Processor if they agree to put in place adequate technical, organisational and security measures themselves.
12.7 In some cases Data Processors may attempt to include additional wording when negotiating contracts which attempts to allocate some of the risk relating to compliance with the GDPR, including responsibility for any Personal Data Breaches, onto the Trust. In these circumstances, the member of staff dealing with the contract
Section Title
should contact the DPO for further advice before agreeing to include such wording in the contract.
13 Reporting a Personal Data Breach
13.1 The GDPR requires Data Controllers to notify any Personal Data Breach to the ICO and, in certain instances, the Data Subject.
13.2 A notifiable Personal Data Breach must be reported to the ICO without undue delay and where feasible within 72 hours, unless the data breach is unlikely to result in a risk to the individuals.
13.3 If the breach is likely to result in high risk to affected Data Subjects, the GDPR, requires organisations to inform them without undue delay.
13.4 It is the responsibility of the DPO, or the nominated deputy, to decide whether to report a Personal Data Breach to the ICO.
13.5 We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
13.6 The Trust recognises that as our academies are closed or have limited staff available during school holidays, there will be times when our ability to respond to a Personal Data Breach promptly and within the relevant timescales will be affected. We will consider any proportionate measures that we can implement to mitigate the impact this may have on Data Subjects when we develop our Data Breach Response Plan.
13.7 If a member of staff, trustee or local governor knows or suspects that a Personal Data Breach has occurred, our Data Breach Response Plan must be followed. In particular, the DPO or such other person identified in our Data Breach Response Plan must be notified immediately. You should preserve all evidence relating to the potential Personal Data Breach.
14 Accountability
14.1 The Trust must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Trust is responsible for, and must be able to demonstrate, compliance with the data protection principles.
14.2 The Trust must have adequate resources and controls in place to ensure and to document GDPR compliance including:
appointing a suitably qualified DPO (where necessary) and an executive team accountable for data privacy;
Section Title
implementing Privacy by Design when Processing Personal Data and completing Data Protection Impact Assessments (DPIAs) where Processing presents a high risk to rights and freedoms of Data Subjects;
integrating data protection into internal documents including this Data Protection Policy, related policies and Privacy Notices;
regularly training Trust employees, trustees and academy councillors on the GDPR, this Data Protection Policy, related policies and data protection matters including, for example, Data Subject’s rights, Consent, legal bases, DPIA and Personal Data Breaches. The Trust must maintain a record of training attendance by Trust personnel; and
regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
15 Record keeping
15.1 The GDPR requires us to keep full and accurate records of all our Data Processing activities.
15.2 We must keep and maintain accurate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents.
15.3 These records should include, at a minimum, the name and contact details of the Data Controller and the DPO, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. In order to create such records, data maps should be created which should include the detail set out above together with appropriate data flows.
16 Training and audit
16.1 We are required to ensure all Trust personnel have undergone adequate training to enable us to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
16.2 Members of staff must attend all mandatory data privacy related training.
17 Privacy by Design and Data Protection Impact Assessments (DPIA)
Section Title
17.1 We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.
17.2 This means that we must assess what Privacy by Design measures can be implemented on all programs/systems/processes that Process Personal Data by taking into account the following:
the state of the art;
the cost of implementation;
the nature, scope, context and purposes of Processing; and
the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
17.3 We are also required to conduct DPIAs in respect to high risk Processing.
17.4 The Trust and its academies should conduct a DPIA and discuss your findings with the DPO when implementing major system or business change programs involving the Processing of Personal Data including (but not limited to):
use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
Automated Processing including profiling and ADM;
large scale Processing of Sensitive Data; and
large scale, systematic monitoring of a publicly accessible area.
17.5 We will also undertake a DPIA as a matter of good practice to help us to assess and mitigate the risks to pupils. If our processing is likely to result in a high risk to the rights and freedom of children then a DPIA should be undertaken.
17.6 A DPIA must include:
a description of the Processing, its purposes and the Trust’s legitimate interests if appropriate;
an assessment of the necessity and proportionality of the Processing in relation to its purpose;
an assessment of the risk to individuals; and
the risk mitigation measures in place and demonstration of compliance.
Section Title
18 CCTV
18.1 The Trust and its academies use CCTV in locations around their sites. This is to:
protect the academy buildings and their assets;
increase personal safety and reduce the fear of crime;
support the Police in a bid to deter and detect crime;
assist in identifying, apprehending and prosecuting offenders;
provide evidence for the Trust to use in its internal investigations and / or disciplinary processes in the event of behaviour by staff, pupils or other visitors on the site which breaches or is alleged to breach the Trust’s policies;
protect members of the school community, public and private property; and
assist in managing the academy.
19 Policy Review
19.1 It is the responsibility of the directors to facilitate the review of this policy on a regular basis. Recommendations for any amendments should be reported to the DPO.
19.2 We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
19.3 This policy should be reviewed by the Trust periodically and at least every 2 years.
20 Enquiries
20.1 Further information about the School’s Data Protection Policy is available from the DPO.
20.2 General information about the Act can be obtained from the Information Commissioner’s Office: www.ico.gov.uk
Appendix 1 – Definition of terms
Section Title
Biometric Data means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images;
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems or other media such as CCTV;
Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data.
Data Controllers means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Users include employees, volunteers, trustees and academy councillors whose work involves using Personal Data. Data Users have a duty to protect the information they handle by following our data protection and security policies at all times;
Data Processors means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
Parent has the meaning given in the Education Act 1996 and includes any person having parental responsibility or care of a child;
Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Privacy by Design means implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR;
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
Section Title
otherwise making available, alignment or combination, restriction, erasure or destruction;
Sensitive Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Appendix 2 – Data Protection Officer
Section Title
The Data Protection Officer (the “DPO”) is responsible for ensuring the Trust is compliant with the GDPR and with this policy. This post is held at Trust level by Natalie Kennedy, Marketing and Communications Officer, who is available to contact on Natalie.kennedy@shaw-education.org.uk. In the event that the DPO is unavailable for any reason, the DPO’s responsibilities will be undertaken by Gavin Lawrie, Director of Operations. In addition, a ‘link’ person will be appointed at each academy within the Trust and will report to the DPO on matters relating to data protection compliance, to be known as the Academy Data Protection Lead. Any questions or concerns about the operation of this policy should be referred in the first instance to the DPO.
The DPO will play a major role in embedding essential aspects of the GDPR into the Trust’s culture, from ensuring the data protection principles are respected to preserving data subject rights, recording data processing activities and ensuring the security of processing.
The DPO should be involved, in a timely manner, in all issues relating to the protection of personal data. To do this, the GDPR requires that DPOs are provided with the necessary support and resources to enable the DPO to effectively carry out their tasks. Factors that should be considered include the following:
senior management support;
time for DPOs to fulfil their duties;
adequate financial resources, infrastructure (premises, facilities and equipment) and staff where appropriate;
official communication of the designation of the DPO to make known existence and function within the organisation;
access to other services, such as HR, IT and security, who should provide support to the DPO;
continuous training so that DPOs can stay up-to-date with regard to data protection developments;
where a DPO team is deemed necessary, a clear infrastructure detailing roles and responsibilities of each team member;
whether the Trust should give the DPO access to external legal advice to advise the DPO on their responsibilities under this Data Protection Policy.
The DPO is responsible for ensuring that the Trust’s Processing operations adequately safeguard Personal Data, in line with legal requirements. This means that the governance structure within the Trust must ensure the independence of the DPO.
The Trust will ensure that the DPO does not receive instructions in respect of the carrying out of their tasks, which means that the DPO must not be instructed how to
Section Title
deal with a matter, such as how to investigate a complaint or what result should be achieved. Further, the DPO should report directly to the highest management level, i.e. the board of directors.
The requirement that the DPO reports directly to the board of directors ensures that the Trust’s directors are made aware of the pertinent data protection issues. In the event that the Trust decides to take a certain course of action despite the DPO's advice to the contrary, the DPO should be given the opportunity to make their dissenting opinion clear to the board of directors and to any other decision makers.
A DPO appointed internally by the Trust is permitted to undertake other tasks and duties for the organisation, but these must not result in a conflict of interests with his or her role as DPO. It follows that any conflict of interests between the individual's role as DPO and other roles the individual may have within the organisation impinge on the DPO's ability to remain independent.
In order to avoid conflicts the DPO cannot hold another position within the organisation that involves determining the purposes and means of processing personal data. Senior management positions chief financial officer, head of IT or head of human resources positions are likely to cause conflicts. Some other positions may involve determining the purposes and means of processing, which will rule them out as feasible roles for DPOs.
In the light of this and in the event that the Trust decides to appoint an internal DPO, the Trust will take the following action in order to avoid conflicts of interests:
identify the positions incompatible with the function of DPO;
draw up internal rules to this effect in order to avoid conflicts of interests which may include, for example, allocating some of the DPO’s other duties to other members of staff, appointing a deputy DPO and / or obtaining advice from an external advisor if appropriate;
include a more general explanation of conflicts of interests;
declare that the DPO has no conflict of interests with regard to his or her function as a DPO, as a way of raising awareness of this requirement.
Include safeguards in the internal rules of the organisation and ensure that the job specification for the position of DPO or the service contract is sufficiently precise and detailed to avoid conflicts of interest.
External service providers will have different considerations over conflicts of interests, such as whether other advice provided to the organisation (for example, relating to the organisation's use of personal data) would affect their independence in the role of DPO.
If you consider that the policy has not been followed in respect of Personal Data about yourself or others you should raise the matter with the DPO.
View the Data Security Protection pdf HERE or see below.
For the purpose of this document, the term ‘Academy’ is also used in reference to the School Centred Initial Teacher Training provider (SCITT), unless otherwise stated. The term Principal is also used in reference to the SCITT Executive Director unless otherwise stated.
Physical security arrangements
1. Site security
1.1 All staff members will act in accordance with the Academy’s security policies or those in place at the site in which they are located.
1.2 During Academy events, all rooms except those required will be locked. Only the site manager, or other designated persons, will have a copy of the keys required to access the rooms.
1.3 Unless needed, all paperwork and equipment will be securely stored away.
1.4 When the Academy site is open for events, the event organiser and data expert will carry out an extensive risk assessment to ensure the security of data.
1.5 All Academies will implement a clear desk policy under which personal and sensitive data will not be kept in plain view, such as employee’s keeping paperwork which contains pupil information on their desk.
1.6 Any paper documents containing sensitive or confidential information will be securely stored using a lock. Only the relevant member of staff will have a copy of the key required to access the data. This member of staff is responsible for ensuring the security of this key.
1.7 Each Academy is responsible for maintaining an up-to-date record of any key holders.
1.8 Where Academy devices are used at home, a record of all devices taken off the Academy site will be maintained.
2. Devices and equipment
2.1. When using devices such as hard drives to store data, the device may be approved and encrypted by the ICT support team prior to use. SCITT staff use Microsoft One Drive and do not generally store data on the hard drive of their laptops. If they need to store data they encrypt individual files stored on laptops, personal computers or other devices rather than utilising full hard drive encryption
2.2. Devices will be locked and secured when not in use, ensuring that access to data is password protected.
Data Security Policy
2.3. All electronic equipment is stored in a secure location at the end of each day.
2.4. After using Academy equipment, staff members are responsible for ensuring that it is returned to the appropriate storage location and secured.
2.5. Staff, pupils, parents, visitors and contractors are responsible for their personal belongings, and any data stored on their devices, and the Academy is not liable for any damage or loss which may occur.
2.6. Any equipment which someone wishes to take off the Academy site will be approved by the Principal in advance and a record of the loan kept, in line with the Academy’s Personal Devices Policy.
2.7. Where the security of equipment storing data has been breached, the Academy’s data expert will be immediately informed. The expert will then report the incident to the Trust’s DPO, where necessary to do so.
E-security arrangements
1. Secure configuration
1.1. An inventory will be kept of all IT hardware and software currently in use at each Academy, including mobile phones and other personal devices provided by the Academy. This will be stored in each Academy’s office and will be audited by the data expert on a termly basis to ensure it is up-to-date.
1.2. Any changes to the IT hardware or software will be documented using the inventory, and will be authorised by the ICT support team before use.
1.3. All systems will be audited on a termly basis to ensure the software is up-to-date. Any new versions of software or new security patches will be added to systems, ensuring that they do not affect network security, and will be recorded on the inventory.
1.4. Any software that is out-of-date or reaches ‘end of life’ will be removed from systems, i.e. when suppliers end their support for outdated products, such that any security issues will not be rectified by suppliers.
1.5. Only cloud computing systems agreed and configured by the ICT support team will be used.
1.6. Each Academy’s data expert will ensure that a high-quality filtering system is in place at the Academy.
Data Security Policy
1.7. All hardware, software and operating systems, including cloud computing, will require passwords for individual users before use.
1.8. Passwords will be changed on a 90 day basis to prevent access to facilities which could compromise network security.
1.9. Passwords will not be written down or stored in a file.
1.10. Staff members will not share private information, such as employee contact details and passwords.
1.11. The Academy believes that locking down hardware, such as through strong passwords, is an effective way to prevent access to facilities by unauthorised users. This is detailed in section 6 of this policy.
1.12. Staff members leaving the Academy will be removed from the Academy’s system immediately.
2. Network security
2.1. The Academy will employ firewalls in order to prevent unauthorised access to the systems.
The Academy’s firewall will be deployed as a centralised deployment. The broadband service connects to a firewall that is located within a data centre or other major network location.
2.2. In relation to centralised deployments, the Academy’s firewall is managed locally by a third-party, the firewall management service will be thoroughly investigated by the ICT support team, to ensure that:
Any changes and updates that are logged by authorised users within the Academy, are undertaken efficiently by the provider to maintain operational effectiveness.
Patches and fixes are applied quickly to ensure that the network security is not compromised.
2.3. In relation to localised deployments, the Academy’s firewall is managed on the premises, it is the responsibility of the ICT support team to effectively manage the firewall. The ICT support team will ensure that:
The firewall is checked regularly for any changes and/or updates, and that these are recorded using the inventory.
Any changes and/or updates that are added to servers, including access to new services and applications, do not compromise the overall network security.
Data Security Policy
The firewall is checked regularly to ensure that a high level of security is maintained and there is effective protection from external threats.
Any compromise of security through the firewall is recorded using an incident log and is reported to the data expert. The ICT support team will react to security threats to find new ways of managing the firewall.
2.4. In relation to centralised deployments, the Academy will consider installing additional firewalls on the servers in addition to the third-party service as a means of extra network protection. This decision will be made by the Academy’s Principal, taking into account the level of security currently provided and any incidents that have occurred.
3. Email usage
3.1. Any emails being sent externally which contain sensitive data, such as those pertaining to safeguarding concerns, will be encrypted to reduce the risk of it being viewed by anyone other than the intended audience.
3.2. KNSTE use Egress to encrypt emails containing personal data.
3.3. Circular and bulk emails to third parties are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients.
4. Managing user privileges
4.1. The Academy understands that controlling what users have access to is important for promoting network security. User privileges will be differentiated, i.e. pupils will have different access to data and the network than members of staff.
4.2. Each Academy Principal will clearly define what users have access to and will communicate this to the ICT support team, ensuring that a written record is kept.
4.3. The ICT support team will ensure that user accounts are set up appropriately such that users can access the facilities required, in line with the Principal’s instructions, whilst minimising the potential for deliberate or accidental attacks on the network.
4.4. The ICT support team will ensure that websites are filtered on a weekly basis for inappropriate and malicious content. Any member of staff or pupil that has accessed inappropriate or malicious content will be recorded in accordance with the monitoring process in section 7 of this policy.
Data Security Policy
4.5. Pupils are responsible for remembering their own passwords; where appropriate to do so, the ICT support team will have an up-to-date record of all usernames and passwords.
4.6. In Primary Academies, KS1 pupils will not have individual logins and class logins will be used instead. If it is appropriate for a pupil to have their individual login, the ICT support team will set up their individual user account, ensuring appropriate access and that their username and password is recorded.
4.7. The ‘master user’ password used by the ICT support team will be made available to the Principal and will be kept in a secure place.
4.8. A multi-user account will be created for visitors to the Academy, such as volunteers, and access will be filtered as per the Principal’s instructions. Usernames and passwords for this account will be changed on a 90 day basis, and will be provided as required.
4.9. Academy business managers or Principals should establish robust systems for informing the ICT support team to delete inactive users or users who have left the Academy. The ICT support team will manage this provision to ensure that all users that should be deleted are, and that they do not have access to the system.
5. Monitoring usage
5.1. Monitoring user activity is important for early detection of attacks and incidents, as well as inappropriate usage by pupils or staff.
5.2. The Academy will inform all pupils and staff that their usage will be monitored, in accordance with the Academy’s Acceptable Use Policy and E-safety Policy.
5.3. An alert will be sent to the ICT support team or appropriate line manager when monitoring usage, if the user accesses inappropriate content or a threat is detected. Alerts will also be sent for unauthorised and accidental usage.
5.4. Alerts will identify the user, the activity that prompted the alert and the information or service the user was attempting to access.
5.5. The ICT support team or appropriate line manager will record any alerts using an incident log and will report this to the data expert. All incidents will be responded to in accordance with the Data Protection Policy.
5.6. All data gathered by monitoring usage will be kept in a secure location for easy access when required. This data may be used as a method of
Data Security Policy
evidence for supporting a not yet discovered breach of network security.
6. Removable media controls and home working
6.1. The Academy understands that pupils and staff may need to access the Academy network from areas other than on the premises. Effective security management will be established to prevent access to, or leakage of, data, as well as any possible risk of malware.
6.2. The ICT support team will encrypt all Academy-owned devices for personal use, such as laptops, USB sticks, mobile phones and tablets. If any portable devices are lost, this will prevent unauthorised access to personal data.
6.3. The SCITT does not promote the use of removable media devices by its staff and requires all staff to agree to, and act in accordance with, the SCITT’s Laptop Computer Responsible Use Policy.
6.4. In exceptional circumstances SCITT staff may encrypt individual files stored on laptops, personal computers or other devices rather than utilising full hard drive encryption.
6.5. Pupils and staff are not permitted to use their personal devices where the Academy provides alternatives, such as work laptops, tablets and USB sticks, unless instructed otherwise by the Academy Principal.
6.6. If pupils and staff are instructed that they are able to use their personal devices, they will ensure that they have an appropriate level of security and firewall to prevent any compromise of the Academy’s network security. This will be checked by the ICT support team.
6.7. When using laptops, tablets and other portable devices, the data expert will determine the limitations for access to the network, as described in section 6 of this policy.
6.8. Staff who use Academy-owned laptops, tablets and other portable devices will use them for work purposes only, whether on or off of the Academy premises.
6.9. The ICT support team will filter the use of websites on devices when used onsite, in order to prevent inappropriate use and external threats which may compromise the network security.
6.10. All data will be held on systems centrally in order to reduce the need for the creation of multiple copies, and/or the need to transfer data using removable media controls.
6.11. The Wi-Fi network at the Academy will be password protected and will only be given out as required. Staff and pupils are not permitted to use
Data Security Policy
the Wi-Fi for their personal devices, such as mobile phones or tablets, unless instructed otherwise.
6.12. A separate Wi-Fi network will be established for visitors at the Academy to limit their access from printers, shared storage areas and any other applications which are not necessary.
7. Malware prevention
7.1. The Academy understands that malware can be damaging for network security and may enter the network through a variety of means, such as email attachments, social media, malicious websites or removable media controls.
7.2. The ICT support team will ensure that all Academy devices have secure malware protection, including regular malware scans.
7.3. The ICT support team will update malware protection on a daily basis to ensure they are up-to-date and can react to changing threats.
7.4. Malware protection will also be updated in the event of any attacks to the Academy’s hardware and software.
7.5. Filtering of websites, as detailed in section 6 of this policy, will ensure that access to websites with known malware is blocked immediately and reported to the ICT support team.
7.6. The Academy will use mail security technology, which will detect and block any malware that is transmitted by email. This will also detect any spam or other messages which are designed to exploit users.
7.7. The ICT support team will review the mail security technology on a termly basis to ensure it is kept up-to-date and is effective.
Processor protocol
1.1 When handling personal data, staff members will:
o Act in accordance with the Academy’s Data Protection Policy.
o Verify the identity of the person requesting the information before releasing any data.
o Be cautious about communications which involve phrases such as ‘urgent matter’, ‘forgotten password’ or ‘computer virus emergency’.
o Report to the Academy data expert any form of intimidation for data from ‘higher level management’ and where the requester is ‘name dropping’ to give the appearance that they are authorised personnel.
Data Security Policy
o Verify with the Academy data expert any third-party authorisation before releasing any information.
o Immediately end any communication which they believe to be suspicious.
o Be cautious of popup windows, mail attachments and suspicious looking websites, such as those claiming to offer something for free.
o Treat information in the strictest confidence.
o Only share the information on a need-to-know basis.
1.2 When handling personal data, staff members will not:
o Share the information with an unauthorised individual.
o Release data where the requester’s identity cannot be verified.
o Share information which requires releasing information that will reveal passwords, serial numbers, financial data or confidential information.
o Open any emails which they believe to be suspicious.
o Use the Academy system to open or send chain letters, as well as spam or hoax emails.
o Enter their personal or sensitive data, such as their password, if someone is stood looking over their shoulder.
1.3 Before sharing data, all staff members will ensure:
o They are allowed to share it.
o That adequate security is in place to protect it.
o Who will receive the data has been outlined in a privacy notice to the data subject.
1.4 Third-party data processors are bound by the same data requirements as the Trust and, therefore, are expected to act in accordance with the processes and responsibilities outlined in this policy.
Retention and disposal of data
1.1 All data will be retained in line with the Trust’s Data Protection Policy and KNSTE’s Data Retention Policy, as well as the guidelines provided by the Information and Records Management Society.
1.2 The Trust will apply the principle that electronic data and document will be retained as if they were paper documents.
1.3 Where a piece of electronic data, such as an email, is required to be retained indefinitely, or retained beyond the designated retention
Data Security Policy
period, the data should be printed in hard copy and kept in the appropriate physical document file.
1.4 All hard copies of personal data will be shredded and disposed of once its purpose has been fulfilled.
1.5 Where it is not practical to segregate and manage specific data types uniquely, then a blanket seven year policy will be applied to all data with a prescribed retention period of six years or less.
Staff training and awareness
1.1 Each Academy Principal is responsible for ensuring that data related policies and procedures are effectively communicated to staff members.
1.2 Relevant staff members, such as administrative staff who regularly undertake data processing, will receive training on an annual basis and in regards to any changes in practice or policy.
1.3 All staff members will be made aware of the Trust’s data security arrangements as part of their induction training.
1.4 Staff members will undertake cyber-security awareness training as part of their induction training.
1.5 Staff members will receive up-to-date refresher training regarding cyber security and data protection measures on a regular basis.
1.6 In-house training will be provided in each Academy in regards to changes in law and policy, such as GDPR training. The Principal of each Academy is responsible for ensuring that this is undertaken within their establishment.
1.7 All staff members will be made aware of the different methods of social engineering which are most commonly used, including:
o Human-based
o Impersonation – this usually involves a social engineer pretending to be a Academy’s employee, board member or technical support in order to gain access to Academy-specific data, such as employee contact details. This can happen over the phone, in person or via email.
o Third-party authorisation – where a social engineer has obtained the name of someone in the Academy and says that they have been granted access to specific information.
Data Security Policy
o ‘Shoulder surfing’ – this is when someone is stood looking over an individual’s shoulder whilst they enter data, such as their personal details.
o Computer-based
o Popup windows – this is where a window will appear on the screen, saying something like the individual has lost their internet connection and must re-enter their details.
o Mail attachments – viruses can be hidden in email attachments. These are often given names to entice the individual or a long file name.
o Chain, spam and hoax emails – these types of email are often used to gain individual’s email addresses and can contain computer viruses.
1.8 Staff members will understand how to prevent and manage concerns for both computer-based and human-based social engineering.
Monitoring
1.1 The impact of this policy and the associated procedures will be monitored by the DPO.
1.2 Each Academy Principal and data expert is responsible for communicating any concerns in relation to data procedures to the DPO.
1.3 This policy will be reviewed and, where necessary, amended on an annual basis by the DPO, in liaison with Academy data experts.
1.4 Following the reporting of a data breach, the DPO and Academy’s data expert will review the security arrangements in place and amend as necessary to avoid recurrence of the breach and improve practice.
View the Associate Teacher Privacy Notice pdf HERE or see below.
Keele and North Staffordshire Teacher Education (‘KNSTE’) collects a lot of data and information about our Associate Teachers (‘ATs’) so that we can run our teacher training programme effectively. This privacy notice explains how and why we collect ATs’ data, what we do with it and what rights ATs have.
KNSTE is a school centred initial teacher training provider (SCITT) within the Shaw Education Trust (“the Trust”), a multi academy trust with numerous academies. The Trust is a charitable company limited by guarantee (registration number 09067175) whose registered office is The Lodge Wolstanton High, Milehouse Lane, Newcastle Under Lyme, Staffordshire, England, ST5 9JU. The Trust is the Data Controller for all the academies within the Trust and the SCITT.
The Data Protection Officer for the Trust is Natalie Kennedy, natalie.kennedy@shaweducation.
org.uk.
Why do we collect and use associate teacher information?
We collect and use associate teacher information under the following lawful bases:
a. where we have the consent of the data subject (Article 6 (a));
b. where it is necessary for compliance with a legal obligation (Article 6 (c));
c. where processing is necessary to protect the vital interests of the data subject or another
person (Article 6(d));
d. where it is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller (Article 6 (e).
Where the personal data we collect about ATs is sensitive personal data, we will only process it
where:
a. we have explicit consent;
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
and / or
c. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Please see our Data Protection Policy for a definition of sensitive personal data.
We use the AT data to fulfil our legal requirements and to support the application process and delivery and administration of the course, in part, but not limited to, the following:
a. to decide who to offer a place to on the course;
b. to support AT learning in connection with PGCE and QTS awards;
c. to monitor and report on AT progress;
d. to provide appropriate pastoral care;
e. to assess the quality of our services;
f. to comply with the law regarding data sharing;
g. for the protection and welfare of ATs and others in our partnership schools;
h. for the safe and orderly running of the programme;
i. to promote the SCITT;
j. in order to respond to investigations from our regulators or to respond to complaints raised by our stakeholders;
k. in connection with any legal proceedings threatened or commenced against the SCITT
The categories of Associate Teacher information that we collect, hold and share include:
a. Personal information (such as name, address, unique UCAS and SLC reference);
b. Characteristics (such as ethnicity, medical conditions, nationality, country of birth )
c. Attendance information (such as sessions attended, number of absences and absence
reasons)
d. Assignment and assessment point data
e. Safeguarding checks including those pertaining to childcare disqualification.
f. Referee statements
g. Photographs
This data may be obtained through requests for information including, but not limited to, the
following:
• Passport, National Insurance or driving licence
• Recent utility bill/bank statement/council tax bill (proof of address)
• Proof of your qualifications
• Completed DBS declaration
From time to time and in certain circumstances, we might also process personal data about ATs, some of which might be classed as “special categories” of more sensitive personal information.
For example, information about criminal proceedings/convictions is collected in respect of
determining an individual’s suitability to teach. Child protection/safeguarding information is routinely collected about ATs but is only likely to be processed by the SCITT in specific circumstances relating to particular ATs, for example, if a protection issue arises or if an AT is involved in a criminal matter. Where appropriate, such information may be shared with external agencies such as the child protection team at the Local Authority, the Local Authority Designated Officer and/or the Police. Such information will only be processed to the extent that it is lawful to do so and appropriate measures will be taken to keep the data secure.
In order to fulfil statutory duties in respect of determining your fitness to teach, we also collect medical information through the form of an Occupational Health medical check. We also collect information about disabilities through completion of a disclosure.
We collect information about ATs when they join the programme and update it during their time on the course as and when new information is acquired.
Collecting Associate Teacher information
Whilst the majority of AT information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain AT information to us or if you have a choice in this. Where appropriate, we will ask ATs for consent to process personal data where there is no other lawful basis for processing it, for example where we wish to use photos or images of ATs on our website or on social media to promote school activities, or if we want to ask your permission to use your information for marketing purposes. ATs may withdraw consent at any time.
In addition, some of our partner schools use CCTV cameras around their school site for security purposes and for the protection of staff, associate teachers and pupils. CCTV footage may be referred to during the course of disciplinary procedures (for staff or associate teachers) or to investigate other issues. CCTV footage involving associate teachers will only be processed to the extent that it is lawful to do so. Please see the CCTV policy implemented at the site you are located at for more details.
Storing Associate Teacher data
In most cases we hold AT data for six years after the completion of the programme. We may also keep it longer if this is necessary in order to comply with our legal obligations.
We have a data retention policy which sets out how long we must keep AT data for. Our retention policy is available on the KNSTE website.
A significant amount of personal data is stored electronically, for example, on our database. KNSTE uses a number of IT systems and servers, such as:
- Office 365 is a cloud based system provided by Microsoft. They have many servers all over the world; however, Microsoft are fully compliant with data protection requirements.
- A restricted area on an administration server located at Seabridge Primary School, Roe Lane Newcastle Staffs ST5 3PJ.
- Paragon, a fully managed and hosted cloud-based application providing a data management system, stored on servers run by Rackspace at one of their UK data centres. Data submitted to Paragon employs end-to-end encryption Data is not transferred outside of Europe without the Users express permission.
Data stored electronically may be saved on a cloud based system which may be hosted in a different country. Personal data may be transferred to other countries if, for example, we are arranging a trip to a different country. Appropriate steps will be taken to keep the data secure.
Any information stored electronically or in hard copy will be done so in accordance with the Data Protection Policy.
Who do we share Associate Teacher information with?
We routinely share associate teacher information with:
- the Department for Education (DfE);
- KNSTE Strategic Board
- our partner schools (see list below);
- the central team at the Trust;
- Keele University;
- Student Loan Company.
- Ofsted
Where appropriate, we share AT information with the following lead schools and their partner schools:
- Blackfriars Academy
- Hempstalls Primary School
- Seabridge Primary School
- St Mary’s Catholic Academy Norton
- Painsley Catholic College
- Potteries Teaching School Alliance
- Societas Multi Academy Trust
- Parkside Primary School
- City Learning Trust
- St Mary’s C of E (A) Primary School, Tunstall
- Thomas Alleyne’s Uttoxeter Learning Trust.
From time to time, we may also share AT information with other third parties including the following:
- the Police and law enforcement agencies;
- Occupational Health;
- Courts, if ordered to do so;
- the Department for Education (DfE);
- Prevent teams in accordance with the Prevent Duty on schools;
- our HR providers, for example, if we are seeking HR advice and an AT is involved in an issue;
- UCAS;
- I&I;
- external providers and session teachers;
- our legal advisors;
- our insurance providers/the Risk Protection Arrangement.
Some of the above organisations may also be Data Controllers in their own right in which case we will be jointly controllers of your personal data and may be jointly liable in the event of any data breaches.
In the event that we share personal data about ATs with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.
Why we share Associate Teacher information
We do not share information about our ATs with anyone without consent unless the law allows us to do so.
We share AT data with the Department for Education (DfE) on a statutory basis.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education (for example; via the ITT census) go to https://www.gov.uk/government/collections/ initial-teacher-training
The DfE has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data;
- the purpose for which it is required;
- the level and sensitivity of data requested; and
- the arrangements in place to store and handle the data.
To be granted access to AT information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the department’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
To contact DfE: https://www.gov.uk/contact-dfe
Associate Teacher Privacy Notice
Requesting access to your personal data
Under data protection legislation, ATs have the right to request access to information about them that we hold (“Subject Access Request”).
Subject to the section below, the legal timescales for the SCITT to respond to a Subject Access Request is one calendar month. As the SCITT has limited staff resources outside of term time, we encourage ATs to submit Subject Access Requests during term time and to avoid sending a request during periods when the SCITT is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see our Data Protection Policy.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the our data protection responsibilities.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact:
If you would like to discuss anything in this privacy notice, please contact:
Natalie Kennedy, DPO, via Natalie.kennedy@shaw-education.org.uk
View our Employee PrivacyNotice pdf HERE or see below.
What is the purpose of this document?
The Academy is committed to protecting the privacy and security of your personal information.
Keele and North Staffordshire Teacher Education (‘KNSTE’) is a School Centred Initial Teacher Training provider (‘SCITT’) within the Shaw Education Trust (“the Trust”), a multi academy trust with numerous academies. The Trust is a charitable company limited by guarantee (registration number 09067175) whose registered office is The Lodge Wolstanton High, Milehouse Lane, Newcastle under Lyme, Staffordshire, England, ST5 9JU. The Trust is the Data Controller for all the academies within the Trust.
This privacy notice describes how we collect and use personal information about you before, during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).
The Trust is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to current and former employees, seconded staff workers and contractors. This notice does not form part of any contract of employment or other type of contract to provide services. We may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
(a) Used lawfully, fairly and in a transparent way.
(b) Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
(c) Relevant to the purposes we have told you about and limited only to those purposes.
(d) Accurate and kept up to date.
(e) Kept only as long as necessary for the purposes we have told you about.
(f) Kept securely.
The type of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
We will collect, store, and use the following categories of personal information about you:
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
Date of birth
Gender
Marital status and dependants
Next of kin and emergency contact information
National Insurance number
Bank account details, payroll records and tax status information
Salary, annual leave, pension and benefits information
Teacher Reference Number
Start date
Location of employment or workplace
Copy of driving licence
Recruitment information (including copies of pre-vetting recruitment and identity checks (including, where appropriate, information about your employment history, Standard or Enhanced Disclosure and Barring Service Checks, Barred Lists Checks, prohibition checks [/section 128 checks] and disqualification checks, for example under the Childcare (Disqualification) Regulations 2009 and any further checks that are required if you have lived or worked outside the UK), your nationality and right to work documentation, references and other information included in a CV, application form or cover letter or as part of the application process)
Employment records (including job titles, work history, working hours, training records and professional memberships)
Compensation history
Performance information
Disciplinary and grievance information, including warnings issued to you]
CCTV footage and other information obtained through electronic means such as swipecard records
Information about your use of our information and communications systems]
Photographs
We may also collect, store and use the following “special categories” of more sensitive personal information:
Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
Trade union membership
Information about your health, including any medical condition, health and sickness records
Genetic information and biometric data
Information about your criminal record
How is your personal information collected?
We collect personal information about employees, workers and contactors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, the Local Authority or other background check agencies.
We will also collect additional personal information in the course of job-related activities throughout the period of you working for us.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
(a) Where we need to perform the contract we have entered into with you.
(b) Where we need to comply with a legal obligation.
We may also use your personal information in the following situations:
(c) Where we need to protect your interests (or someone else’s interests).
(d) Where it is needed in the public interest or for official purposes.
Situations in which we will use your personal information
We need all the categories of information in the list above primarily to allow us to perform our contract with you, to enable us to comply with legal obligations and/or where it is needed in the public interest or for official purposes. The situations in which we will process your personal information are listed below.
-
- Making a decision about your recruitment or appointment
- Determining the terms on which you work for us
- Checking you are legally entitled to work in the UK
- Checking the award of Qualified Teacher Status, completion of teacher induction and prohibitions, sanctions and restrictions that might prevent the individual from taking part in certain activities or working in specific positions via the Teacher Services Online platform
- To maintain our single central record and to comply with our general safeguarding obligations
- To provide information on our website about our employees
- Where appropriate, to disclose certain information in the Academy’s accounts in accordance with the Accounts direction
- Paying you and, if you are an employee, deducting tax and National Insurance contributions
- Liaising with your pension provider
- Administering the contract we have entered into with you
- In order to operate as a school, which may involve us sharing certain information about our staff with our stakeholders or processing correspondence or other documents, audits or reports which contain your personal data
- Business management and planning, including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about salary reviews and compensation
- Assessing qualifications for a particular job or task, including decisions about promotions
- Gathering evidence for possible grievance or disciplinary hearings
- Responding to complaints or investigations from stakeholders or our regulators
- Making decisions about your continued employment or engagement
- Making arrangements for the termination of our working relationship
- Providing references to prospective employers
- Education, training and development requirements
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Ascertaining your fitness to work
- Managing sickness absence
- Complying with health and safety obligations
- To prevent fraud
- To monitor your use of our information and communication systems to ensure compliance with our IT policies
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- To conduct data analytics studies to review and better understand employee retention and attrition rates
- In connection with the Transfer of Undertaking (Protection of Employment) Regulations 2006, for example, if a service is outsourced or in connection with an academy conversion.
- To maintain and promote equality in the workplace
- To receive advice from external advisors and consultants
- In appropriate circumstances to liaise with regulatory bodies, such as the NCTL, the Department for Education, the DBS and the Local Authority about your suitability to work in a school or in connection with other regulatory matters
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
In addition, some of our partner schools use CCTV cameras around their school site for security purposes and for the protection of staff and pupils. CCTV footage may be referred to during the course of disciplinary procedures (for staff, pupils or associate teachers) or to investigate other issues. CCTV footage involving staff will only be processed to the extent that it is lawful to do so. Please see the CCTV policy implemented at the site you are located at for more details.
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers) or we may be unable to discharge our obligations which may be in the public interest or for official purposes.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
“Special categories” of particularly sensitive personal information require us to ensure higher levels of data protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations and in line with our Data Protection Policy. Where it is needed in the public interest, such as for equal opportunities monitoring, or in relation to our occupational pension scheme, and in line with our Data Protection Policy.
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are, or where you have already made the information public.
Our obligations as an employer
We will use your particularly sensitive personal information in the following ways:
- We will use information relating to leaves of absence including the reasons for the leave, which may include sickness absence or family-related leave, sabbaticals, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to comply with the Equality Act 2010, to monitor and manage sickness absence and to administer benefits.
- We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- We will use trade union membership information to pay trade union subscriptions, register the status of a protected employee and to comply with employment law obligations.
Do we need your consent?
We do not need your consent if we use your particularly sensitive information in accordance with our written policy where processing is necessary:
- to carry out our legal obligations or exercise specific rights in the field of employment law;
- for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and we provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
In other circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract of employment with us that you agree to any request for consent from us.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.
Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We envisage that we will hold information about criminal convictions, for example, if information about criminal convictions comes to light as a result of our recruitment and Disclosure and Barring Service checks, or if information about criminal convictions comes to light during your employment with us.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such
Employee Privacy Notice
information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways:
- to meet safer recruitment requirements
- to fulfil our duties as an employer
- to fulfil safeguarding requirements
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration.
- Where it is necessary to meet our obligations under your employment contract and ensure that appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Data sharing
We may have to share your data with third parties, including third-party service providers and other organisations.
In particular, we may share your data with organisations including, but not limited to, the following:
-
- the Local Authority
- the Department for Education
- the Education & Skills Funding Agency
- the Disclosure and Barring Service
- the Teaching Regulation Agency
- the Teachers’ Pension Service
- the Local Government Pension Scheme which is administered by Staffordshire Pension Fund
- our external HR provider
- our external payroll provider
- Our IT Provider
- HMRC
- the Police or other law enforcement agencies
- our legal advisors
- insurance providers / Risk Protection Arrangement
Employee Privacy Notice
We require third parties to respect the security of your data and to treat it in accordance with the law. Some of the organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
Why might we share your personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you, where it is needed in the public interest or for official purposes, or where we have your consent.
Which third-party service providers process your personal information?
“Third parties” includes third-party service providers (including contractors and designated agents). The following activities are carried out by third-party service providers: payroll, pension administration, HR, benefits provision and administration, IT services.
Department for Education
We share personal data with the Department for Education (DfE) on a statutory basis. This data sharing underpins workforce policy monitoring, evaluation, and links to school funding / expenditure and the assessment educational attainment.
We are required to share information about our pupils with the Department for Education (DfE) under regulation 7 of the Education (Supply of Information about the School Workforce) (England) Regulations 2007 as amended.
DfE data collection requirements
The following is information provided by the DfE concerning the reason it collects data about school employees:
- The DfE collects and processes personal data relating to those employed by schools (including Multi Academy Trusts) and local authorities that work in state funded schools (including all maintained schools, all academies and free schools and all special schools including Pupil Referral Units and Alternative Provision). All state funded schools are required to make a census submission because it is a statutory return under sections 113 and 114 of the Education Act 2005.
- To find out more about the data collection requirements placed on us by the DfE including the data that we share with them, go to https://www.gov.uk/education/data- collection-and-censuses-for-schools.
The DfE may share information about school employees with third parties who promote the education or well-being of children or the effective deployment of school staff by:
- conducting research or analysis;
- producing statistics; and / or
- providing information, advice or guidance
The DfE has robust processes in place to ensure that the confidentiality of personal data is maintained and there are stringent controls in place regarding access to it and its use. Decisions on whether DfE releases personal data to third parties are subject to a strict approval process and based on a detailed assessment of:
- who is requesting the data;
- the purpose for which it is required;
- the level and sensitivity of data requested; and
Employee Privacy Notice
- the arrangements in place to securely store and handle the data
To be granted access to school workforce information, organisations must comply with the DfE’s strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
For more information about the DfE’s data sharing process, please visit: https://www.gov.uk/data-protection-how-we-collect-and-share-research-data To contact the department: https://www.gov.uk/contact-dfe
How secure is your information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share your personal information with other third parties, for example if there was a TUPE transfer of staff in future. We may also need to share your personal information with a regulator or to otherwise comply with the law.
From time to time, we may disclose your personal data in response to a request for information pursuant to the Freedom of Information Act 2000 or following a data subject access request. We may approach you for your consent but, in any event, we will only disclose your personal data if we are satisfied that it is reasonable to do so in all the circumstances. This means that we may refuse to disclose some or all of your personal data following receipt of such a request.
Transferring information outside the EU
Where necessary, we will transfer the personal information we collect about you outside the EU in order to perform our contract with you.
We may sometimes transfer your personal data outside of the EU if, for example, we are arranging a trip and we are booking transport, accommodation or activities. In these circumstances, we will obtain your consent for us to process your data in this way.
Data security
We have put in place measures to protect the security of your information. Details of these measures are available in our Data Security Policy.
Third parties who are processing personal data on our behalf will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the DPO.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Employee Privacy Notice
Data retention
How long will we use your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy which is available on the KNSTE website. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our Data Retention Policy and applicable laws and regulations.
Rights of access, correction, erasure, and restriction
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.
Employee Privacy Notice
The legal timescales for the school / trust to respond to a Subject Access Request is one calendar month. As the school/trust has limited staff resources outside of term time, we encourage local governor / trustees to submit Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see our Data Protection Policy.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Data protection officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact the DPO, Natalie Kennedy, on natalie.kennedy@shaw-education.org.uk
View the External Sessional Provider/Supplier Privacy Notice pdf HERE or see below.
External Sessional Provider/Supplier Privacy Notice
The Shaw Education Trust (“the Trust”) is committed to protecting the privacy and security of your personal information. The Trust is a charitable company limited by guarantee (registration number 09067175) whose registered office is The Lodge Wolstanton High, Milehouse Lane, Newcastle Under Lyme, Staffordshire, England, ST5 9JU. The Trust is the Data Controller for all the academies within the Trust.
Keele and North Staffordshire Teacher Education is a School Centred Initial Teacher Training Provider (SCITT). The Trust is the legal entity for the SCITT; therefore, for the purpose of this privacy notice, where there is a reference to the academies within the Trust the SCITT will also be included.
The Data Protection Officer for the Trust is Natalie Kennedy, who can be contacted at The Lodge, Wolstanton High, Milehouse Lane, Newcastle Under Lyme, Staffordshire, ST5 9JU or via email on: natalie.kennedy@shaw-education.org.uk
This privacy notice describes how we collect and use personal information about you before, during and after your relationship with us a supplier, in accordance with the General Data Protection Regulation (GDPR).
The Trust is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
The type of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
We will collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, addresses, telephone numbers, and personal email addresses
- Bank account details provided by you in order to make payment for goods/services supplied
External Sessional Provider/Supplier Privacy Notice
How is your personal information collected?
We collect personal information about suppliers at the point whereby you are requested by an Academy within The Shaw Education Trust to be set up as a supplier on our central Purchase Ledger. Contact is made with you by the Finance Team at The Shaw Education Trust to ensure that data stored about you is correct.
If by any means a request is made to The Shaw Education Trust to amend your data then you will be contacted again to ensure the data we have on your record is correct. If any of your personal data changes then it will be your responsibility to inform The Shaw Education Trust regarding these changes.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you
- Where we need to comply with a legal obligation
- Where we need to protect your interests (or someone else’s interests)
- Where it is needed in the public interest or for official purposes
Situations in which we will use your personal information
The situations in which we will process your personal information are listed below.
- Setting up an account on our central Purchase Ledger
- Making payment for supply of goods/services
- Dealing with any queries regarding Purchase Orders or payments due to you
- Business management, administrative and planning purposes, including accounting and auditing
- Responding to complaints or investigations from stakeholders or our regulators
- Sending you communications connected with your role as a supplier
- Complying with health and safety obligations
- Complying with safeguarding obligations
- To prevent fraud
- In appropriate circumstances to liaise with regulatory bodies, the Department for Education, the DBS and the Local Authority about your suitability to be a supplier or in connection with other regulatory matters
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
If you fail to provide personal information
If you fail to provide certain information when requested, we may be prevented from complying with our legal obligations or we may be unable to discharge our obligations which may be in the public interest or for official purposes.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an
External Sessional Provider/Supplier Privacy Notice
unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Data sharing
We may have to share your data with third parties, including third-party service providers and other organisations.
In particular, we may share your data with organisations including, but not limited to, the following:
- Finance system provider
- Banking provider
- HMRC
- the Local Authority
- the Department for Education
- the Education & Skills Funding Agency
- the Shaw Education Trust
- the Disclosure and Barring Service
- the Police or other law enforcement agencies
- our legal advisors / other external consultants
- insurance providers
We require third parties to respect the security of your data and to treat it in accordance with the law. Some of the organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.
Why might we share your personal information with third parties?
We will share your personal information with third parties where required by law, where it is needed in the public interest or for official purposes.
Which third-party service providers process your personal information?
“Third parties” includes third-party service providers (including contractors and designated agents). The following third-party service provider’s process personal information about you for the following purposes: finance system and banking provider to The Shaw Education Trust for the purposes of making BACS payments to you for goods/services supplied.
How secure is your information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share your personal information with other third parties, for example if there are changes to the Trust in future. We may also need to share your personal information with a regulator or to otherwise comply with the law.
External Sessional Provider/Supplier Privacy Notice
From time to time, we may disclose your personal data in response to a request for information pursuant to the Freedom of Information Act 2000 or following a data subject access request. We may approach you for your consent but, in any event, we will only disclose your personal data if we are satisfied that it is reasonable to do so in all the circumstances. This means that we may refuse to disclose some or all of your personal data following receipt of such a request.
Data security
We have put in place measures to protect the security of your information. Details of these measures are available upon request.
Third parties who are processing personal data on our behalf will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the DPO.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
DATA RETENTION:
How long will we use your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. Details of retention periods for your personal information are available in our Data Retention Policy which is available on the KNSTE website. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a supplier to the Trust we will retain and securely destroy your personal information in accordance with applicable laws and regulations.
RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION:
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes whilst you are a supplier of goods/services to the trust.
External Sessional Provider/Supplier Privacy Notice
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.
The legal timescales for the trust to respond to a Subject Access Request is one calendar month. As the trust has limited staff resources outside of term time, we encourage you to submit any Subject Access Requests during term time and to avoid sending a request during periods when the Trust is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. For further information about how we handle Subject Access Requests, please see our Data Protection Policy.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
External Sessional Provider/Supplier Privacy Notice
Data protection officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO Natalie Kennedy, The Lodge, Wolstanton High, Milehouse Lane, Newcastle Under Lyme, Staffordshire, ST5 9JU. Email: Natalie.kennedy@shaw-education.org.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact the Data Protection Officer.
View the Strategic Board Privacy Notice pdf HERE or see below.
The Shaw Education Trust (“the Trust”) is committed to protecting the privacy and security of your personal information. The Trust is a charitable company limited by guarantee (registration number 09067175) whose registered office is The Lodge Wolstanton High, Milehouse Lane, Newcastle Under Lyme, Staffordshire, England, ST5 9JU. The Trust is the Data Controller for all the academies within the Trust.
The Data Protection Officer for the Trust is Natalie Kennedy, natalie.kennedy@shaw- education.org.uk.
This privacy notice describes how we collect and use personal information about you before, during and after your relationship with us as an Academy Councillor or Trustee, in accordance with the General Data Protection Regulation (GDPR).
The Trust is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
For the purpose of this Privacy Notice, the terms ‘Academy Councillors’ and ‘Trustees’ is used in reference to the Keele and North Staffordshire Teacher Education’s (KNSTE) Strategic Board members.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
The type of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
We may collect, store, and use the following categories of personal information about you:
-
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Gender
- Occupation
- Start date
- Skills and experience
- Information acquired as part of your application to become a local governor or trustee (including copies of identity checks (including, where Standard or Enhanced Disclosure and Barring Service Checks, Barred Lists Checks, and disqualification checks,
Academy Councillors and Trustees
Privacy Notice
information about bankruptcy, references and other information included in a CV, application form or cover letter or as part of the application process)
- Information about pecuniary or business held by you or your family members
- Information about other posts held by you
- Information about your conduct
- CCTV footage and other information obtained through electronic means such as swipecard records
- Information about your use of our information and communications systems
- Photographs
We may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
- Information about your health, including any medical condition
- Information about your criminal records, fines and other similar judicial records
How is your personal information collected?
We collect personal information about Academy Councillors and Trustees through the application and recruitment process, either directly from individuals or sometimes from an external organisation such as SGOSS, Academy Ambassadors or the Local Authority.
We will also collect additional personal information in the course of local governor and trustee activities throughout the term of your appointment.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
(a) Where we need to comply with a legal obligation
- Where we need to protect your interests (or someone else’s interests)
- Where it is needed in the public interest or for official purposes
- Where we have your consent.
Situations in which we will use your personal information
The situations in which we will process your personal information are listed below.
-
- Making a decision about whether to appoint you as a local governor or trustee
- Dealing with any processes for the election of Academy Councillors
- Checking your suitability to be a local governor or trustee
- Complying with our general safeguarding obligations
- Providing information on our website about our Academy Councillors and Trustees
- Providing information on any online databases to set out our governance arrangements
- Communicating with stakeholders about the school / trust
- Delivering the school / trust’s services to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in our constitution and statutory framework
- Business management, administrative and planning purposes, including accounting and auditing
- Financial information such as expenses claimed
- Responding to complaints or investigations from stakeholders or our regulators
- Sending you communications connected with your role as a local governor or trustee
Academy Councillors and Trustees
Privacy Notice
- Making decisions about your continued appointment as a local governor or trustee
- Making arrangements for the termination of your appointment
- Education, training and development requirements
- For the purposes of carrying out governance reviews
- Dealing with legal disputes involving you or other stakeholders
- Complying with health and safety obligations
- For the purposes of keeping records about local governor or trustee decision-making processes, including copies of minutes, reports and other documentation
- Where you sit on a committee or a panel on a school or Trust matter we may process your name, opinions, comments and decisions attributed to you, for example, if you sit on a panel for the purposes of considering a complaint, exclusion or HR issue
- To prevent fraud
- To monitor your use of our information and communication systems to ensure compliance with our IT policies
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- To maintain and promote equality
- To receive advice from external advisors and consultants
- In appropriate circumstances to liaise with regulatory bodies, the Department for Education, the DBS and the Local Authority about your suitability to be a local governor or trustee or in connection with other regulatory matters
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
If you fail to provide personal information
If you fail to provide certain information when requested, we may be prevented from complying with our legal obligations (such as to discharge our safeguarding obligations) or we may be unable to discharge our obligations which may be in the public interest or for official purposes.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
“Special categories” of particularly sensitive personal information require us to ensure higher levels of data protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
-
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations and in line with our Data Protection Policy.
- Where it is needed in the public interest and in line with our Data Protection Policy.
Academy Councillors and Trustees
Privacy Notice
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Our obligations
We will use your particularly sensitive personal information in the following ways:
- We will hold information relating to sickness-related absence from your local governor or trustee commitments.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety and to provide appropriate adjustments to comply with the Equality Act 2010.
Do we need your consent?
We do not need your consent if we use your particularly sensitive information in accordance with our written policy where processing is necessary:
- for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, where we respect the essence of the right to data protection and where we provide for suitable and specific measures to safeguard your fundamental rights.
In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.
Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We envisage that we will hold information about criminal convictions, for example, if information about criminal convictions comes to light as a result of our appointment and Disclosure and Barring Service checks, or if information about criminal convictions comes to light during your time as a local governor or trustee.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
(a) Where we have notified you of the decision and given you 21 days to request a reconsideration.
Academy Councillors and Trustees
Privacy Notice
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Data sharing
We may have to share your data with third parties, including third-party service providers and other organisations.
In particular, we may share your data with organisations including, but not limited to, the following:
-
- the Local Authority
- the Department for Education
- the Education & Skills Funding Agency
- the Shaw Education Trust
- the Disclosure and Barring Service
- our external HR providers, for example, if you are involved in considering a disciplinary matter
- the Police or other law enforcement agencies
- our IT provider
- our legal advisors / other external consultants
- insurance providers
We require third parties to respect the security of your data and to treat it in accordance with the law. Some of the organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
Why might we share your personal information with third parties?
We will share your personal information with third parties where required by law, where it is needed in the public interest or for official purposes or where we have your consent.
Which third-party service providers process your personal information?
“Third parties” includes third-party service providers (including contractors and designated agents). The following activities are carried out by third-party service providers:
-
- personal data will be stored on a restricted area on an administration server located at Seabridge Primary School, Roe Lane.
Academy Councillors and Trustees
Privacy Notice
How secure is your information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share your personal information with other third parties, for example if there are changes to the Trust in future. We may also need to share your personal information with a regulator or to otherwise comply with the law.
From time to time, we may disclose your personal data in response to a request for information pursuant to the Freedom of Information Act 2000 or following a data subject access request. We may approach you for your consent but, in any event, we will only disclose your personal data if we are satisfied that it is reasonable to do so in all the circumstances. This means that we may refuse to disclose some or all of your personal data following receipt of such a request.
Data security
We have put in place measures to protect the security of your information. Details of these measures are available within our Data Security Policy.
Third parties who are processing personal data on our behalf will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the DPO.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data retention
How long will we use your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy which is available from the KNSTE website. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a local governor or trustee of the Trust we will retain and securely destroy your personal information in accordance with our Data Retention Policy and applicable laws and regulations.
Academy Councillors and Trustees
Privacy Notice
Rights of access, correction, erasure, and restriction
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your appointment as a trustee or local governor.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.
The legal timescales for the school / trust to respond to a Subject Access Request is one calendar month. As the school / trust has limited staff resources outside of term time, we encourage you to submit any Subject Access Requests during term time and to avoid sending a request during periods when the School is closed or is about to close for the holidays where possible. This will assist us in responding to your request as promptly as possible. [For further information about how we handle Subject Access Requests, please see our Data Protection Policy].
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Academy Councillors and Trustees
Privacy Notice
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the DPO. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Data protection officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO, Natalie Kennedy, via natalie.kennedy@shaw- education.org.uk. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact the DPO, Natalie Kennedy, on natalie.kennedy@shaw-education.org.uk