General Data Protection Regulations (GDPR)
The General Data Protection Regulations(GDPR) is a European Directive that was brought into UK law as part of the updated Data Protection Act for May 2018.
The Data Protection Act 1998 was replaced with the Data Protection Act 2018(DPA).
The UK GDPR and new DPA exist to look after individual’s data. It is a series of safeguards for every individual. Information about individuals needs to be treated with respect and be secure.
The UK GDPR exists to protect individual rights in an increasingly digital world.
To understand how the school collects and uses data please read the Privacy Notice. For clarity regarding your rights to data collection then please read below.
Data Protection and the UK GDPR – My Rights
In a school setting, personal data is stored and used for a variety of reasons. You may be a parent, carer, pupil, staff member, governor, visitor or anyone else who the school store data about. There are a number of categories of people, and many different types of data that is used in schools on a daily basis.
Whilst Privacy Notices set out details about why data may be collected, stored and used, there are some overriding principles that apply to every person (the Data Subject) when a school stores data. As Data Subjects, sometimes our consent is necessary for a school to process data about us. That might relate to photographs in school, reports in local press or similar. Consent is dealt with in the separate parts of the policy and can be accessed on the website or through the school office.
There are other occasions when data about us or our children may be used by the school to fulfil a legal obligation, a contract or some other lawful usage.
We all have other rights.
- The right to rectification. Where data held about us is inaccurate, we have a right to apply for it to be amended and put right. This has to be done within one month, or within three months if it was complex. To do this we have to contact the data compliance manager within school, or the data protection officer. We have a right to complain if this is not done.
- The right of access. This is a subject access request and is dealt with in more detail as part of the data protection policy. In essence, we have a right to see information about us that is classed as “personal data”. There is a separate process for us to make this request within school, and the school may ask us to clarify or be more specific about what kind of data we are asking for if there is a lot of it. Again, there is a one month timeframe for this that can be extended for three months in complex cases.
- We have a right to erasure. This means that in certain circumstances we can ask for data about us to be permanently deleted. However, this can be limited if the data needs to be kept for some official or lawful purpose. The right to erasure sometimes occurs if we withdraw consent to a process.
- We sometimes have the right to restrict processing. If we believe that data is inaccurate, and we have asked for it to be erased, we can ask the data processor and controller to stop any processing until the investigation into erasure or amendment has taken place.
- There is also the right to data portability, this has little bearing in the school setting. Transfer of data for pupils is regulated by guidance from the Department for Education. Data about staff is part of HMRC contractual obligations. Data portability would usually apply to things like utility companies or bank accounts.
- Individuals also have the right to object to personal data being used for marketing. Again, in the school setting this is likely to be very limited as the only marketing tends to be limited to school fetes, fairs and plays. Schools and academy trusts should not be sharing data with commercial third party entities to enable direct marketing of individuals. If this was the case, then an individual could object and ensure that the data was no longer used for that purpose.
- As individuals we also have the right to ask that decisions are made about us on the basis of our data, rather than by an automated process. Again, any application of this in schools would be extremely limited. This tends to be regarding situations such as reference agency checks for loans and mortgages for example.
These rights are important and sit alongside the school’s legal obligations to manage our data properly.
Please also see the Privacy Notices and Data Protection Policy.
If you feel that any of the Rights set out here are not being managed properly, or if that information held of our files is inaccurate or should not be there or should be changed or amended, please do let us know.
Please write to us providing as much detail as you can about why you think we have got something wrong, or why we are holding information that we should not be keeping, it makes the process much simpler for you.
We will respond within 28 days of receiving the form, and we will give our reasons in writing for any decision we make.
When you get the decision you can accept it, and you need do nothing more. You can ask for a review by us and our Data Protection Officer, you can complain using our policy if you feel that we have not acted properly or you can make a referral to the Information Commissioner – whose details are found at https://ico.org.uk/ or by phone 0303 123 1113
Our Data Protection Officer details are found below:
J A Walker, 6 Delamore Park, Cornwood, Ivybridge, PL21 9QP
For GDPR specific policies please click the link to the EMBARK Trust Website to view the Trust's approach to GDPR.
Should you wish to request paper copies or further details with reference to GDPR please contact the school's Data Compliance lead, Mrs P Walters, via the school office.