General Data Protection Regulations
The Kingsmead school governing body which includes Mrs Rutter-Brown, take your data seriously and ensure that our school is compliant and handles data in accordance with GDPR guidance. We have appointed a Data Protection Officer, Martin Waters who undertakes the role for many schools in Cheshire West and Chester. Mrs Sam Taylor, our School Business Manager, is the Data Protection Lead here in school. Compliance has been and is achieved through: a full data audit; the generation of new policies (our Data Protection and Freedom of Information Policy was updated in Summer 2018) including child friendly policies and amendments to existing policies; staff training, and challenge and support from governors.
The GDPR is designed to strengthen the safety and security of all data held within an organisation, and make sure procedures are consistent. It focuses on the privacy rights of individuals and the idea that everyone should know what data is held about them and how it is used.
Why is it important? GDPR has required many changes to existing data protection rules and regulations that schools adhere to – including policies.
Main new elements of GDPR
Accountability – schools must prove their compliance with data protection principles by having effective policies and procedures in place.
Privacy – new information must be included in privacy notices, e.g. legal basis for processing data, retention periods, rights to complain to the Information Commissioner's Office (ICO). This information must be in a concise, clear and easy-to-understand language.
Individuals' rights – a new right to 'data portability' means data must be provided in a commonly used, electronic format. Other rights under the GDPR include: subject access requests; to have inaccuracies corrected; to have information erased; to prevent direct marketing; and data portability.
Subject access – there's a reduced time frame to comply with subject access requests (SARs) – from 40 days to 1 month. To refuse requests you must have policies and procedures in place to show the refusal meets the criteria. Unfounded or excessive SARs can be charged or refused. Additional information is needed for those making SARs, including retention periods and the right to have inaccurate data corrected.
Legal basis – schools' legal basis for processing personal data must be explained in privacy notices.
Consent – data controllers must demonstrate that, where necessary, consent was given, and it has to be a positive indication of agreement to personal data being processed.
Children – special protection is given for children's personal data – consent is needed from a parent to process this data, unless the child is over the age of 13, in that case they are able to provide their own consent in certain circumstances. Privacy notices must be written in a language that can be understood by children.
Data breaches – a breach notification duty is applied to all schools, and those that are likely to cause damage, e.g. identity theft, have to be reported to the ICO within 72 hours – failure to do so can result in a fine.
Data protection impact assessment – this will be carried out when using new technologies, and the processing is likely to result in a high risk to the rights and freedoms of individuals.
Data protection officer (DPO) – schools are required to appoint a DPO.
Google Education and Gmail for education
We use Google Education as the platform for our website and Google classrooms. You can find out more about their security here. With Google classrooms, teachers can message the whole school, a class, group or individual child. So if you see a message for you child only, it cannot be seen by others and is private. This is why we share reports through Google classroom, they are linked straight to you child's unique log on and it reduces the risk of a data breach though insecure email.
Our school email accounts which all end @kingsmead.cheshire.sch.uk are Google Mail for Education accounts. This means they are more secure than a normal gmail account you can set up at home and can be used for some personal or sensitive information to other secure email addresses. Secure addresses might be to a Local Authority address or the nhs or police all of which are GDPR compliant and secure. We also use Egress for personal and sensitive data.
We use CPOMS for recording any safeguarding, behaviour, safety and child protection records. CPOMS enables the safe sharing of information for lawful and legitimate purposes and is widely used with schools. CPOMS reduces risk of information shared in error and works through the schools information management system (Arbor) and is used by partner primary and high schools with whom information may be passed between.