UK GDPR
Data plays a key role at Gayton: we collect and hold personal information relating to our pupils and may also receive information about them from their previous school, local authority and/or the Department for Education (DfE). We use this personal data to:
- support our pupils’ learning
- monitor and report on their progress
- provide appropriate pastoral care; and
- assess the quality of our services.
The new data protection legislation that came into effect in May 2018 provides an opportunity to refresh our policies and procedures relating to the safeguarding of data.
Data Protection Policy
Click here to view our Data Protection Policy. This outlines all key personnel and key procedures that we follow to comply with UK GDPR.
Data Protection and the UK GDPR – My Rights
In a school setting, personal data is stored and used for a variety of reasons. You may be a parent, carer, pupil, staff member, governor, visitor or anyone else who the school store data about. There are a number of categories of people, and many different types of data that is used in schools on a daily basis.
Whilst Privacy Notices set out details about why data may be collected, stored and used, there are some overriding principles that apply to every person (the Data Subject) when a school stores data. As Data Subjects, sometimes our consent is necessary for a school to process data about us. That might relate to photographs in school, reports in local press or similar. Consent is dealt with in the separate parts of the policy and can be accessed on the website or through the school office.
There are other occasions when data about us or our children may be used by the school to fulfil a legal obligation, a contract or some other lawful usage.
We all have other rights.
- The right to rectification. Where data held about us is inaccurate, we have a right to apply for it to be amended and put right. This has to be done within one month, or within three months if it was complex. To do this we have to contact the data compliance manager within school, or the data protection officer. We have a right to complain if this is not done.
- The right of access. This is a subject access request and is dealt with in more detail as part of the data protection policy. In essence, we have a right to see information about us that is classed as “personal data”. There is a separate process for us to make this request within school, and the school may ask us to clarify or be more specific about what kind of data we are asking for if there is a lot of it. Again, there is a one month timeframe for this that can be extended for three months in complex cases.
- We have a right to erasure. This means that in certain circumstances we can ask for data about us to be permanently deleted. However, this can be limited if the data needs to be kept for some official or lawful purpose. The right to erasure sometimes occurs if we withdraw consent to a process.
- We sometimes have the right to restrict processing. If we believe that data is inaccurate, and we have asked for it to be erased, we can ask the data processor and controller to stop any processing until the investigation into erasure or amendment has taken place.
- There is also the right to data portability, this has little bearing in the school setting. Transfer of data for pupils is regulated by guidance from the Department for Education. Data about staff is part of HMRC contractual obligations. Data portability would usually apply to things like utility companies or bank accounts.
- Individuals also have the right to object to personal data being used for marketing. Again, in the school setting this is likely to be very limited as the only marketing tends to be limited to school fetes, fairs and plays. Schools and academy trusts should not be sharing data with commercial third party entities to enable direct marketing of individuals. If this was the case, then an individual could object and ensure that the data was no longer used for that purpose.
- As individuals we also have the right to ask that decisions are made about us on the basis of our data, rather than by an automated process. Again, any application of this in schools would be extremely limited. This tends to be regarding situations such as reference agency checks for loans and mortgages for example.
These rights are important and sit alongside the school or trust’s legal obligations to manage our data properly.
Please also see the Privacy Notices and Data Protection Policy.
If you feel that any of the Rights set out here are not being managed properly, or if that information held of our files is inaccurate or should not be there or should be changed or amended, please do let us know.
There is a form to complete at the end of this document. By providing us with as much detail as you can about why you think we have got something wrong, or why we are holding information that we should not be keeping, it makes the process much simpler for you.
We will respond within 28 days of receiving the form, and we will give our reasons in writing for any decision we make.
When you get the decision you can accept it, and you need do nothing more. You can ask for a review by us and our Data Protection Officer, you can complain using our policy if you feel that we have not acted properly or you can make a referral to the Information Commissioner – whose details are found at https://ico.org.uk/ or by phone 0303 123 1113
Please use this form if you consider that your personal data, or that of a child for who you hold parental responsibility, is not being correctly stored, processed, used or shared. It may be necessary to confirm your identity. You have a right to request details of how personal data is used or not used, if you feel that it should be erased or deleted, if you think that the details and data held is wrong or if it should not have been collected in the first place.
