Data Protection Policy

September 6, 2015

Introduction

We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.

This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

 

Definitions

 

Business purposes The purposes for which personal data may be used by us:

 

Personnel, administrative, financial, regulatory, payroll and business development purposes.  

Business purposes include the following:

    Compliance with our legal, regulatory and corporate governance obligations and good practice. For example, our obligations for processing data in relation to staff pension schemes.

    Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests. For example, fulfilling a request for information in the course of personal injury claim against the school.

    Ensuring business policies are adhered to (such as policies covering email and internet use). For example, the use of privacy notices and email disclaimers to all.

    Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, For example, Ashbourne has a regulatory requirement to carry out disclosure barring service checks on all newly recruited staff.

–       Investigating complaints.  

    Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments

–   Monitoring staff conduct, disciplinary matters

–   Marketing our School

–   Improving services

Personal data Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.

 

Personal data we gather on students  may include:

 

  • Personal details: this includes name, date of birth, address, qualifications, next of kin (and places of work, if relevant), telephone numbers plus a photograph.
  • Details concerning health – for instance whether they are diabetic, suffer from asthma etc.
  • Details of any disabilities which might have an impact on your academic study e.g. dyslexia.
  • Details about academic performance, expected and actual results, references and attendance.  
  • A copy of the  student contract Copies of any other related agreements – e.g. use of IT, permission to attend trips.
  • Details of any meetings held with family/and or external agencies.
  • Details of any change of course taken.  
  • Details of any certificates/assessments held concerning academic progress, e.g. reports, referrals.  
  • Personal details required for examination entries and any other communications with examination boards.
  • Details of any disciplinary meetings held with members of staff.

 

The following information is held by the college on staff:

  • Personal details: name, address, date of birth, qualifications, next of kin.  
  • Details of physical and/or mental health: details about specific conditions individuals may suffer from, such as asthma or diabetes;
  • information about sickness absences and any medical reports we may have received.  
  • Details about work performance, including notes of observation sessions, appraisals, and staff development.
  • Personal information: details about start date, pension and pay details, any current disciplinary or grievance matters, any deductions from salary or any loans.  
  • Details about any criminal record.
  •  References produced by the college.

 

Sensitive personal data Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.

In this document the phrase ‘data processing’ means almost anything to do with information accordance with the Data Protection Act, Ashbourne ensures that personal information stored by the College is fairly and lawfully processed

Scope

This policy applies to all staff who must be familiar with this policy and comply with its terms.This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time.  Staff will be notified of changes.

The Data Protection Principles

Ashbourne  sets this policy in the spirit of the Data Protection Principles; set out by legislation and expressed below:

  1. Data must be processed fairly and lawfully.
  2. Data should be obtained only for one or more specified and lawful purposes
  3. Personal data held shall be adequate, relevant, and not excessive.
  4. Data should be accurate and up to date.
  5. Data should be held no longer than for the purpose it was originally collected.
  6. Data should be processed in accordance with the data subject’s rights under the Act.
  7. Data should be secured.
  8. Data should only be transferred to other countries if they have suitable or equivalent security measures.

 

Ashbourne College ensures that we process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.

Who is responsible for this policy?

The Principal Michael Kirby is the Data Controller (Data Protection Officer)  and as such is the person who is responsible for the processing of data. The Data Controller must ensure that data processing is done within the Act and determines the purposes for which the data will be used and implement this policy on a day to day basis.

The  Data Controller/ Data Protection Officer’s responsibilities:

  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and policies on a regular basis.
  • Arranging data protection training and advice for all staff members and those included in this policy.
  • Answering questions on data protection from staff, board members and other stakeholders .
  • Responding to individuals, such as Parents/ Guardians, Students and employees who wish to know which data is being held on them by the College.
  • Checking and approving with third parties that handle the company’s data any contracts or agreement regarding data processing.

 

Responsibilities of the IT Manager:

  • Ensure all systems, services, software and equipment meet acceptable security standards.
  • Checking and scanning security hardware and software regularly to ensure it is functioning properly.
  • Researching third-party services, such as cloud services the company is considering using to store or process data.

 

Responsibilities of the Marketing Manager:

  • Approving data protection statements attached to emails and other marketing copy
  • Addressing data protection queries from Parents/ Guardians, Students, prospective employees, target audiences or media outlets
  • Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy

 

Ashbourne Procedure

The processing of all data:

Ashbourne shall always have a legitimate reason for the collecting and storing of data (for example to provide information to the Department of Education’s annual census) and will always ensure that the processing of data has no adverse effect on any individual. It will be transparent in processing data and where appropriate inform individuals through a ‘privacy notice’ that their personal information is being processed.

 

The processing of all data must be:

  • Necessary to deliver our services
  • In our legitimate interests and not unduly prejudice the individual’s privacy
  • In most cases this provision will apply to routine School data processing activities.

Privacy Notice

Ashbourne’s terms of business contains a Privacy Notice to students, staff, contractors and all other individuals dealing with the college on data protection.

The notice:

  • Sets out the purposes for which we hold personal data on students  and employees
  • Highlights that our work may require us to give information to third parties such as professional advisers and external agencies.
  • Provides that students have a right of access to the personal data that we hold about them.

The privacy notice can be found on Ashbourne’s website.

 

Sensitive personal data

In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work/ Safeguarding etc). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

 

Sometimes it is necessary to process information about a person’s criminal convictions, race and gender and family details. This may be to ensure that Ashbourne is a safe place for everyone, or to operate other policies, such as the Equality and Diversity Policy and Safeguarding. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes or disabilities. The College will only use the information for the protection of the health and safety of the individual, but will need consent to process this information, for example in the event of a medical emergency. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason.

 

Conditions for processing personal data

Before data may be processed one of the following conditions must be met:

  1. the individual (data subject) has given their consent
  2. the processing is necessary in relation to a contract
  3. the processing is necessary because of a legal obligation
  4. the processing is necessary to protect the individual’s vital interests
  5. the processing is necessary for the administration of justice or other statutory functions
  6. any other legitimate interest

 

Conditions for processing sensitive personal data

Because such information might be used in a discriminatory way, these are more stringent and must include one of the following conditions:

  1. the individual has given consent
  2. the processing is required by employment law
  3. the processing is necessary to protect the vital interests of the individual or third part
  4. the individual has made the information public
  5. the processing is necessary for statutory reasons
  6. the processing is carried out with a third party who is bound by a professional code of conduct (a doctor for example)
  7. the processing is required to monitor equal opportunities
  8. the processing is necessary to prevent crime or protect the public.

 

Exemptions

Generally all personal data collected and processed will be subject to the Data Protection Act. However, some exemptions apply For example, Ashbourne on occasions will ask for references ( a confidential reference given by the College to a third party regarding, education, employment/training, appointment to a public office, a service being provided by the data subject etc)  will remain confidential and is exempt from the requirements of the Act. References we have received and kept on file are not exempt. We must, however, ensure that the rights of the referee are considered. Information about the individual referee should not be disclosed without explicit consent (anonymising the information is acceptable). The college cannot refuse to disclose confidential references without providing reasons. Crime and taxation – personal data may have to be disclosed to government departments or the Police. Data will only be released on the basis of properly drawn up requests. Vital interests – personal data may be released if it is in the vital interests of the individual e.g. a medical emergency. Under 19 students – the College will normally release information about a student’s progress and attendance to parents or guardians of students under 19 years of age on the previous 31st August.

 

Accuracy and relevance

Ashbourne will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO, Principal Mike Kirby.

 

Your personal data

Employees and students  must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Officer so that they can update your records. Examples of the type of data Ashbourne may process are set out above in the section titled “ Definitions, Personal Data”.

 

Data security

All members of the Ashbourne community must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations. For example, payment of pensions and salaries are outsourced to third parties.

 

Storing data securely

In cases when data is stored on printed paper, it is kept in a secure place where unauthorised personnel cannot access it. Printed data is shredded when it is no longer needed. Data stored on a computer is protected by strong passwords that are changed regularly. All staff  and students use a password manager to create and store their passwords.

 

Data stored on CDs or memory sticks must be locked away securely when they are not being used.

 

The DPO must approve any cloud used to store data.

 

Servers containing personal data must be kept in a secure location, away from general office space.

 

Data should be regularly backed up in line with  Ashbourne’s backup procedures.

 

Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.

All servers containing sensitive data must be approved and protected by security software and strong firewall.

 

We store all sensitive personal information securely either in locked filing cabinets or in computer files which are password protected.

Our computer network system is protected by a robust firewall which is monitored by both our premises manager, Mr F Carpene, as well as an external supplier, BTA.

All admin and teaching staff are trained about the proper use of personal data. For example, they only communicate with clients and persons related to clients through authorized channels. They must properly annotate and store all such communication. They must report all breaches of data security to the Data Controller. They are aware that they may be subject to criminal proceedings should they deliberately try to access or disclose without authority

They are aware of the threat posed by ‘phishing’ emails and hackers.

Although rarely used we ensure that fax transmissions of sensitive data are double checked to ensure the correct telephone number. We should ensure that we are confident of the receiver’s identity and that the receiver is standing by their fax machine. We use cover sheets for all fax transmissions and where appropriate seek other modes of transmission.

Before we dispose of any computer equipment we ensure that there is no data stored within the equipment. The college is committed to keeping our security systems and security software systems up-to-date and has suffered no major incidents at the time of writing this policy.

All staff are aware of the importance of checking credentials.

The premises manager is responsible for maintaining security of access, maintaining security of data and physical protection of data on  our premises.  This includes:

  • The proper training of all staff about authorized entry to the building
  • Maintenance of our keypad security entry systems
  • The proper admission procedure for all guests to the college
  • The maintenance of our CCTV system
  • Fire Safety

Breaches of security

Ashbourne takes breaches of security seriously. Examples of potential breaches of security can be caused by a number of factors. Some examples are:

– Loss or theft of pupil, staff data and/ or equipment on which data is stored;

– Inappropriate access controls allowing unauthorised use;

–  Equipment Failure;

– Human Error;

–  Unforeseen circumstances such as fire or flood;

–  Hacking;

–  ‘Blagging’ offences where information is obtained by deception.

Ashbourne  aims to carry out the following procedure to mitigate such circumstances:

  1. have a data recovery plan
  2. proper assessment of risks
  3. notify all related parties such as the ICO, relevant data subjects, the police, banks
  4. institute a proper procedure of evaluation and response
  5. protocol in relation to breach of security is  regularly updated.
  6. The computer databases are password-protected.

 

See Appendix 1 for full Breach of Security Procedure.

 

Data retention

Ashbourne retains personal data for no longer than is necessary for the purpose for which it was collected. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines ( See Appendix 2) .

 

Transferring data internationally

 

There are restrictions on international transfers of personal data which Ashbourne abides by.  Staff and Students are made aware that they must not transfer personal data anywhere outside the UK without first consulting the Data Protection Officer.

 

Subject access requests

Ashbourne is aware under the Data Protection Act 1998, individuals are entitled, subject to certain exceptions, to request access to information held about them.

 

Staff who receive a subject access request  should refer that request immediately to the DPO whom may ask you to help us comply with those requests.

 

Staff and Students may contact the Data Protection Officer if they would like to correct or request information that Ashbourne hold about them. There are also restrictions on the information to which individuals are entitled under applicable law.

 

Processing data in accordance with the individual’s rights

Information must be processed consistent with the rights of individuals with regard to processing personal data. These rights include:

a. A right to a copy of all processed information; in this case the individual will make a ‘subject access request’. We understand that information about our students belongs to them so any request for information by a related third party may only be granted with the consent of the student.

 

This provision is subject to:

  1. The student’s maturity
  2. The nature of the personal data
  3.  Any court orders
  4. Our duty of confidence to the child
  5. The consequences of disclosing the information especially in cases of suspected abuse
  6. Any detriment to the student should the third party not have access to the information
  7. The views of the student.

A request for information which involves others may be declined unless the other’s consent.

b. A right to object to the processing of information. Any such objection must be provided in proper written form and, depending on circumstances defined by the Act, may not always be granted.

c. In certain circumstances a right to have inaccurate information rectified, blocked, erased or destroyed

d. right to claim compensation.

e.A right not to participate in any direct marketing.

f. Secure.

 

Marketing

Ashbourne will not send direct marketing material to someone electronically (e.g. via email) unless we have an existing business relationship with them in relation to the services being marketed or an understanding that parties have given consent.

 

All members of the Ashbourne community will contact the  Data Protection Officer for advice on direct marketing before starting any new direct marketing activity.

 

 

Training

All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through an in-house seminar on a regular basis. It will cover:

  • The law relating to data protection
  • Our data protection and related policies and procedures.

 

Completion of training is compulsory.

It is our policy to develop an understanding of the rights of individuals under the Data Protection Act through internal programmes as well as with training of all teachers and admin staff. Topics would include: What is personal data? How may personal data be used? How should you keep personal data safe? What rights do you have with regard to processing personal data?etc.

 

Other types of Data not covered by the act.

This is data that does not identify a living individual and therefore is not covered by the remit of the DPA; this may fall under other access to information procedures.  This would include:

  • Plans (where no individual pupil is named),
  • Teaching Resources,
  • Other information about the college which does not relate to an individual.

 

Some of this data would be available publically (for instance the diary for the forthcoming year), and some of this may need to be protected by the college. For example, if the Ashbourne has written a detailed scheme of work that it wishes to sell to other colleges).  Ashbourne may choose to protect some data in this category but there is no legal requirement to do so.

 

General Data Protection Regulation (GDPR provisions)

Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.

Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data is important for Ashbourne.  The following are details on how we collect data and what we will do with it:

 

What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
Identity and contact details of any data controllers
Details of transfers to third country and safeguards
Retention period

 

Conditions for processing

Ashbourne will ensure that  any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

 

Justification for  holding personal personal data

Ashbourne will process personal data in compliance with all eight data protection principles as stated in this policy.

 

Ashbourne will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.

Consent

The data that Ashbourne collects  is subject to active consent by the data subject. This consent can be revoked at any time.  However, Ashbourne reserves the right to process data where consent may not be obtained in line with competing statutory duties; for example in accordance with Ashbourne’s duty of care in relation to safeguarding; see Safeguarding Policy and Procedure a nd exemptions  clause above.

Criminal record checks

Any criminal record checks are justified by law as an education provider.

 

Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Privacy by design and default

Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The Data Protection Officor will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

 

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

International data transfers

No data may be transferred outside of the EEA without first discussing it with the Data Protection Officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.

 

Data audit and register

Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

 

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary
  • Maintain a register of compliance failures
  • Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

 

Monitoring

All Students and staff must observe this policy. The Data Protection Officer  has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.

 

All staff and students are responsible for the following:

  • Checking that any information that they provide to the Ashbourne in connection with their employment is accurate and up to date  informing the college of any changes to or errors in information, which they have provided, i.e. changes of address.
  • They must ensure that changes of address, etc are notified to the admin staff. The college cannot be held responsible for any such errors unless the staff member or student has informed the Ashbourne of them.
  • If and when, as part of their responsibilities, staff collect information about other people, for example, about students’ coursework, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with this policy.

 

Consequences of failing to comply

Ashbourne takes compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.

 

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.

 

Surveillance

Ashbourne  acknowledges its data protection Obligations in relation to CCTV.  It adopts, where applicable the ICO’s code of practise as found at the following link : https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf

 

This section also serves as a notice and a guide to data subjects (including pupils, parents, staff, volunteers, visitors to the School and members of the public) regarding their rights in relation to personal data recorded via the CCTV system.

 

All fixed cameras are in plain sight on  premises and Ashbourne does not routinely use CCTV for covert monitoring or monitoring of private property outside the  college.

 

Data captured for the purposes below will not be used for any commercial purpose.

 

Objectives of the System :

  • To protect pupils, staff, volunteers, visitors and members of the public with regard to their personal safety.
  • To protect the School buildings and equipment, and the personal property of pupils, staff, volunteers, visitors and members of the public.
  • To support the police in preventing and detecting crime, and assist in the identification and apprehension of offenders.
  • To monitor the security of the site.
  • To monitor staff and contractors when carrying out work duties.
  • To promote good behaviour of students.

 

Locations have been selected that the college reasonably believes require monitoring to address the stated objectives.

 

Warning signs are placed in prominent positions to inform anyone entering the area, such as pupils, staff, volunteers, visitors and members of the public that they are entering a monitored area, identifying the college as the Data Controller and giving contact details for further information regarding the system.

 

No images will be captured from areas in which individuals would have a heightened expectation of privacy, including changing and washroom facilities.

 

Maintenance

The CCTV system will be operational 24 hours a day, every day of the year.

 

The System Manager (defined below) will check and confirm that the system is properly recording and that cameras are functioning correctly, on a regular basis.

 

The system will be checked and (to the extent necessary) serviced, annually.

 

Supervision of the System

Staff authorised by Ashbournel to conduct routine supervision of the System may include:

 

Images will be viewed and/or monitored in a suitable environment where it is unlikely they will be accessed or inadvertently viewed by unauthorised persons.

 

Storage of Data

The system is administered and managed by Ashbourne, who will act as the Data Controller. The day-to-day management of images will be the responsibility of the IT Services Manager who will act as the System Manager, or such suitable person as the System Manager.

 

Images will be stored for two weeks, and automatically over-written unless Ashbourne considers it reasonably necessary for the pursuit of the objectives outlined above, or if lawfully required by an appropriate third party such as the police or local authority.

 

Where such data is retained, it will be retained in accordance with the Act and our Data Protection Policy. Information including the date, time and length of the recording, as well as the locations covered and groups or individuals recorded, will be recorded in the system log book.

 

Access to Images

Access to stored CCTV images will only be given to authorised persons, under the supervision of the System Manager, in pursuance of the above objectives (or if there is some other overriding and lawful reason to grant such access).

 

The System Manager must satisfy themselves of the identity of any person wishing to view stored images or access the system and the legitimacy of the request. The following are examples when the System Manager may authorise access to CCTV images:

 

  • Where required to do so by the  Principal, the Police or some relevant statutory authority and in accordance with the law;
  • To make a report regarding suspected criminal behaviour;
  • To enable the Designated Safeguarding Lead or his/her appointed deputy to examine behaviour which may give rise to any reasonable safeguarding concern;
  • To assist the School in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the School’s management of a particular incident;
  • To data subjects (or their legal representatives) pursuant to an access request under the Act provided that the time, date and location of the recordings is furnished to the School (see the Data Protection Policy); 6.2.6 To the School’s insurance company where required in order to pursue a claim for damage done to insured property;
  • In any other circumstances required under law or regulation.

 

Where images are disclosed aforementioned above a record will be made in the system log including the person viewing the images, the time of access, the reason for viewing the images, the details of images viewed and a crime incident number (if applicable).

 

Where images are provided to third parties  above, wherever practicable steps will be taken to obscure images of non-relevant individuals.

 

 

 

Other CCTV systems

Ashbourne may be provided by third parties with CCTV images and will manage these in accordance with the college’s  own Data Protection policy and/or Behaviour policy.

For example, many pupils travel on coaches provided by third party contractors and a number of these coaches are equipped with CCTV systems. Ashbourne  may use these in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the college’s  management of a particular incident.  Parents are informed of this as part of the Coach Service Registration document, to which they agree when registering their son or daughter for the coach service.

 

Complaints

Any complaints in relation to the School’s CCTV system or its use of CCTV should be referred to the Principal, Mike Kirby.

 

We have notified the Information Commissioner’s Office that we process and store personal information, as we are required to do by the Data Protection Act.

Authorised by The Principal
Date June 2017
Effective date of the policy June 2017
Circulation Teaching staff / all staff / parents / Students on request
Review date June 2018

DATA PROTECTION REGISTRATION NO.: Z1019160.

Appendix 1

 

Data Breach Procedure

Policy Statement

Ashbourne holds large amounts of personal and sensitive data. Every care is taken to protect personal data and to avoid a data protection breach. In the unlikely event of data being lost or shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. This breach procedure applies to all personal and sensitive data held by Ashbourne.

This procedure applies to all school staff.

Purpose

This breach procedure sets out the course of action to be followed by all staff at Ashbourne  if a data protection breach takes place.

Legal Context

The Data Protection Act 1998 makes provision for the regulation of the processing (use) of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

Principle 7 of the Act states that organisations which process personal data must take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Types of Breach

Ashbourne takes breaches of security seriously. Examples of potential breaches of security can be caused by a number of factors. Some examples are:

– Loss or theft of pupil, staff odata and/ or equipment on which data is stored;

– Inappropriate access controls allowing unauthorised use;

–  Equipment Failure;

– Human Error;

–  Unforeseen circumstances such as fire or flood;

–  Hacking;

–  ‘Blagging’ offences where information is obtained by deception.

 

Immediate Containment/Recovery

In discovery of a data protection breach, the following steps should be followed:

  1. The person who discovers/receives a report of a breach must inform the Data Protection Officer and the Principal.

If the breach occurs or is discovered outside normal working hours, this should begin as soon as is practicable.

  1. The Data Protection Officer along with the Principle  must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach. An example might be to shut down a system, or to alert relevant staff such as the IT technician.
  2. As a registered Data Controller, it is Ashbourne’s  responsibility to take the appropriate action and conduct any investigation.
  3.  The Data Protection Officer and Principal must also consider whether the Police need to be informed. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
  4. The Data Protection Officer and Principal must quickly take appropriate steps to recover any losses and limit the damage. Steps might include:
  • Attempting to recover lost equipment.
  • Consideration should be given to a global email to all school staff. If an inappropriate enquiry is received by staff, they should attempt to obtain the enquirer’s name and contact details if possible and confirm that they will ring the individual making the enquiry back.
  • Whatever the outcome of the call, it should be reported immediately to the Data Protection Officer and Principal
  • The use of back-ups to restore lost/damaged/stolen data. e. If bank details have been lost/stolen, consider contacting banks directly for advice on preventing fraudulent use.
  • If the data breach includes any entry codes or IT system passwords, then these must be changed immediately and the relevant agencies and members of staff informed.

Investigation

In most cases, the next stage would be for the  Data Protection Officer and Principal to fully investigate the breach.  They should ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation.

The investigation should consider:

  •  type of data;
  • Its sensitivity;
  • What protections are in place (e.g. encryption);
  • What has happened to the data;
  • Whether the data could be put to any illegal or inappropriate use;
  • How many people are affected;
  • What type of people have been affected (pupils, staff members, suppliers etc) and whether there are wider consequences to the breach.
  • A clear record should be made of the nature of the breach and the actions taken to mitigate it.

The investigation should be completed as a matter of urgency and, wherever possible, within 5 days of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

Notification

Some people/agencies may need to be notified as part of the initial containment. However, the decision will normally be made once an investigation has taken place. The Data Protection Officer and Principal should, after seeking expert or legal advice, decide whether anyone should be notified of the breach.

In the case of significant breaches, the Information Commissioner’s Office (ICO) should be notified. Incidents should be considered on a case by case basis. The following points will help you to decide whether and how to notify:

  • Are there any legal/contractual requirements to notify?
  • Will notification help prevent the unauthorised or unlawful use of personal data?
  • Could notification help the individual – could they act on the information to mitigate risks?

If a large number of people are affected, or there are very serious consequences, you should notify the ICO. The ICO should only be notified if personal data is involved. There is guidance available from the ICO on when and how to notify them, which can be obtained at: http://www.ico.gov.uk/for_organisations/data_protection/the_guide/~/med ia/documents/library/Data_Protection/Practical_application/breach_report ing.ashx.

Consider the dangers of over-notifying. Not every incident warrants notification and over-notification may cause disproportionate enquiries and work.  The notification should include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to mitigate the risks posed by the breach.  When notifying individuals, give specific and clear advice on what they can do to protect themselves and what you are willing to do to help them.

 

You should also give them the opportunity to make a formal complaint if they wish following the college’s Complaints Procedure.

 

Review and Evaluation

Once the initial aftermath of the breach is over, the Data Protection Officer and Principle should fully review both the causes of the breach and the effectiveness of the response to it. It should be written and sent to the next available management team meeting for discussion.

 

If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right.

 

If the breach warrants a disciplinary investigation, the manager leading the investigation should do so in line with Ashbourne’s Disciplinary Procedure and Policy.

 

This breach procedure may need to be reviewed after a breach or after legislative changes, new case law or new guidance. Consideration should be given to reviewing this breach procedure whenever the data protection policy is reviewed.

 

Implementation

Ashbourne will ensure that staff are aware of the Data Protection policy and its requirements including this breach procedure. This should be undertaken as part of induction and supervision. If staffs have any queries in relation to the policy, they should discuss this with their line manager, Data Protection Officer  or the Principle.

 

 

 

Appendix 2

Ashbourne’s Retention and Disposal Schedule

 

  1. Management & Organisation

 

Record Minimum Retention Period Action After Retention
Senior Management Team-Meeting Minutes Current acedemic year + 6 years Archive for Permanent Preservation
Staff Meeting Minutes Academic year + 6 years Destroy
College Development Plan Retain in College for 10 years from closure of Plan Archive  for Permanent Preservation
Policies Retain while current. Retain 1 copy of old policy for 2 years after being replaced Destroy
Visitors Book Current academic  year + 6 years Destroy
Circulars to Staff, Parents and Pupils Current academic year + 3 years Destroy
College Brochures/ Prospectus Current academic year + 3 years Destroy
Comments/Complaints 5 years after closing. Review for further retention in the case of contentious disputes Destroy
Annual Report Retain in College for 10 years from date of

Report

Archive for Preservation
Emergency Planning/Business Continuity Plan Until superseded Destroy

 

 

Legislation and Guidance from DE, ELB, ESA, CCMS etc

 

Record Minimum Retention Period Action After Retention
Circulars, Guidance, Bulletins from DE, ELB etc Until superseded Destroy
Correspondence re: Statistical Returns to DE, ELB etc Current financial year + 6 years Destroy
DE Reports, Inspections Until superseded Destroy

 

  1. Students
Record Minimum Retention Period Action After Retention
Pupil Admission Data
Applications for enrolment 3 years after enrolment Destroy
Transfer applications (Transfer Forms) 3 years after enrolment Destroy
Pupil Attendance Information/Registers Date of Register + 10 years Archive for Preservation
Pupil Education Records  – School/Progress Reports etc Until pupil is 23 years old Destroy
Pupil Education Records  – School/Progress Reports etc (Special Educational Needs) Until Pupil is 26 years old Destroy
Child Protection Information- Record of concerns where case was not referred to Social Services 10 years after last entry on file Destroy
Child Protection Information- Social Services investigation outcome was unfounded or malicious 10 years after last entry on file Destroy
Child Protection Information- Social Services investigation outcome was inconclusive, unsubstantiated or substantiated Until pupil is 30 years old Destroy
Disciplinary Action (Suspension/Expulsion)/Offences – bullying Until pupil is 23 years old Destroy
Disciplinary Action (Suspension/Expulsion)/Offences – bullying (Special Educational Needs) Until pupil is 26 years old Destroy
Timetables + Class Groupings Retain while current Destroy
Examination Results Current school year + 6 years Destroy
Careers Advice Current school year + 6 years Destroy
Trips – Financial & Administration details Current financial year + 6 years Destroy
Trips-Attendance/Staff Supervision etc Current financial year + 6 years. In the case of an incident/accident involving a pupil, retain until pupil is 23 years old or 26 for a pupil with special educational needs Destroy
Reports of Stolen/Damaged Items Current financial year + 6 years Destroy
Medical Records – records of Students with medical conditions and details for the administration of drugs when necessary. Until pupil is 23years old or in the case of a Special Needs Students, until 26 years old Destroy

 

  1. Staff

 

Record Minimum Retention Period Action After Retention
Staff Personnel Records (including, appointment details, training, staff development etc.) 7 years after leaving employment Destroy
Interview notes and recruitment records Date of interview + 6 months Destroy
Staff Salary Records 7 years after leaving employment Destroy
Staff Sickness Records (copies of Medical Certs) Current school year + 6 years Destroy
Substitute Staff Records-non teaching Current school year + 6 years Destroy
Student Records-non teaching Current school year + 6 years Destroy
Procedures for Induction of Staff Until superseded Destroy
Staff/Teachers’ Attendance Records 7 years after leaving Destroy
Staff Performance Review 7 years after leaving Destroy

 

Finance

Record Minimum Retention Period Action After Retention
Annual budget and budget deployment Current financial year + 6 years Destroy
Budget Monitoring Current financial year + 6 years Destroy
Annual Statement of Accounts         (Outturn Statement) Current financial year + 6 years Destroy
Order Books, Invoices, Bank Records, Cash Books, Till Rolls, Lodgement books etc Current financial year + 6 years Destroy
Postage Book Current financial year + 6 years Destroy
Audit Reports Current financial year + 6 years Destroy

 

Health & Safety

 

Record Minimum Retention Period Action After Retention
Accident Reporting (Adults) Date of incident + 7 years Destroy
Accident Reporting (Children) Until pupil is 23years old or in the case of a Special Needs pupil, until 26 years old Destroy
Risk Assessments – work experience locations/pupils 7 years Destroy
H & S Reports 15 years Destroy
Fire Procedure Until superseded Destroy
Security System File For the life of the system Destroy