Staff Data Protection Policy


Version: 9.0
Approval Status: Approved
Document Owner: Graham Feek
Classification: External
Review Date: 02/11/2016
Effective from: 1 July 2015

Table of Contents

1. The Data Protection Act 1998
2. Principles of Data Protection
3. Responsibilities
4. Access to Information
5. Disclosure of Personal Data
6. Third Party Disclosures
7. General Guidance for Staff
8. Monitoring and Review
9. Information held about Pupils
10. Sensitive Personal Data

Introduction

This document sets out the Trust's and its Academies' responsibilities under the Data Protection Act 1998 ("the Act") and provides guidance on the maintenance of and access to data, including employment and educational records, in accordance with the provisions of the Act.

1. The Data Protection Act 1998

1.1 The Data Protection Act 1998 came into force on 1 March 2000. It introduced into UK law the provisions of the European Commission Data Protection Directive (95/46/EC). It applies to anyone who processes, stores or is the subject of personal data. The Act works in two ways and provides that:

- anyone who records and uses personal information (data controllers) must be open about how the information is used and must follow the eight principles of good information handling.
- all individuals (data subjects) have the right to see information that is held about them and the right to have information corrected if it is wrong.
- the Act applies to all electronic records that contain information about living and identifiable individuals and extends data protection to manual files where the personal data of a data subject is readily accessible (a structured filing system).

The main aim of the Act is to protect data from unnecessary, unauthorised or harmful use and to provide individuals with some control over the use of their personal data. Individuals have the right to take action for compensation caused by inaccurate, lost or destroyed data or unauthorised disclosure of information. They also have the right to complain to the Information Commissioner, who may serve an enforcement notice and, in some circumstances, impose a financial penalty.

1.2 Notification

Notification is the process by which a data controller's details are added to a public register along with information about the types of personal data that are processed and the purposes and nature of that processing. The register is maintained by the Information Commissioner and can be consulted by individuals to find out what processing of personal data is being carried out by a particular data controller. The Greenwood Academies Trust is registered as data controller for all Trust and Academy data.

All Academy Data Protection Officers must advise the Trust Data Controller if there are any changes to the use of personal data that are not covered by the Trust registration.

2. Principles of Data Protection

In collecting, using, storing and disposing of data, the Trust or Academy will comply with the requirements of the Act that govern the processing of personal data. Under these requirements, the information will be collected and used fairly, stored safely and not disclosed to any other person where to do so would be in breach of those requirements or would otherwise be unlawful. The Academy and its staff who process or use personal information will ensure they comply with the following eight data protection principles which are laid out in the Act.

2.1 Principle 1: Fairness

Personal data will be processed fairly and lawfully. The collection and disclosure of data is subject to scrutiny and is only lawful if it meets at least one of the following criteria (as specified in Schedule 2 to the Act):

- With the consent of the data subject, e.g. pupil, parent/guardian or employee. The current legal requirements are that the Trust is not obliged to share education records with pupils or parents/guardians. All requests for pupil records must be cleared by the Regional Education Director before being released.

- In performance of a contract, for example to process an application as part of the admissions process, or,
- If there is a legal obligation, for example under prevention of terrorism legislation, or,
- For the protection of the vital interests of the individual, for example to prevent injury or other damage to the health of the data subject, or,
- In the legitimate interest of any party, unless it is prejudicial to the interests of the individual.

The processing of personal data must meet all of the following criteria in order to be processed "fairly":

- Data will only be collected from persons who have the authority to disclose it. If personal information is collected from a third party, the data subject will be informed of the use of the information.
- When personal data is collected then a Privacy Notice is required that states:
  - the identity of the organisation in control of the processing
  - the purpose, or purposes, for which the information will be processed
  - any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair

In addition to the requirements outlined above, Sensitive Personal Data may only be processed if the processing also meets at least one of the following criteria, as specified in Schedule 3 to the Act:

- The data subject has given explicit consent
- It is necessary to meet requirements of employment law
- It is necessary to protect the vital interests (i.e. if the situation is a matter of life or death) of the subject or another person
- The data subject has already made the information public
- It is necessary for legal proceedings, obtaining legal advice or defending legal rights
- It is necessary for the carrying out of statutory functions
- It is necessary for medical purposes
- It is necessary for equal opportunities
- It is necessary in order to comply with legislation from the Secretary of State

2.2 Principle 2: Purpose

Personal data will be obtained only for one or more specified and lawful purposes. Data will not be further processed in any manner incompatible with the initial specified purpose or those purposes for which it was obtained as specified in the Privacy Notice.

2.3 Principle 3: Quality

Data must be adequate, relevant and not excessive. Personal information which is not necessary for the intended processing must not be acquired, i.e. personal information cannot be collected just because it may be useful. Only the minimum information required for the purposes for which it is obtained should be held.

2.4 Principle 4: Accuracy

Data must be accurate and up to date. The Trust or Academy must ensure that there is a system in place to review data for accuracy and to ensure it is up to date. Procedures must be in place to make any amendments requested by a data subject or a record kept if the amendment is not considered appropriate.

2.5 Principle 5: Storage

Data must not be kept for longer than required for the purpose for which it was obtained. Refer to the Greenwood Academies Trust Data Retention and Disposal Policy for further information. Information should not be kept any longer than the time period indicated to the data subject. The Trust or Academy must regularly review data held in order to assess whether information is still required in accordance with the Greenwood Academies Trust Data Retention and Disposal Policy.

Before disposing of any data (physical or electronic), the Data Manager responsible for the data must ensure he/she has consulted the Greenwood Academies Trust Data Retention and Disposal Policy to ensure the data is disposed of in the correct manner. Before disposing of any data in accordance with Section 1.8 - Principle 7: Data must be processed in a secure manner, the Trust or Academy will consider the following key points:

- Any legal requirements (e.g. possible negligence action).
- The length of any appeals procedure relating to the information.
- The number of times in the last two or three years that a particular type of record has been accessed.

2.6 Principle 6: Individual's Rights

Data must be processed in line with the rights of data subjects. This is linked to the first principle of fair and lawful processing and the rights afforded to data subjects by the Act. Data subjects have the right to know details of the processing of their personal data and have the right of access to personal information.

A data subject (including a member of staff) has the right to object to data processing relating to them which is likely to cause substantial and unwarranted damage or distress to that data subject or another person. There are a number of provisos to this right. Data subjects must make such a request in writing and, where their request is refused, can apply to the Court for an order. All requests and Court orders must be managed by the Trust Infrastructure Manager and, where applicable, the Academy Data Manager.

In addition, the Act gives data subjects the right to object to processing used for the purpose of direct marketing and/or wholly automated decision making. Data subjects have the right to request that the data controller rectifies or erases inaccurate data and to block future processing in cases of unlawful/unfair processing. Data subjects must make such a request in writing and, where their request is refused, can apply to the Court for an order for rectification/erasure. All requests will be managed by the Trust Infrastructure Manager.

2.7 Principle 7: Data must be processed in a secure manner

The Trust and the Academy must guard against unauthorised and unlawful processing (e.g. access, alteration, disclosure or disposal). Appropriate security records must be kept in order to provide an audit trail of any disposal of personal data. Personal information will, so far as possible, be:

- kept in a locked filing cabinet, or
- in a locked drawer; or
- if it is computerised, be password protected, or
- kept only on disk or other media which is encrypted.

When personal data is to be destroyed, paper or microfilm records will be disposed of by shredding or incineration. Data on computer hard disks or other magnetic media will be destroyed using a recognised supplier and destruction certificates obtained and retained. Optical media is to be shredded.

2.8 Principle 8: Outside the European Economic Area (EEA)

Personal data shall not be transferred outside of the EEA unless that country or territory ensures an adequate level of protection. Certain countries/territories, such as Australia, have been certified as providing an adequate level of protection. Where it is proposed to transfer to a country/territory that has not been so certified, the data controller must satisfy itself that the country/territory affords an adequate level of protection. If the data is to be transferred to a country or territory that does not have adequate protection, then the Trust Infrastructure Manager must approve the transfer and at least one of the following conditions must be met:

- The data subject has given consent to the transfer.
- It is necessary for the performance of a contract between the data subject and the data controller or with a view to entering into such a contract.
- The transfer is necessary for reasons of substantial public interest.
- The personal data is already on a public register.
- The transfer is necessary for the purposes of legal proceedings, legal advice or defending legal rights
- The transfer is necessary to protect the vital interests of the data subject

3. Responsibilities

All staff have a duty to observe the principles of the Data Protection Act. These guidelines are intended to assist staff to understand the aims and principles of the Act and to set out the main areas in which staff are likely to be affected by data protection issues in the course of their work.

3.1 The Trust Board

The Trust Board has responsibility for:

- Approving and reviewing this policy
- Ensuring the implementation of the Act

- Ensuring that Trust or Academy policies, procedures and practices are consistent with the objectives of the Act
- Ensuring that complaints about the handling of personal data are investigated and dealt with effectively
- Ensuring that appropriate training takes place for all staff.

3.2 The Trust Infrastructure Manager

The Trust Infrastructure Manager will act as the Trust Data Protection Officer and is responsible to the Trust to ensure that:

- the Trust and its Academies are appropriately registered with the Information Commissioner's Office. It is the responsibility of the Academy's Data Manager to effect the registration and ensure that any changes required to the registration are implemented.
- this policy is implemented in the Trust and Academies procedures and practices.
- the Trust Board is appropriately advised of all relevant information relating to the Act including any changes to the Act and any effect on the Trust and Academies.
- the processes for managing complaints, Subject Access Requests and Freedom of Information requests are properly managed.
- this policy is brought to the attention of all employees, data subjects and that all staff, including temporary, volunteer, supply and agency personnel, receive appropriate training.
- achieving compliance with this policy is sought at a practical level through action in recruitment and selection, training and development and general management.
- good practice is encouraged by all staff and any breaches of the Act and this policy are dealt with appropriately. Refer to the Greenwood Academies Trust Data Breach Management Procedure for further information.
- advice and guidance on the aspects of current data protection legislation are provided.

3.3 The Academy Data Controller

The Academy Data Controller is responsible for:

- ensuring that the Academy is appropriately registered with the Information Commissioner's Office.
- seeking to ensure that this policy is implemented in Academy procedures and practices and monitoring staff and other data subjects when processing data.
- ensuring that this policy is brought to the attention of all employees and data subjects and all staff, including temporary, volunteer, supply and agency personnel, receive appropriate training in line with the training standards.
- seeking to achieve compliance with this policy at a practical level through action in recruitment and selection, training and development and general management within their Academy.
- providing advice on the current data protection legislation to the Academy.
- reporting to the Trust Infrastructure Manager any breaches of the Act and policy according to the Greenwood Academies Trust Data Breach Management Procedure.

- determining the purposes for which and the manner in which any personal data is or is to be processed.
- ensuring the associated Greenwood Academies Trust policies and procedures governing the use, storage and disposal of data are adhered to and reporting any variances to the Trust Infrastructure Manager.

3.4 All Staff

Staff must ensure they understand how their work is affected by the Act and abide by the principles of the Act when processing personal data. All staff must assess the information used in the course of their work and their responsibility for any personal data. All personal data collected should be factually accurate and relevant. Staff must respect that all sensitive data must be kept confidential and that any breaches of that confidentiality may result in legal action.

It is a condition of employment that employees will abide by the rules and policies made by the Trust from time to time. All staff must be aware of and ensure that they comply with this Policy. Non-compliance may result in appropriate disciplinary or legal action being taken against the Trust, the Academy and/or the member of staff.

All contractors and volunteers employed by the Greenwood Academies Trust that have access to personal data are required to comply with this policy and its supporting policies as specified in the Data Protection schedule of their contract.

4. Access to Information

The Act gives all individuals about whom the Trust or Academy holds personal information the right to access information that relates to them, whether it is held electronically or in manual form. Although the Act refers to a structured manual filing system, access to information held in an unstructured filing system may also be requested, but further information may be required from the data subject to help the Trust or Academy retrieve the data.

Each Academy has a legal responsibility to respond to Subject Access Requests and Freedom of Information requests and must inform the individuals making the request that the request has been received. All Subject Access Requests or Freedom of Information Requests received by Academies must then be passed to the Trust Infrastructure Manager for processing.

The Trust will only allow access once a request has been received in writing (or by email) and the Trust is satisfied as to the identity of the person making the request. Proof of identity, confirming name and address, will be requested for this purpose.

A pupil's parent or legal guardian may make requests for access to their child's educational records only if they have the pupil's permission or the pupil is unable to act on their own behalf. Proof of this relationship will be required before access is granted.

On receipt of a subject access request, the Trust will inform the data subject of:

- the personal data of which that individual is the data subject,
- the purpose or purposes for which the information is or are to be processed, and
- the recipients or classes of recipients to whom the information may be disclosed.

The data subject is however entitled to request a copy of the information related to her/him which will be supplied by the Trust or Academy unless the supply is not possible or would involve disproportionate effort. Dealing with the request will be subject to a fee as per the Information Commissioner's Office current fee rates. That fee must be paid before the request is dealt with.

The right of access extends to children and young people who understand what it means to exercise that right. Where a pupil under 14 years makes a request for access to her/his records, the Trust or Academy or a relevant authority (e.g. doctor or educational psychologist) will decide whether or not he/she has sufficient understanding to do so. If the request is from a Parent/Legal Guardian, then children over the age of 14 years have the right to refuse access to the data providing they are considered competent to exercise that right.

4.1 Dealing with Requests

The Trust/Academy will comply with Freedom of Information Requests as defined in the Greenwood Academies Trust Freedom of Information Policy. For Subject Access Requests for personal information, the Trust/Academy will ensure that requests for access are dealt with within the timescale specified by legislation. The Trust's Data Subject Access Request procedure provides detailed guidance about how requests should be dealt with.

Requests for copies of educational records, once cleared by the Regional Education Director, will be dealt with within fifteen (15) school days. The Trust or Academy will process requests for all other information received from data subjects within forty (40) calendar days. An initial response will be sent to the requestor within twenty-one (21) days of receiving an access request. The response will confirm the request has been complied with, indicate the intention to comply or give the reasons for not complying with the request. If for any reason these timescales cannot be met, the reason will be explained, in writing, to the individual making the request.

Any person wishing to exercise their right of access should obtain a copy of the Trust's Freedom of Information Policy or Subject Access Request Policy by writing to the Trust or Academy.

5. Disclosure of Personal Data

The following attempts to illustrate when personal data can be disclosed. This list is not exhaustive and, if further guidance is required, staff should contact the Trust Data Protection Officer.

5.1 Staff Who Need to Know

Access to personal data will be provided to members of staff who need to know it in order to carry out their normal duties. However, only access to the data that is required will be provided.

5.2 Purposes Specified

Data will only be disclosed for use for the purposes specified when it was collected and any additional purpose of which the data subject has been notified. Any other use amounts to unlawful processing. For example, if information has been collected in order to pay school uniform grants in previous years, the Academy will not be allowed to use that information as a mailing list for a library service without having first notified the data subjects of the intention to do so and given data subjects the opportunity to opt out of such processing.

5.3 Specific Agreement of Data Subject

Data subjects should be made aware, via the relevant privacy notice, that their personal data may be disclosed to various third parties, without needing specific consent, during the normal course of business activities. Data may be used for other purposes such as Ofsted Inspections or other governmental/regulatory activity, accounting and statistical analysis, Internal and External Audit and also to prevent or detect fraud or other crimes for example. In all other cases data will only be disclosed to a third party if the data subject has given specific consent, ideally in writing.

5.4 Telephone Enquiries / Home Addresses and Telephone Numbers

Requests from third parties are often made by telephone, giving the added problem of verifying the identity of the caller. Even when the call appears to be genuine, personal data must not be disclosed (save where necessary for one of the purposes mentioned above and where the identity of the caller, purpose of the enquiry and proposed use of the information have been verified). Where appropriate, the caller will be asked to put their request in writing or an offer will be made to contact the data subject concerned, on behalf of the caller, and pass on any message.

Home addresses or personal telephone numbers of staff or other data subjects must not be given out to third parties unless the individual has given permission to do so. Alternative approaches include taking the caller's contact details and advising that a message will be passed on requesting that the caller is contacted, or offering to forward correspondence to a pupil or a member of staff on behalf of the caller.

It is important to take care when handling such requests. An individual's pupil/staff status is personal data. The Trust or Academy should be careful to neither confirm nor deny that the person is a pupil or member of staff at the Academy or that the person is otherwise known to the Trust or Academy.

5.5 The Police

Disclosures to the Police are not compulsory except in cases where the Trust or Academy is served with a Court Order requiring information. Requests from the Police for access to information must be made, in writing, from one of the Constabulary's Data Protection officers. In cases where the Trust or Academy has not been served with a Court Order but receives a request, consideration must be given to the implications of disclosure before any action is taken and to the nature of the information sought and the reasons for the request.

The Trust or Academy may be required to provide an explanation for any disclosure of the data subject's personal information at a later date and must be able to provide justifiable reasons for doing so, for example where the Trust or Academy believes that failure to release the information would prejudice a criminal investigation. In such cases the Trust Infrastructure Manager or Academy Data Manager who receives the request must make a clear and accurate record of the circumstances, the advice sought and the decision making process followed so that there is clear evidence of the reasoning and the prevailing circumstances.

Section 29 (3) of the Act allows organisations to disclose personal data where necessary for the prevention and detection of crime. At least one of the conditions of Schedule 2, and in the case of sensitive personal data, Schedule 3, must be satisfied in relation to the processing.

6. Third Party Disclosures

There are a number of circumstances under which data can be disclosed to a third party without the consent of the data subject. The circumstances are set out in the Act as follows:

- Data required by law, for example data supplied to statutory bodies.
- Data that is in the vital interests of the data subject, for example in a life or death situation.
- Data that would prevent harm to a third party.
- Data that would prevent a crime.
- Data that would be in the interests of national security.

Even in these circumstances, proof of identity, confirming name and address and a request in writing, will be required where practicable and only the minimum information necessary to achieve the relevant purpose should be disclosed.

7. General Guidance for Staff

The Trust or Academy needs to collect and use data (information) about its staff and other individuals for a variety of purposes. The purposes of processing data include the recruitment and payment of staff, organisation and administration of courses, monitoring of health and safety arrangements, monitoring of performance and achievements and in connection with the statutory functions of the Local Authority, government agencies and other regulatory bodies.

Included below is a list of general areas where the issue of data protection may arise. These guidelines do not attempt to cover every situation.

7.1 Recruitment and Selection

It is important to ensure that applicants who are responding to job advertisements or completing application forms know exactly to whom or where they are supplying their information and for what purposes their information will be used. Only information relevant to the recruitment decision should be requested. Applicants should have explained to them as early as possible what verification checks may be undertaken. This is currently covered in the application form where the individual is requested to sign a declaration of consent.

Personal information is also used in less obvious ways such as for Accounting and Statistical Analysis, Internal and External Audit purposes, Ofsted Inspections and the prevention and detection of fraud and other crimes.

Before attempting to obtain any information from a third party, for example for the purpose of confirming qualifications or employment history, it is necessary to obtain a signed consent form or some similar form of consent from applicants (this is currently covered in the declaration of consent on the application form).

Information should not be sought from applicants unless it can be justified as being necessary to enable the recruitment decision to be made or for a related purpose such as equal opportunities monitoring. For example, there is no obvious reason why the Trust or Academy should ask applicants for information about their membership of a trade union.

It is important to ensure that the processing of personal data during and retained after the interview process is relevant and necessary. The Trust or Academy may be asked to prove that the non-selection of a candidate was on the basis of something other than a discriminatory attitude held by the interviewer. Applicants will have subject access rights in relation to any interview notes taken. It is for this reason that all interview notes must be legible and understandable. It is recommended that interview notes be kept for a period of six (6) months after the date of interview.

7.2 Disclosure and Barring Service Checks

The Trust will require all applicants (paid and voluntary) for all posts to declare criminal convictions, which are spent or unspent and including any cautions and pending prosecutions. Such declarations will be made on the relevant application form. This information must only be disclosed to those that are authorised to see it in the course of their duties.

For those working in the Early Years Foundation Stage (EYFS), there are also childcare disqualification requirements; this means further criteria are asked in addition to inclusion of the Children's Barred List for the individual and their household, known as disqualification by association.

Details of any convictions/cautions may be explored through the interview process as part of the Trust's safeguarding obligations as outlined in the Keeping Children Safe in Education statutory guidance. Exemptions from the Rehabilitation of Offenders Act apply in this context and following the making of an offer of employment, further details on any convictions may be obtained through the completion of the Disclosure Barring Service (DBS) check.

7.3 Confidential References

The Act allows data subjects to access references about themselves received by the Trust or Academy (subject to respecting the confidentiality of third parties), but provides an exemption to the right of subject access in respect of those provided by the Trust or Academy.

Although confidential references received by the Trust or Academy are not exempt from the right of access, consideration must be given to the data privacy rights of the referee. Information contained in, or about, a confidential reference need not be provided in response to a subject access request if the release of this information would identify an individual referee unless:

- the identity of the referee can be protected by anonymising the information
- the referee has given his/her consent, or
- it is reasonable in all the circumstances to release the information without consent.

The Trust or Academy may not refuse to disclose references received from third parties without providing reasons e.g. the referee may have refused permission for the information to be made available.

Opinions expressed by third parties, such as a referee, constitute their personal data and there is a presumption within the Act that such data will not be disclosed without their consent. In cases where a confidential reference discloses the identity of an organisation but not an identifiable individual, as referee, disclosure will not breach data privacy rights.

Confidential references written by the Trust or Academy are exempt from subject access requests. When writing a reference it must be kept in mind that the details of the reference may, at a later date, be disclosed to the individual, for example by the new employer. The Trust or Academy must ensure that all information provided is up to date and accurate.

Where a reference requests it, the Trust or Academy can disclose information regarding the number of days sickness absence of a data subject.

However, detailed information about the data subject's health or sickness record, including reasons for absence, falls within the definition of sensitive personal data and must only be disclosed with the explicit (i.e. written) consent of the data subject.

7.4 Education Records

There is no legal requirement for Trusts or Academies to disclose Education Records. All requests for the data held in Education Records by pupils or parents/legal guardians must be cleared by the Regional Education Director.

All requests for data from third parties must conform to the principles of the Act and must be covered with a Data Sharing Agreement. All Data Sharing Agreements taken out by the Trust or Academy must undergo a Privacy Impact Assessment as defined in the Greenwood Academies Trust Privacy Impact Assessment guidance and the results of the assessment to be kept on file with the Data Sharing Agreement.

7.5 Examination Results

The Academy must ensure that strict confidentiality and secure office practices are followed while papers, including examination coursework, are being marked and while results are being compiled.

The Act does not give pupils the right to access their own examination scripts but it does allow access to comments made upon them by examiners. However, pupils are able, under subject access rights, to see the breakdown of marks awarded for particular questions or sections of examinations.

Examination marks should not be shared, either verbally or in writing, with any other person unless the individual pupil has given their permission e.g. the displaying of examination results on an Academy notice board or a list sent around the classroom is prohibited. Exceptions are other Trust or Academy staff relevant to their role, Ofsted and the DfE.

7.6 E-mail Addresses

Personal email addresses must not be disclosed for non-work purposes. If asked to disclose another member of staff's personal email address, the caller can be asked to give her/his email address and told that it will be passed on to the individual s/he is trying to contact if she/he is a member of the Trust or Academy. It is not appropriate to disclose a colleague's work email details to someone who claims she/he wishes to contact her/him regarding a non-work related matter.

7.7 Sickness and Accident Records

Sickness and accident records will include information about an employee's physical or mental health. This information constitutes sensitive personal data and is therefore subject to enhanced protection under the Act.

There is a distinction between sickness, accident and absence records. Sickness and accident records contain details of the illness, condition or accident suffered by the individual and, as such, contain sensitive personal data. Absence records, however, may explain the reason for the absence as sickness or accident but not include any reference to specific medical conditions and as such contain personal data.

The Information Commissioner recommends that sickness and accident records should be separated from absence records and that sickness and accident records should not be accessed where records of absence could be used instead.

In order to process the sickness and accident records, the Trust or Academy has to satisfy at least one of the conditions for processing sensitive personal data. Those conditions that may be most directly relevant to sickness and accident records are:

- The processing is necessary for the purposes of the exercising or performing of any right or obligation, which is conferred or imposed by law on the Trust or Academy in connection with employment. This could include obligations under Health and Safety legislation or for the purpose of administering statutory sick pay. This condition may also be relevant to the need to maintain sickness records so that the Trust or Academy can ensure that an employee is treated fairly.
- The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights. This condition may therefore apply where the Trust or Academy is defending itself against actual or threatened tribunal or court proceedings.
- The data subject has given his or her explicit consent to the processing. This will only apply where the employee understands what personal data is involved and has given a positive indication of agreement (such as a signature). The consent must also be freely given i.e. the employee must not be made subject to a detriment if he/she withholds their consent.

Being known as an employee of the Trust or Academy may mean being asked for information, for instance by parents, about a member of staff who is off sick. Although this can be awkward, parents must be informed that employees are unable to discuss confidential Trust or Academy matters. Persistent enquiries must be referred to the Principal or Trust Infrastructure Manager.

7.8 Payroll, Pension, Occupational Health and Insurance Schemes

Payroll, Pension schemes, Occupational Health, private medical and permanent health insurance schemes and other employment related schemes can be administered by the Trust but provided or controlled by third parties.

Personal data required to administer such schemes should not be used for other purposes and any data passed to the scheme providers should be limited to that which is necessary to operate the relevant scheme. It should be made clear to employees who join these schemes what data will be passed between the employer and the scheme controller and for what purposes this will be used.

7.9 Photographs, Videos and CCTV

Where it is wished for photographs to be taken or video recordings to be made of staff and/or pupils, as individuals, as small groups or organised groups, the individual(s) concerned must give their consent and be informed of the purpose(s) for which the information is to be used.

For general photographs or video recordings of the Academy grounds and public places, whereby individuals cannot be identified, consent is not required.

If the Academy intends to record an Academy event such as a sports day or Academy play, parents must be informed of the intention and the purpose(s) for which the recording will be used. A parent may choose to withdraw their child from such an event if they object to the recording.

The Academy must ensure the recorded images are stored securely, and in a location/on a medium where only authorised persons have access to them. The recorded images must only be retained long enough for any incident to come to light (e.g. for a theft to be noticed). The Academy may disclose recordings to a law enforcement agency in order to help with the prevention or detection of crime but must not release the images to any other third party.

Further guidance on the use of CCTV can be found on the Information Commissioner's website under Topic guides for organisations: http://ico.org.uk/for_organisations/data_protection/topic_guides

7.10 Equal Opportunities Monitoring

The Act specifically allows for processing of data on racial or ethnic origin, religion and disability if it is necessary for keeping under review the existence, or absence, of equality of opportunity.

The collection of this information is exclusively used for the statistical evaluation of the Trust's equal opportunities policy within recruitment and employment. The Trust, where possible, will ensure anonymity of information when meaningful monitoring is required.

The equal opportunities monitoring form, which collects information for this purpose, must be removed from all applications before any assessment of suitability for the post is considered.

7.11 Discipline, Grievance and Dismissal

Employees have the same rights of access to files containing information about disciplinary matters or grievances about themselves as they do to other personal data held. All of the normal data protection and access obligations apply to data created or accessed in the course of dealing with disciplinary and grievance issues. Any information referring to a third party must be removed or anonymised before access is granted.

Disciplinary warnings typically expire after a specified period provided that no further warnings have been issued and no disciplinary action has been taken against the employee during that period. In these circumstances, the warnings will generally be disregarded for future disciplinary purposes but not removed from the employee's personal file. Exceptions to the specified expiration limit will apply where child protection issues are raised - refer to the Safeguarding Policy for further information.

Details regarding information relating to discipline/grievance issues must not be disclosed to a third party; exceptions are Employment Tribunals and Trust Solicitors. For example, being known as an employee of the Academy may mean being asked, for instance by parents, about the alleged suspension of another member of staff. Under no circumstances should this information be disclosed or confirmed and persistent enquiries must be referred to the Trust Infrastructure Manager or Principal.

7.12 The Internet

Data placed on the Trust's or Academy's website and made available via the Internet will be available in countries which do not have a data privacy regime considered adequate by the EU. Where the Trust or Academy wishes to make staff/pupil personal data available in this way, the consent of the staff and/or pupil(s) concerned must be obtained. Consent can be withdrawn at any point.

Internet pages are sometimes used to collect personal data such as names and addresses of individuals who request Trust or Academy information e.g. from those who are registering to attend an open day. The relevant web page should indicate the purpose or purposes for which the data is collected, the recipients to whom it may be disclosed and an indication of the time period for which it will be kept (e.g. "while we process your application", rather than a specific date).

All sites that collect information from site visitors must provide a Privacy Statement. The purpose of this statement is to help individuals to decide whether they want to visit the site and, if so, whether to provide any personal information. Privacy Statements must be prominently displayed. The following is an example of a privacy statement:

This Website aims to provide on-line information about all of the Trust's or Academy's services. We do not use cookies for collecting user information from the site and we will not collect any information about you via this website without your consent.

The above does cover all requirements and consideration must be given to the intended audience and the use their data may be put to deliver Trust obligations. All Privacy Statements need to be reviewed by the Trust Infrastructure Manager before they are published.

Individuals must be given the opportunity to opt out of parts of the collection or use of the data not directly relevant to the specific purpose.

7.13 Collecting Personal Information

Before collecting or processing personal information, the Trust or Academy must consider whether the personal data collected about staff and other data subjects is necessary in the context of the relationship and is covered by a privacy notice.

For example, information concerning an employee's life outside work is unlikely to be necessary unless it is to determine potential or actual conflicts of interest and connected or related party transactions. However, it might be legitimate to request information about an employee's other jobs where there is a justifiable need, for example, in connection with the Working Time Regulations, or to request information about her/his children in connection with an application for parental leave.

Information collected for a particular purpose should not be used for any other, incompatible purposes.

8. Monitoring and Review

The Trust's or Academy's Data Controller will report on the policy to the Chief Executive, Deputy Chief Executive or Principal as appropriate.
The Chief Executive, Deputy Chief Executive or Principal will report to the Trust Board or Advisory Councils on any relevant aspects of the working of this policy (including non-compliance) as appropriate.

The Trust will review this policy every two (2) years.

9. Information held about Pupils

A pupil, or someone acting on their behalf, may make a SAR in respect of personal data held about the pupil by a school. If the school is in England, Wales or Northern Ireland, the SAR should be dealt with by the school. If the school is in Scotland, the SAR should be dealt with by the relevant education authority or the proprietor of an independent school.

There are two distinct rights to information held about pupils by schools. They are:

- the pupil's right of subject access under the DPA; and
- the parent's right of access to their child's educational record (in England, Wales and Northern Ireland this right of access is only relevant to maintained schools not independent schools, English academies or free schools. However in Scotland the right extends to independent schools).

Although this code is only concerned with the right of subject access, it is important to understand what is meant by a pupil's educational record. This is because there is an overlap between the two rights mentioned above and also because educational record is relevant when ascertaining the fee you may charge for responding to a SAR.

The statutory definition of educational record differs between England and Wales, Scotland and Northern Ireland. Broadly speaking, however, the expression has a wide meaning and includes most information about current and past pupils that is processed by or on behalf of a school. However, information kept by a teacher solely for their own use does not form part of the educational record.

It is likely that most of the personal information a school holds about a particular pupil will form part of the pupil's educational record. However, it is possible that some of the information could fall outside the educational record; e.g. information about the pupil provided by the parent of another child is not part of the educational record.

Unlike the distinct right of access to the educational record, the right to make a SAR is the pupil's right. Parents are only entitled to access information about their child by making a SAR if the child is unable to act on their own behalf or has given their consent. If it is not clear whether a requester has parental responsibility for the child or is acting on their behalf, you should clarify this before responding to the SAR.

In deciding what information to supply in response to a SAR, you need to have regard to the general principles about exemptions from subject access described elsewhere in this code. Examples of information which (depending on the circumstances) it might be appropriate to withhold include:

- information that might cause serious harm to the physical or mental health of the pupil or another individual;
- information that would reveal that the child is at risk of abuse, where disclosure of that information would not be in the child's best interests;
- information contained in adoption and parental order records; and
- certain information given to a court in proceedings concerning the child.

10. Sensitive Personal Data

'Sensitive personal data' means personal data consisting of information as to:

a) the racial or ethnic origin of the data subject
b) their political opinions
c) their religious beliefs or other beliefs of a similar nature
d) whether they are a member of a trade union
e) their physical or mental health or condition
f) their sexual life
g) the commission or alleged commission by them of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.