General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people's personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.
'Personal data' means information that can identify a living individual.
The regulation will apply to all schools from 25th May 2018, and will apply even after the UK leaves the EU.
The GDPR sets out the key principles that all personal data must be processed in line.
- Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected.
There are also stronger rights for individuals regarding their own data.
- The individual's rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all.
Lawful basis and consent
Dean Valley School's lawful basis for processing data is PUBLIC TASK. This means in the majority of cases where we process data it is done on the basis that we need to process the information to carry out our official function of providing children with an education.
Schools only need to obtain consent to process data when they cannot do so under any other lawful basis, such as complying with a regulatory requirement.
For example, consent would not need to be obtained to process data that the school provides to the Department for Education (DfE) as part of the census - this is a legal obligation therefore the data can be processed lawfully without consent.
However, consent would need to be obtained, for example, where the school wishes to collect parents' email addresses to send fundraising and marketing emails to them.
Consent must be given freely and be specific and informed. Pre-ticked opt-in boxes are not allowed. Consent needs to be kept under review and can be withdrawn unless there is another lawful basis to process the data.
Individuals have the right to access the personal data and supplementary information school holds about them. This allows them to be aware of, and verify the lawfulness of, school processing this data. This right applies to everyone whose personal data the school holds, including staff, governors, volunteers, parents and pupils.
School must provide the information free of charge, must comply within 1 month and should provide the information in a commonly used electronic format, if the request as made electronically.
We have appointed a Data Protection Officer (DPO) to oversee the way the school handles data and ensure that requests for data are dealt with in accordance with GDPR.
Any subject access requests (SAR), Freedom of Information requests (FOI) and queries you have about the way in which your data is handled please contact our DPO.
Please see the relevant policies in the School Policies section of our website for school specific content. For more detailed information about the general data protection regulation please visit the Information Commissioner's Office guide to the general data protection regulation.