Data Protection Policy
Purpose: To protect personal privacy and uphold individuals’ rights
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) are the laws that protect personal privacy and uphold individuals’ rights. They
apply to anyone who handles or has access to people’s personal data.
This policy is intended to ensure that personal data is dealt with properly and securely and in accordance with the DPA. It will apply to personal data regardless of
the way it is used, recorded and stored and whether it is held in paper files or electronically.
All staff must have a general understanding of the law and understand how it may affect their decisions in order to make an informed judgement about how information
is gathered, used and ultimately deleted. All staff must read, understand and comply with this policy.
1. Scope of the Policy
Personal data is any information that relates to a living individual who can be identified from the information. This includes any expression of opinion about an
individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.
The School collects a large amount of personal data every year including: staff records, names and addresses of those requesting prospectuses, examination
marks, references, fee collection as well as the many different types of research data used by the School. In addition, it may be required by law to collect and use certain
types of information to comply with statutory obligations of Local Authorities (LAs), government agencies and other bodies.
2. The Principles
The principles set out in the GDPR must be adhered to when processing personal data:
1. Personal data must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency).
2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
(purpose limitation).
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (data minimisation).
4. Personal data shall be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate
are erased or rectified without delay (accuracy).
5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is
processed (storage limitation).
6. Appropriate technical and organisational measures shall be taken to safeguard the rights and freedoms of the data subject and to ensure that personal
information is processed in a manner that ensures appropriate security of the personal data and protects against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or damage to, personal data (integrity and confidentiality). In addition, there are rules about transferring data
outside of the UK. Llangattock School Limited will comply with these rules.
3. Lawful Basis for Processing Personal Data
Processing means anything done with personal data, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, use, disclosure, dissemination
or otherwise making available, restriction, erasure or destruction.
Personal data may be processed only if one of the following reasons applies:
● Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the school.
● Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to
entering into a contract.
● Processing is necessary for compliance with a legal obligation to which the data controller is subject.
● Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
● Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.
● The data subject has given consent to the processing of his or her data for one or more specific purposes. Data subjects must be easily able to withdraw consent
to processing at any time and withdrawal must be promptly honoured.
4. Responsibilities
4.1 The school will:
• Be clear about the basis on which any personal data needs to be held and processed and ensure that the data held is suitable for that purpose.
• Have obtained the Data Subject’s explicit consent to obtain, hold and process this personal data. A Data Subject is a living, identified or identifiable individual
about whom personal data is held.
• Inform Data Subjects why the school needs their personal information, how they will use it and with whom it may be shared. This is known as a Privacy Notice.
• Obtain only the minimum amount of personal data required.
• Check the quality and accuracy of the information held.
• Retain personal data for the minimum length of time it is required and afterwards dispose of it securely.
• Manage and process personal data sensitively and securely. Securely means:
▪ ensuring appropriate security measures are in place to safeguard personal data whether that is held in paper files or on a computer system
▪ that only people who have a need to know and are authorised to use the personal data can access it.
• Where the school uses external organisations to process personal information on its behalf, ensure those organisations follow the same Data Protection Principles.
• Set out clear procedures for responding to requests for access to personal information known as subject access in the DPA.
• Train all staff appropriately so that they are aware of their responsibilities and of the school’s relevant policies and procedures.
• Where processing is likely to result in high risk to an individual’s data protection rights (for example where a new technology is being implemented) undertake a
Data Protection Impact Assessment to assess whether the processing is necessary and proportionate in relation to its purpose, the risks to individuals and
what measures can be put in place to address those risks and protect personal information.
• Only share personal information with others when it is necessary and legally appropriate to do so.
4.2 The school, as a corporate body, is named as the Data Controller under the DPA. Data Controllers are people or organisations who hold and use personal
information. They decide how and why the information is used and have a responsibility to establish workplace practices and policies that are in line with
GDPR. The Data Controller is responsible for and must be able to demonstrate compliance with the six principles listed above.
4.3 The school is required to register with the Information Commissioner that it is processing personal data. This information will be included in a public register
which is available on the Information Commissioner’s website at ico.org.uk.
4.4 Every member of staff that holds personal data has to comply with the DPA when managing that data. Any failure to comply with any part of this policy may lead to
disciplinary action under the school’s procedures and this action may result in dismissal for gross misconduct.
5. Sensitive Personal Data
Sensitive personal data is data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or
orientation or is genetic or biometric data which uniquely identifies a natural person.
Sensitive personal data will only be processed if there is a lawful basis for doing so and one of the special conditions applies. These conditions are:
● the individual (‘data subject’) has given explicit informed consent.
● the processing is necessary for the purposes of exercising the employment law rights or obligations of the school or the data subject.
● the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent.
● the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit
body with a political, philosophical, religious or trade-union aim.
● the processing relates to personal data which are manifestly made public by the data subject.
● the processing is necessary for the establishment, exercise or defence of legal claims.
● the processing is necessary for reasons of substantial public interest.
● the processing is necessary for purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, the
provision of social care and the management of social care systems or services.
● the processing is necessary for reasons of public interest in the area of public health.
6. Documentation and Records
Written records of the regular personal data processing activities which the school undertakes will be kept and recorded including:
● the name(s) and details of individuals or roles that carry out the processing
● the lawful basis of the processing
● a description of the categories of individuals and categories of personal data
● categories of recipients of personal data
● a description of technical and organisational security measures.
Records will also be kept where sensitive personal data is processed.
The School will conduct periodic reviews of the personal data (including sensitive personal data) it processes and update its documentation accordingly.
7. Data Breaches
Data breach investigations will be undertaken using the school’s Data Breach Management Plan. The School will report any data breach to the Information
Commissioner’s Office (ICO) without undue delay and where possible within 72 hours, if the breach is likely to result in a risk to the rights and freedoms of
individuals. The school must also notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
Staff should inform their line manager immediately a data breach is discovered and make all reasonable efforts to recover the information, following the
school’s agreed breach reporting process.
8. Evaluation and Review
The Data Breach Management Plan includes an evaluation of any breach. In addition, the Principal will review the policy and evaluations at least annually to
satisfy herself that the policies and procedures remain effective.
9. Further Information
This policy will be updated as necessary to reflect best practice or amendments made to GDPR and the DPA.
Please follow this link to the ICO’s website (www.ico.org.uk) which provides further detailed guidance on a range of topics including individuals’ rights, exemptions from
the DPA, dealing with subject access requests, how to handle requests from third parties for personal data to be disclosed etc. In particular, you may find it helpful to
read the Guide to Data Protection which is available from the website.
For help or advice on any data protection or freedom of information issues contact:
Meg Williams
Llangattock School Monmouth
Additional and Related Documents
ICO Registration Certificate
Data Breach Management Plan
Issue date: 8 May 2021 - Reviewed 27 May 2022 & 30 May 2023
Withdrawal date: Current
Next review by: 30 May 2024