Bournemouth School for Girls (the Data Controller) has been working through the ICO 12-point plan to ensure compliance in readiness for GDPR on 25 May 2018. However, guidelines from the ICO and the Department for Education are still being updated regularly, and we still await final confirmation of various details from the Data Protection Bill currently going through Parliament. The actions we have taken under the 12 points are summarised below:
1. AWARENESS: Governors, Senior Leaders and all staff have been made aware of the forthcoming changes in regulations. GDPR has been an agenda item in Governing Board meetings and SLT meetings. Staff training plans have been put in place for INSET days and as part of the induction programme for any new members of staff.
2. INFORMATION YOU HOLD: A full data audit has been carried out by our Data Protection Officer. All areas of data processing by Governors, teaching staff, support staff, admin staff, peripatetic music teachers and the Parents Association have been covered to ensure that we have a complete picture involving all stakeholders. We have gathered as much information as possible about how the data we hold is collected, stored (including IT security) and processed, and have documented this. The report will be reviewed annually.
3. COMMUNICATING PRIVACY INFORMATION: Our privacy notice has been reviewed and updated to include the additional information required to evidence GDPR compliance. Other policies have also been reviewed and written. As guidance from the DfE is still expected we are regularly reviewing these documents. They will be published on the school website once approved by the governing board.
4. INDIVIDUALS' RIGHTS: We have formalised procedures for deleting data that is no longer required and for providing data electronically. The wording of the new Privacy Notice(s) is much more explicit on how the data we hold is handled to cover the individuals' right to be informed. The school aims to be open and transparent about our data processing.
5. SUBJECT ACCESS REQUESTS: We have updated procedures and made plans on responding to Subject Access Requests in order to respond within the new timescales. Reference is made to our data audit report to identify all possible areas of data held in the school. Staff training will cover how to recognise a Subject Access Request should they receive such a request. Our website now publishes the procedure for completing a Subject Access Request.
6. LAWFUL BASIS FOR PROCESSING PERSONAL DATA: The school has not changed how we handle, store, process or delete data but under GDPR we need to update our Privacy notice to clearly identify the processing activity that comes under Lawful Basis. An interim updated privacy notice was sent as part of the admission forms in March but the final updated Privacy Notice will be published at the beginning of September for the new academic year, as we still await updated guidance from ICO and DfE.
7. CONSENT: We have reviewed how we seek and then record consent and put procedures in place for responding to any requests to withdraw consent. The majority of the school's data processing comes under the category of lawful basis but there will be some processing that will require consent to be asked for. Consent will be explicit and must be freely given so we will always ensure that this is the case.
8. CHILDREN: We are awaiting confirmation from the Data Protection Bill that pupils will now be able to give their own consent from the age of 13. We have drafted procedures for obtaining consent directly from pupils from this age should the Bill be passed. However, parental consent will still be sought for pupils starting at the school in Year 7.
9. DATA BREACHES: Staff have been notified that they now need to report any data breach to the Data Protection Officer. We will keep a Data breach log with details of any action taken, and an impact assessment if necessary. Any serious data breaches will be reported to the ICO – the Data Protection Officer and Data Lead will make the decision on whether a breach needs to be reported to the ICO following their guidance. We have made plans to investigate and act on any data breaches reported. We also have plans in place on how to detect a data breach or potential data breach.
10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS: Staff are aware of the Privacy by Design concept and will involve the Data Protection Officer when reviewing new processes. The Privacy Impact Assessments have formed part of our extensive data audit and we follow guidelines from the ICO and the Article 29 Working Party.
11. DATA PROTECTION OFFICER (DPO): As a public authority the school is required to assign their own Data Protection Officer. Our Data Protection officer is Mrs Kathy Jackson and for any queries on GDPR and Data Protection please write in the first instance to our DPO or email:
12. INTERNATIONAL: At present we do not carry out any data processing overseas. Should the need arise in the future then we will follow Article 29 Working Party guidelines.
In addition and complementary to these 12 points, Bournemouth School for Girls has been in contact with suppliers and data processors (where personal data is involved and the relationship therefore comes under GDPR regulations) to ensure that they are also evidencing GDPR compliance. We have contacted many companies in advance, and as contracts come up for renewal during the year or a need arises for data processing (software support, for example), we are ensuring that a schedule is added to the contract to cover GDPR.
From September 2018 Bournemouth School for Girls will be using a different MIS system – SIMS. The communication with parents will change as a result of this and our data checking procedures, for instance, will change. The method of viewing your daughter's record will also be different. Once the system is live we will be able to document procedures on data recording, communication, etc.
Please be reassured that the introduction of GDPR does not change anything about the nature of data processing carried out by Bournemouth School for Girls. We still focus on Teaching and Learning and collect all the statutory data using exactly the same secure methods as before. Data Protection has always been at the forefront of the processes. The introduction of GDPR has provided an excellent opportunity to review processes, further enhance our procedures and create new policies and procedures.
| Subject Access Request Policy | 25th May 2018 |
| Subject Access Request Form | 25th May 2018 |