The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. It covers all the countries in the EU and has been adopted by the UK. It is heavily based on the Data Protection Act 1998, but as a school we have had to refine our approach to Data Protection, as it brings many enhancements to the rights of individuals with regard to their personal data. At its heart, the GDPR changes the importance of Data Protection and emphasises accountability. Making Data Protection important means that as a school we ensure that we are thinking about how we use data in everything we do. The emphasis on accountability means that as a school we have increased the amount of documentation we use to record procedures and issues.
The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. See the ICO's GDPR website for information about all aspects of GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
There are 6 key principles to the GDPR that the school is accountable for:
- There must be a lawful reason for collecting personal data and it must be done in a fair and transparent way.
- Data must only be used for the reason it is initially obtained.
- No more data than is necessary should be collected.
- Data has to be accurate and there must be mechanisms in place to keep it up to date.
- Data should not be retained for longer than is necessary.
- The protection of personal data must be upheld.
As a school, we have looked at what data we need to obtain consent for under the GDPR, so that any data we collect is appropriate. To comply with the Department for Education (DfE) and Census obligations, we request on admission, on the emergency contact form, a range of personal information that complies with our statutory duties. When changes to any of this data occur and we are informed, the data is updated as soon as possible within our Management Information System. For other types of data that we collect, we seek consent through consent forms that provide parents with the opportunity to give or decline consent. Consent is only accepted if it is freely given, and parents/carers are entitled to withdraw consent at any time by contacting the academy office, where the request will be put in place with immediate effect. Consent is requested for the types of data outlined below:
- The use of photographs/videos for different purposes.
- Non-essential communications.