Data Protection Policy

1. Legal framework
   1. This policy has due regard to legislation, including, but not limited to the following:
      1. The General Data Protection Regulation (GDPR);
      2. The Freedom of Information Act 2000;
      3. The Education (Pupil Information) (England) Regulations 2005 (as amended in 2016);
      4. The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004;
      5. The School Standards and Framework Act 1998.
   2. This policy will also have regard to the following guidance:
      1. Information Commissioner’s Office (2017) ‘Overview of the General Data Protection Regulation (GDPR)’
      2. Information Commissioner’s Office (2017) ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’
2. Applicable data
   1. For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, such as an IP address. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data.
   2. Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of genetic data, biometric data and data concerning health matters.
3. Principles
   1. In accordance with the requirements outlined in the GDPR, personal data will be:
      1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
      2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
      3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
      4. Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
      5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
      6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
      7. The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
4. Accountability
   1. The Archbishop Lanfranc Academy will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR.
5. Data protection officer (DPO)
   1. Mr Richard Ellis, Senior Vice Principal, has been appointed as DPO, and will inform and advise the Academy and its employees about their obligations to comply with the GDPR and other data protection laws.
   2. Mr Richard Ellis, Senior Vice Principal, has been appointed to the role of DPO and will perform these duties provided the duties of the DPO do not lead to a conflict of interests.
6. Lawful processing
   1. The legal basis for processing data will be identified and documented prior to data being processed.
   2. Under the GDPR, data will be lawfully processed under the following conditions:
      1. The consent of the data subject has been obtained;
      2. Appendix A. The Academy Fair Processing Notice
   3. Sensitive data will only be processed under the following conditions:
      1. Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law;
      2. Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent;
      3. Processing relates to personal data manifestly made public by the data subject;
      4. Processing is necessary for:
         • carrying out obligations under employment, social security or social protection law, or a collective agreement.
         • Protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.
         • The establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
         • Reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.
         • The purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
         • Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
         • Archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
7. Consent
   1. Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre ticked boxes.
   2. Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes.
   3. Where consent is given, a record will be kept documenting how and when consent was given.
8. The right to be informed
   1. The privacy notice supplied to individuals in regard to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
9. The right of access
   1. Individuals have the right to obtain confirmation that their data is being processed.
   2. Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
   3. The Academy will verify the identity of the person making the request before any information is supplied.
   4. A copy of the information will be supplied to the individual free of charge; however, the Academy may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.
   5. Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.
   6. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged.
   7. All fees will be based on the administrative cost of providing the information.
   8. All requests will be responded to without delay and at the latest, within one month of receipt.
   9. In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
   10. Where a request is manifestly unfounded or excessive, the Academy holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
   11. In the event that a large quantity of information is being processed about an individual, the school will ask the individual to specify the information the request is in relation to.
10. The right to rectification
    1. Individuals are entitled to have any inaccurate or incomplete personal data rectified.
    2. Where the personal data in question has been disclosed to third parties, the Academy will inform them of the rectification where possible.
    3. Where appropriate, the Academy will inform the individual about the third parties that the data has been disclosed to.
    4. Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.
    5. Where no action is being taken in response to a request for rectification, the Academy will explain the reason for this to the individual and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
11. The right to be forgotten
    1. Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
    2. Individuals have the right to erasure in the following circumstances:
       1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
       2. When the individual withdraws their consent
       3. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
       4. The personal data was unlawfully processed
       5. The personal data is required to be erased in order to comply with a legal obligation
       6. The personal data is processed in relation to the offer of information society services to a child
    3. The Academy has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
       1. To exercise the right of freedom of expression and information
       2. To comply with a legal obligation for the performance of a public interest task or exercise of official authority
       3. For public health purposes in the public interest
       4. For archiving purposes in the public interest, scientific research, historical research or statistical purposes
       5. The exercise or defence of legal claims
    4. As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
    5. Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
    6. Where personal data has been made public within an online environment, the Academy will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
12. The right to restrict processing
    1. Individuals have the right to block or suppress the Academy’s processing of personal data.
    2. In the event that processing is restricted, the school will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.
    3. The Academy will restrict the processing of personal data in the following circumstances:
       1. Where an individual contests the accuracy of the personal data, processing will be restricted until the Academy has verified the accuracy of the data
       2. Where an individual has objected to the processing and the Academy is considering whether their legitimate grounds override those of the individual
       3. Where processing is unlawful and the individual opposes erasure and requests restriction instead
       4. Where the Academy no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim
    4. If the personal data in question has been disclosed to third parties, the Academy will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
13. The right to data portability
    1. Individuals have the right to obtain and reuse their personal data for their own purposes across different services
    2. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.
    3. The right to data portability only applies in the following cases:
       1. To personal data that an individual has provided to a controller
       2. Where the processing is based on the individual’s consent or for the performance of a contract
       3. When processing is carried out by automated means
    4. Personal data will be provided in a structured, commonly used and machine-readable form.
    5. The Academy will provide the information free of charge.
    6. Where feasible, data will be transmitted directly to another organisation at the request of the individual.
    7. The Academy is not required to adopt or maintain processing systems which are technically compatible with other organisations.
    8. In the event that the personal data concerns more than one individual, the Academy will consider whether providing the information would prejudice the rights of any other individual.
    9. The Academy will respond to any requests for portability within one month.
    10. Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.
    11. Where no action is being taken in response to a request, the Academy will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
14. The right to object
    1. The Academy will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.
    2. Individuals have the right to object to the following:
       1. Processing based on legitimate interests or the performance of a task in the public interest
       2. Direct marketing
       3. Processing for purposes of scientific or historical research and statistics.
    3. Where personal data is processed for the performance of a legal task or legitimate interests:
       1. An individual’s grounds for objecting must relate to his or her particular situation;
       2. The Academy will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defence of legal claims, or, where the Academy can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
    4. Where personal data is processed for direct marketing purposes:
       1. The Academy will stop processing personal data for direct marketing purposes as soon as an objection is received;
       2. The Academy cannot refuse an individual’s objection regarding data that is being processed for direct marketing purposes.
    5. Where personal data is processed for research purposes:
       1. The individual must have grounds relating to their particular situation in order to exercise their right to object;
       2. Where the processing of personal data is necessary for the performance of a public interest task, the Academy is not required to comply with an objection to the processing of the data.
    6. Where the processing activity is outlined above, but is carried out online, the Academy will offer a method for individuals to object online.
15. Data breaches/breach management
    1. The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
    2. The DPO will ensure that all staff members are made aware of, and understand, what constitutes as a data breach as part of their continuous development training.
    3. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed.
    4. All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of the Academy becoming aware of it.
    5. The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis.
    6. In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, the school will notify those concerned directly.
    7. A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority.
    8. In the event that a breach is sufficiently serious, the public will be notified without undue delay.
16. Data security
    1. Confidential paper records will be kept in a locked filing cabinet or drawer with restricted access.
    2. Confidential paper records will not be left unattended or in clear view anywhere with general access.
    3. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.
    4. Any portable memory device (such as a USB or external hard drive) used for the storage of data will be encrypted and password protected. Non-encrypted devices will not be compatible with Academy computer systems.
    5. All electronic devices are password-protected to protect the information on the device in case of theft.
    6. Where possible, the Academy enables electronic devices to allow the remote blocking or deletion of data in case of theft.
    7. All necessary members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
    8. Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security, e.g. keeping devices under lock and key. The person taking the information from the Academy’s premises accepts full responsibility for the security of the data
    9. Before sharing data, all staff members will ensure;
       1. They are allowed to share it;
       2. That adequate security is in place to protect it.
    10. Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of the Academy containing sensitive information are supervised at all times.
    11. The Archbishop Lanfranc Academy takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
17. Publication of information
    1. The Archbishop Lanfranc Academy publishes on its website information that will be made routinely available, including:
       1. Policies and procedures
       2. Annual reports
       3. Financial information
18. CCTV and photography
    1. The Academy understands that recording images of identifiable individuals counts as processing personal information and therefore this is done in line with data protection principles.
    2. The Academy notifies all pupils, staff and visitors of the purpose for collecting CCTV images via notice boards.
    3. Cameras are only placed where they do not intrude on anyone’s privacy and are necessary to fulfil their purpose.
    4. All CCTV footage will be retained for up to ten days for security purposes; the DPO is responsible for keeping the records secure and allowing access. CCTV footage captured in relation to wrongdoing on the site will be kept for as long as necessary as to be of use to the Academy investigating officer or law enforcement agencies.
    5. Images captured by individuals for recreational/personal purposes, and videos made by parents for family use, are exempt from the GDPR.
19. Data retention
    1. Data will not be kept for longer than is necessary (See Appendix C- HR Records and Management protocol and Appendix D -Retention Register)
    2. Unrequired data will be deleted as soon as practicable.
    3. Some educational records relating to former pupils or employees of the school may be kept for an extended period for legal reasons, but also to enable the provision of references or academic transcripts.
    4. Paper documents will be shredded or pulped, and electronic memories scrubbed clean or destroyed, once the data should no longer be retained.
20. DBS data
    1. All data provided by the DBS will be handled in line with data protection legislation; this includes electronic communication.
    2. Any third parties who access DBS information will be made aware of the data protection legislation, as well as their responsibilities as a data handler.
21. Policy review
    • Effective from: 1st September 2021
    • Policy Last Reviewed: December 2024
    • Next Review date: December 2026

Appendix A - Privacy Notice (How we use pupil information)

The categories of pupil information that we collect, hold and share include:

• Personal information (such as name, unique pupil number and address)
• Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility)
• Attendance information (such as sessions attended, number of absences and absence reasons)
• Assessment information
• Relevant medical information
• SEN information
• Behaviour information, including information regarding exclusions
• CCTV footage

Why we collect and use this information

We use the pupil data:

• to support pupil learning
• to monitor and report on pupil progress
• to provide appropriate pastoral care and safeguarding
• to assess the quality of our services
• to comply with the law regarding data sharing

The lawful basis on which we use this information

We collect and use pupil information under Article 6.1e) of GDPR, and Article 9.2b) in the instance of special categories of information.

Collecting pupil information

Whilst the majority of pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.

Storing pupil data

We hold pupil data for 5 years after a pupil has left the school.

Who we share pupil information with

We routinely share pupil information with:

• schools that the pupil’s attend after leaving us
• our local authority
• the Department for Education (DfE)
• school nurse, and other relevant health professionals

Why we share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so.

We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

We are required to share information about our pupils with the (DfE) under regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013.

Data collection requirements:

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

Youth support services- Pupils aged 13+

Once our pupils reach the age of 13, we also pass pupil information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

• youth support services
• careers advisers

A parent or guardian can request that only their child’s name, address and date of birth is passed to their local authority or provider of youth support services by informing us. This right is transferred to the child / pupil once he/she reaches the age 16.

Pupils aged 16+

We will also share certain information about pupils aged 16+ with our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

• post-16 education and training providers
• youth support services
• careers advisers

For more information about services for young people, please visit our local authority website.

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our pupils to the DfE as part of statutory data collections such as the school census and early years’ census. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Pupils) (England) Regulations 2013.