Data Protection and GDPR

Carfield supplier letter GDPR compliance (1)

Please click on the link Carfield parent privacy notice

Please click on this link for the updated 2018 Policy Carfield GDPR Data Protection Policy

Explaining GDPR


What is GDPR?


The General Data Protection Regulation (GDPR) is a new EU law that will come into effect on 25 May 2018 to replace the current Data Protection Act (1998). It is the biggest overhaul of data protection legislation for over 25 years, and will introduce new requirements for how organisations process personal data.


It is focused on looking after the privacy and rights of the individual and based on the premise that consumers and data subjects should have knowledge of the lawful basis for processing their data, what data is being held about them, how it is held, how it will be used, why it will be used, how long it will be held for and whether or not this information will be exported elsewhere for use by another organisation.



What information does this relate to?


The data relates to any personal information that you could use to identify an individual directly or indirectly.



Identify who?

This includes any living person including pupils, parents, staff, governors, contractors, university students etc.



What are we doing?


As a school we will ensure that data we hold is accurate and kept up to date.


We will ensure that we only keep data for as long as is required. The length of time we keep documents can be found within our Data Retention Policy. We will ensure we inform the data subject of the length of time the information will be kept.


We will inform data subjects why we will use the data.


We will inform data subjects how we will use the data.


We will inform data subjects if their data will be used by a third party.


We will inform data subject what we will do with their data once we no longer require it.


We will identify the lawful basis for processing data (unless an exemption or derogation applies). This is within our Privacy Policy.


The lawful basis could fall into one of the following categories:

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:


(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.


(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.


(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).


(d) Vital interests: the processing is necessary to protect someone’s life.


(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.


(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)



What can go wrong?


As an organisation we are responsible for the data we hold. Much of this data is sensitive so we need to ensure that we take care of this data.


A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.



How can we reduce the risk of anything going wrong?


Ensure that we keep data safe on the schools site. This includes locking data away, locking computers, using passwords on documents etc.


Ensure data is being transported in a secure way when it is being removed off site.


Ensure that the intent with which any data is accessed and used is lawful, fair and transparent, and that it is for specified explicit and legitimate purposes.


Ensure that we protect the right of individuals. These include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.


We need to protect data to ensure it is only seen by people with the correct permission and keeping data that needs to be kept as per schools Retention Policy.



What if I think there may have been a personal data breach?

As a school we have a Data Protection Breach Notification Form (DPNF). A copy of which can be found requested by contacting the school.


You should complete the DPNF with the schools Data Controllers.


Joint Data


They will then inform the Data Protection Officer (DPO). The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.


The DPO will inform the Information Commissioner’s Office (ICO).



Contact Information


DPO Lorna Culloden 0114 2557534


ICO Telephone Number: 0303 123 1113

Data Protection Policy


  • To ensure the safety and security of any personal data belonging to either staff or students.
  • To ensure the safety of any data and information assets (data, stored in any manner, which is recognised as important or ‘valuable’ – not just in financial terms) that is important to the secure running of the school.
  • To ensure the minimisation of security risks and that any loss of data is appropriately logged and dealt with.

This policy complies with the terms of the 1998 Data Protection Act, and any subsequent relevant legislation, to ensure personal data is treated in a manner that is fair and lawful.

This policy is to be used in conjunction with the school’s Internet Use Policy.

1. Data Gathering

  • All personal data relating to staff, pupils or other people with whom we have contact, whether held on computer or in paper files, are covered by the Act.
  • Only relevant personal data may be collected and the person from whom it is collected should be informed of the data’s intended use and any possible disclosures of the information that may be made.

2. Data Storage

  • Personal data will be stored in a secure and safe manner.
  • All data on the server is password protected.
  • Electronic data will be protected by standard password and firewall systems operated by the school.
  • Computer workstations in administrative areas will be positioned so that they are not visible to casual observers waiting either in the office or at the reception hatch.
  • Manual data will be stored where it not accessible to anyone who does not have a legitimate reason to view or process that data.
  • Particular attention will be paid to the need for security of sensitive personal data.
  • Server back-up discs are kept securely in a locked filing cabinet.

3. Data encryption

  • Portable and mobile devices (including media) used to store and transmit data protected information, should be protected using approved encryption software.
  • When sensitive or personal data is required by an authorised user from outside the school’s premises (for example, by a member of staff to work from their home), they should have secure remote access to the management information system or learning platform
  • If secure remote access is not possible, users must only remove or copy personal or sensitive data from the organisation or authorised premises if the storage media, portable or mobile device (e.g. laptop, memory stick) is encrypted and is transported securely for storage in a secure location
  • Users must securely delete personal or sensitive data when it is no longer required.
  • The school will also encrypt personal data that is transmitted between systems, applications or locations (known as data in transit). Secure transmission of data relies on encryption, authorisation and authentication.

4. Potential security risks and logging of data loss

  • Only named staff have access to protected data
  • Class registers taken through SIMs – staff have limited access to data
  • SIMs and other data are backed up by the server
  • Computers in school will be kept up to date with the latest security software. Computers and systems at teachers’ homes also requires security software for them to use remote access or work or use encrypted information on mobile, media and portable devices.
  • Server password is protected – only named staff have access to it.
  • Security incidents will be logged

5. Data Checking

  • The school will issue regular reminders to staff and parents to ensure that personal data held is up-to-date and accurate.
  • Any errors discovered would be rectified and, if the incorrect information has been disclosed to a third party, any recipients informed of the corrected data.

6. Data Disclosures

  • Personal data will only be disclosed to organisations or individuals for whom consent has been given to receive the data, or organisations that have a legal right to receive the data without consent being given.

7. Responsibility for Data Protection

  • The Senior Information Risk Owner (SIRO) has the following responsibilities:They own the information risk policy and risk assessment; They appoint the Information Asset Owners (IAOs); They act as an advocate for information risk management.The named SIRO is Julie Petty.
  • The Information Asset Owner (IAO) has the following responsibilities: to know what information is held, and for what purposes; know how information will be amended or added to over time; know who has access to the data and why; know how information is retained and disposed off. The named IAO is Fiona Wilson.
  • When requests to disclose personal data are received by telephone it is the responsibility of the school to ensure the caller is entitled to receive the data and that they are who they say they are.  It is advisable to call them back, preferably via a switchboard, to ensure the possibility of fraud is minimised.
  • If a personal request is made for personal data to be disclosed it is again the responsibility of the school to ensure the caller is entitled to receive the data and that they are who they say they are.  If the person is not known personally, proof of identity should be requested.
  • Requests from parents or children for printed lists of the names of children in particular classes, which are occasionally sought at Christmas, should be politely refused as permission would be needed from all the data subjects contained in the list.  (Note: A suggestion that the child makes a list of names when all the pupils are present in class will resolve the problem.)
  • Personal data will not be used in newsletters, websites or other media without the consent of the data subject.
  • Routine consent issues will be incorporated into the school’s pupil data gathering sheets, to avoid the need for frequent, similar requests for consent being made by the school.
  • Personal data will only be disclosed to Police Officers if they are able to supply a WA170 form which notifies of a specific, legitimate need to have access to specific personal data.
  • A record should be kept of any personal data disclosed so that the recipient can be informed if the data is later found to be inaccurate.
  • Consent to take photos or display an individual’s likeness (inc. on the school’s web-site) is sought by the individual or parent if that individual is a student. These consent forms are collated and stored centrally.

 8. Subject Access Requests

  • If the school receives a written request from a data subject to see any or all personal data that the school holds about them this will be treated as a Subject Access Request and the school will respond within the 40 day deadline.
  • Informal requests to view or have copies or personal data will be dealt with wherever possible at a mutually convenient time but, in the event of any disagreement over this, the person requesting the data will be instructed to make their application in writing and the school will comply with its duty to respond within the 40 day time limit.

Comments are closed