Data Protection Policy

1.0 Introduction
1.1 The Academy’s Data Protection Policy has been produced to ensure compliance with the Data Protection Act 2018 (DPA), GDPR and associated legislation, and it incorporates guidance from the Information Commissioner’s Office (ICO).
1.2 The DPA gives individuals rights over their personal data and protects individuals from the erroneous use of their personal data.
1.3 The Academy is registered with the ICO as a Data Controller for the processing of living individuals’ personal information.

2.0 Purpose
2.1 The Academy Data Protection Policy has been produced to ensure its compliance with the DPA 2018.
2.2 The Policy incorporates guidance from the ICO, and outlines the Academy’s overall approach to its responsibilities and individuals’ rights under the DPA 2018.

3.0 Scope
3.1 This Policy applies to all employees (including temporary, casual or agency staff and contractors, consultants and suppliers working for, or on behalf of, the Academy), third parties and others who may process personal information on behalf of the Academy.
3.2 The Policy also covers any staff and students who may be involved in research or other activity that requires them to process or have access to personal data, for instance as part of a research project or as part of professional practice activities. If this occurs, it is the responsibility of the Academy to ensure the data is processed in accordance with the DPA 1998 and that students and staff are advised about their responsibilities. In addition, the activity should be referred to the Research Ethics Committee.

4.0 Data covered by the Policy
4.1 A detailed description of this definition is available from the ICO, however briefly, personal data is information relating to an individual where the structure of the data allows the information to be accessed i.e. as part of a relevant filing system. This includes data held manually and electronically and data compiled, stored or otherwise processed by the School/Academy, or by a third party on its behalf.
4.2 Sensitive personal data is personal data consisting of information relating to:
• Racial or ethnic origin
• Political opinions, Religious beliefs or other beliefs of a similar nature
• Membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
• Physical or mental health or condition
• Sexual life
• Biometric /genetic data

5.0 The Six Data Protection Principles
5.1 The DPA 2018 requires the Academy, its staff and others who process or use any personal information must comply with the eight data protection principles.
5.2 The principles require that personal data shall:
• Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
• Be adequate, relevant and not excessive for those purposes
• Be accurate and kept up to date
• Not be kept for longer than is necessary for those purpose
• Be kept safe from unauthorised or unlawful processing and against accidental loss, destruction or damage

6.0 Responsibilities
6.1 The Academy has an appointed Data Protection Officer to handle day-to-day issues which arise, and to provide members of the Academy with guidance on Data Protection issues to ensure they are aware of their obligations.
6.2 All new members of staff will be required to complete a mandatory information governance module as part of their induction and existing staff will be requested to undertake refresher training on a regular basis.
6.3 Employees of the Academy are expected to:
• Familiarise themselves and comply with the six data protection principles
• Ensure any possession of personal data is accurate and up to date
• Ensure their own personal information is accurate and up to date
• Keep personal data for no longer than is necessary
• Ensure that any personal data they process is secure and in compliance with the Academy’s information related policies and strategies
• Acknowledge data subjects’ rights (e.g. right of access to all their personal data held by the School/Academy) under the DPA 2018, and comply with access to records
• Ensure personal data is only used for those specified purposes and is not unlawfully used for any other business that does not concern the Academy
• Obtain consent with collecting, sharing or disclosing personal data
• Contact Emma Harrison for any concerns or doubt relating to data protection to avoid any infringements of the DPA 2018.
6.4 Students, of the Academy are expected to:
• Comply with the six data protection principles
• Comply with any security procedures implemented by the Academy.

7.0 Obtaining, Disclosing and Sharing
7.1 Only personal data that is necessary for a specific Academy related business reason should be obtained.
7.2 Students are informed about how their data will be processed when they agree to the Data Processing Consent Notice upon registration.
7.3 Upon acceptance of employment at the Academy, members of staff also consent to the processing and storage of their data.
7.4 Data must be collected and stored in a secure manner.
7.5 Personal information must not be disclosed to a third party organisation without prior consent of the individual concerned. This also includes information that would confirm whether or not an individual is or has been an applicant, student or employee of the Academy.
7.6 The Academy may have a duty to disclose personal information in order to comply with legal or statutory obligation. The DPA 2018 allows the disclosure of personal data to authorised bodies, such as the police and other organisations that have a crime prevention or law enforcement function. Any requests to disclose personal data for reasons relating to national security, crime and taxation should be directed to Emma Harrison.
7.7 Personal information that is shared with third parties on a more regular basis shall be carried out under written agreement to stipulate the purview and boundaries of sharing. For circumstances where personal information would need to be shared in the case of ad hoc arrangements, sharing shall be undertaken in compliance with the DPA 2018.

8.0 Retention, Security and Disposal
8.1 Recipients responsible for the processing and management of personal data need to ensure that the data is accurate and up-to-date. If an employee, student or applicant is dissatisfied with the accuracy of their personal data, then they must inform Emma Harrison.
8.2 Personal information held in paper and electronic format shall not be retained for longer than is necessary. In accordance with principle 2 and principle 4 of the DPA 2018, personal information shall be collected and retained only for business, regulatory or legal purposes.
8.3 In accordance with the provisions of the DPA 2018, all staff whose work involves processing personal data, whether in electronic or paper format, must take personal responsibility for its secure storage and ensure appropriate measures are in place to prevent accidental loss or destruction of, or damage to, personal data.
8.4 Staff working from home will be responsible for ensuring that personal data is stored securely and is not accessible to others.
8.5 All departments should ensure that data is destroyed in accordance with the Retention Schedule when it is no longer required.
8.6 Personal data in paper format must be shredded or placed in the confidential waste bins provided. Personal data in electronic format should be deleted, and CDs and pen drives that hold personal data passed to your IT provider for safe disposal. Hardware should be appropriately degaussed in compliance with your IT service provider contract and conforms with DPA and GDPR requirements.

9.0 Transferring Personal Data
9.1 Any transfer of personal data must be done securely in line with the Academy’s Staff ICT Acceptable Use Policy.
9.2 Email communication is not always secure and sending personal data via external email should be avoided unless it is encrypted with a password provided to the recipient by separate means such as via telephone.
9.3 Care should be taken to ensure emails containing personal data are not send to unintended recipients. It is important that emails are addressed correctly and care is taken when using reply all or forwarding or copying others in to emails. Use of the blind copy facility should be considered when sending an email to multiple recipients to avoid disclosing personal information to others.
9.4 Personal email accounts should not be used to send or receive personal data for work purpose.

10.0 Data Subjects Right of Access (Subject Access Requests)
10.1 Under the DPA 2018, individuals (both staff and students) have the right of access to their personal data held by the Academy. This applies to data held in both paper and electronic format, and within a relevant filing system.
10.2 The Academy shall use its discretion under the DPA 2018 to encourage informal access at a local level to a data subject’s personal information, but it will also have a formal procedure for the processing of Subject Access Requests.
10.3 Any individual who wishes to exercise this right should make the request through submitting a Subject Access Request Form. This is available on by contacting Emma Harrison.
10.4 The Academy may not charge fee. It will only release any information upon receipt of the completed Subject Access Request Form, along with proof of identity or proof of authorisation where requests are made on the behalf of a data subject by a third party. The requested information will be provided within the statutory timescale of 1 month from receipt of the completed form.

11.0 Reporting a Data Security Breach
11.1 It is important the Academy responds to a data security breach quickly and effectively. A breach may arise from a theft, a deliberate attack on Academy systems, unauthorised use of personal data, accidental loss or equipment failure. If it relates to an IT incident (including information security) this should also be reported. Any data breach should be reported to Emma Harrison via the GDPRdatabreach@st-wilfrids.org, the Data Protection Officer at Gateshead Council will then be informed.
11.2 Any breach will be investigated in line with the procedures within the Data Breach Policy. In accordance with that Policy, the Academy will treat any breach as a serious issue. Each incident will be investigated and judged on its individual circumstances and addressed accordingly.