Approved by the Governing Body: October 2022
Review Date: Autumn Term 2024
OUR LADY IMMACULATE CATHOLIC PRIMARY SCHOOL
DATA PROTECTION POLICY
1 Policy statement
1.1 Everyone has rights with regard to the way in which their personal data is handled and
as a Catholic School we place high value on the dignity of the individual in relation to
the handling of their personal data. During the course of our activities as a School we
will collect, store and process personal data about our pupils, workforce, parents and
others. This makes us a data controller in relation to that personal data.
1.2 We as a Catholic School are committed to the protection of all personal data and
special category personal data for which we are the data controller.
1.3 The School is committed to ensuring respect, objectivity, belief in the dignity of the
individual, consistency and fairness in relation to data protection within a Catholic
School.
1.4 The law imposes significant fines for failing to lawfully process and safeguard personal
data and failure to comply with this policy may result in those fines being applied.
1.5 All members of our workforce must comply with this policy when processing personal
data on our behalf. A deliberate or negligent breach of this policy may result in
disciplinary or other action.
2 About this policy
2.1 The types of personal data that we may be required to handle include information
about pupils, parents, our workforce, and others within and beyond our Catholic
community. The personal data which we hold is subject to certain legal safeguards
specified in the General Data Protection Regulation (‘GDPR’), the Data Protection Act
2018 and other regulations (together ‘Data Protection Legislation’).
2.2 This policy and any other documents referred to in it set out the basis on which we will
process any personal data we collect from data subjects, or that is provided to us by
data subjects or other sources.
2.3 This policy does not form part of any employee’s contract of employment and may be
amended at any time.
2.4 This policy sets out rules on data protection and the legal conditions that must be
satisfied when we process personal data.
3 Definition of data protection terms
3.1 All defined terms in this policy are indicated in bold text, and a list of definitions is
included in the Annex to this policy.
4 Data Protection Officer
4.1 As a School we are required to appoint a Data Protection Officer (“DPO”). Our DPO is
Marion Chute, and they can be contacted at Our Lady Immaculate Catholic Primary
School, Northumberland Terrace, Everton, Liverpool L5 3QF, Telephone Number 260
8957, Email address, m.chute@oliprimaryschool.co.uk.
4.2 The DPO is responsible for ensuring compliance with the Data Protection Legislation
and with this policy. Any questions about the operation of this policy or any concerns
that the policy has not been followed should be referred in the first instance to the
DPO.
4.3 The DPO is also the central point of contact for all data subjects and others in relation
to matters of data protection.
5 Data protection principles
5.1 Anyone processing personal data must comply with the data protection principles.
These provide that personal data must be:
5.1.1 Processed fairly and lawfully and transparently in relation to the data
subject;
5.1.2 Processed for specified, lawful purposes and in a way which is not
incompatible with those purposes;
5.1.3 Adequate, relevant and not excessive for the purpose;
5.1.4 Accurate and up to date;
5.1.5 Not kept for any longer than is necessary for the purpose; and
5.1.6 Processed securely using appropriate technical and organisational
measures.
5.2 Personal Data must also:
5.2.1 be processed in line with data subjects’ rights;
5.2.2 not be transferred to people or organisations situated in other countries
without adequate protection.
5.3 We will comply with these principles in relation to any processing of personal data by
the [Academy Trust Company/School].
6 Fair and lawful processing
6.1 Data Protection Legislation is not intended to prevent the processing of personal data,
but to ensure that it is done fairly and without adversely affecting the rights of the
data subject.
6.2 For personal data to be processed fairly, data subjects must be made aware:
6.2.1 that the personal data is being processed;
6.2.2 why the personal data is being processed;
6.2.3 what the lawful basis is for that processing (see below);
6.2.4 whether the personal data will be shared, and if so with whom;
6.2.5 the period for which the personal data will be held;
6.2.6 the existence of the data subject’s rights in relation to the processing of that
personal data; and
6.2.7 the right of the data subject to raise a complaint with the Information
Commissioner’s Office in relation to any processing.
6.3 We will only obtain such personal data as is necessary and relevant to the purpose for
which it was gathered, and will ensure that we have a lawful basis for any processing.
6.4 For personal data to be processed lawfully, it must be processed on the basis of one
of the legal grounds set out in the Data Protection Legislation. We will normally
process personal data under the following legal grounds:
6.4.1 where the processing is necessary for the performance of a contract
between us and the data subject, such as an employment contract;
6.4.2 where the processing is necessary to comply with a legal obligation that we
are subject to, (e.g. the Education Act 2011) or the school’s/academy’s
instrument of government or articles of association including the
requirements of canon law.
6.4.3 where the law otherwise allows us to process the personal data or we are
carrying out a task in the public interest; and
where we are not performing a public function and have a legitimate interest to
process the personal data.
6.4.4 where none of the above apply then we will seek the consent of the data
subject to the processing of their personal data.
6.4.5 where it is in anyone’s vital interests to process personal data.
6.5 When special category personal data is being processed then an additional legal
ground must apply to that processing. We will normally only process special category
personal data under the following legal grounds:
6.5.1 where the processing is necessary for employment law purposes, for
example in relation to sickness absence;
6.5.2 where the processing is necessary for reasons of substantial public interest,
for example for the purposes of equality of opportunity and treatment;
6.5.3 where the processing is necessary for health or social care purposes, for
example in relation to pupils with medical conditions or disabilities;
6.5.4 where the purpose of the processing is for archiving, or historical research
and statistical purposes; and
6.5.5 where none of the above apply then we will seek the consent of the data
subject to the processing of their special category personal data.
6.6 We will inform data subjects of the above matters by way of all of our appropriate
privacy notices which shall be provided to them when we collect the data or as soon
as possible thereafter, unless we have already provided this information such as at the
time when a pupil joins us.
6.7 If any data user is in doubt as to whether they can use any personal data for any
purpose then they must contact the DPO before doing so.
Vital Interests
6.8 There may be circumstances where it is considered necessary to process personal data
or special category personal data in order to protect the vital interests of a data
subject. This might include medical emergencies where the data subject is not in a
position to give consent to the processing. We believe that this will only occur in very
specific and limited circumstances. In such circumstances we would usually seek to
consult with the DPO in advance, although there may be emergency situations where
this does not occur.
Consent
6.9 Where none of the other bases for processing set out above apply then the school
must seek the consent of the data subject before processing any personal data for any
purpose.
6.10 There are strict legal requirements in relation to the form of consent that must be
obtained from data subjects.
6.11 When pupils and/or our Workforce join the [Academy Trust Company/School] a
consent form will be required to be completed in relation to them. This consent form
deals with the taking and use of photographs and videos of them, amongst other
things. Where appropriate third parties may also be required to complete a consent
form.
6.12 In relation to all pupils under the age of 12 years old we will seek consent from an
individual with parental responsibility for that pupil.
6.13 If consent is required for any other processing of personal data of any data subject then
the form of this consent must:
6.13.1 Inform the data subject of exactly what we intend to do with their personal
data;
6.13.2 Require them to positively confirm that they consent – we cannot ask them
to opt-out rather than opt-in; and
6.13.3 Inform the data subject of how they can withdraw their consent.
6.14 Any consent must be freely given, which means that we cannot make the provision of
any goods or services or other matter conditional on a data subject giving their
consent.
6.15 The DPO must always be consulted in relation to any consent form before consent is
obtained.
6.16 A record must always be kept of any consent, including how it was obtained and when.
7 Processing for limited purposes
7.1 In the course of our activities as a School, we may collect and process the personal
data set out in our Schedule of Processing Activities. This may include personal data
we receive directly from a data subject (for example, by completing forms or by
corresponding with us by mail, phone, email or otherwise) and personal data we
receive from other sources (including, for example, local authorities, Catholic parishes,
the diocese and the Trustees, other schools, parents, other pupils or members of our
Catholic community and workforce).
7.2 We will only process personal data for the specific purposes set out in our Schedule of
Processing Activities or for any other purposes specifically permitted by Data
Protection Legislation or for which specific consent has been provided by the data
subject.
8 Notifying data subjects
8.1 If we collect personal data directly from data subjects, we will inform them about:
8.1.1 our identity and contact details as Data Controller and those of the DPO;
8.1.2 the purpose or purposes and legal basis for which we intend to process that
personal data;
8.1.3 the types of third parties, if any, with which we will share or to which we
will disclose that personal data;
8.1.4 whether the personal data will be transferred outside the European
Economic Area (‘EEA’) and if so the safeguards in place;
8.1.5 the period for which their personal data will be stored, by reference to our
Retention and Destruction Policy;
8.1.6 the existence of any automated decision making in the processing of the
personal data along with the significance and envisaged consequences of
the processing and the right to object to such decision making; and
8.1.7 the rights of the data subject to object to or limit processing, request
information, request deletion of information or lodge a complaint with the
Information Commissioner’s Office (ICO).
8.2 Unless we have already informed data subjects that we will be obtaining information
about them from third parties (for example in our privacy notices), then if we receive
personal data about a data subject from other sources, we will provide the data subject
with the above information as soon as possible thereafter, informing them of where
the personal data was obtained from.
9 Adequate, relevant and non-excessive processing
9.1 We will only collect personal data to the extent that it is required for the specific
purpose notified to the data subject, unless otherwise permitted by Data Protection
Legislation.
10 Accurate data
10.1 We will ensure that personal data we hold is accurate and kept up to date.
10.2 We will take reasonable steps to destroy or amend inaccurate or out-of-date data.
10.3 Data subjects have a right to have any inaccurate personal data rectified. See further
below in relation to the exercise of this right.
11 Timely processing
11.1 We will not keep personal data longer than is necessary for the purpose or purposes
for which they were collected. We will take all reasonable steps to destroy, or erase
from our systems, all personal data which is no longer required.
12 Processing in line with data subject’s rights
12.1 We will process all personal data in line with data subjects’ rights, in particular their
right to:
12.1.1 request access to any personal data we hold about them;
12.1.2 object to the processing of their personal data, including the right to object
to direct marketing;
12.1.3 have inaccurate or incomplete personal data about them rectified;
12.1.4 restrict processing of their personal data;
12.1.5 have personal data we hold about them erased;
12.1.6 have their personal data transferred; and
12.1.7 object to the making of decisions about them by automated means.
The Right of Access to Personal Data
12.2 Data subjects may request access to all personal data we hold about them. Such
requests will be considered in line with the School’s Subject Access Request Procedure.
A copy of this procedure is available on request.
The Right to Object
12.3 In certain circumstances data subjects may object to us processing their personal data.
This right may be exercised in relation to processing that we are undertaking on the
basis of a legitimate interest or in pursuit of a statutory function or task carried out in
the public interest.
12.4 An objection to processing does not have to be complied with where the school can
demonstrate compelling legitimate grounds which override the rights of the data
subject.
12.5 Such considerations are complex and must always be referred to the DPO upon receipt
of the request to exercise this right.
12.6 In respect of direct marketing any objection to processing must be complied with.
12.7 The School is not however obliged to comply with a request where the personal data
is required in relation to any claim or legal proceedings.
The Right to Rectification
12.8 If a data subject informs the School that personal data held about them by the School
is inaccurate or incomplete then we will consider that request and provide a response
within one month.
12.9 If we consider the issue to be too complex to resolve within that period then we may
extend the response period by a further two months. If this is necessary then we will
inform the data subject within one month of their request that this is the case.
12.10 We may determine that any changes proposed by the data subject should not be made.
If this is the case then we will explain to the data subject why this is the case. In those
circumstances we will inform the data subject of their right to complain to the ICO at
the time that we inform them of our decision in relation to their request.
The Right to Restrict Processing
12.11 Data subjects have a right to “block” or suppress the processing of personal data. This
means that the School can continue to hold the personal data but not do anything else
with it.
12.12 The School must restrict the processing of personal data:
12.12.1 Where it is in the process of considering a request for personal data to be
rectified (see above);
12.12.2 Where the School is in the process of considering an objection to processing
by a data subject;
12.12.3 Where the processing is unlawful but the data subject has asked the School
not to delete the personal data; and
12.12.4 Where the School no longer needs the personal data but the data subject
has asked the School not to delete the personal data because they need it
in relation to a legal claim, including any potential claim against the School.
12.13 If the School has shared the relevant personal data with any other organisation then
we will contact those organisations to inform them of any restriction, unless this
proves impossible or involves a disproportionate effort.
12.14 The DPO must be consulted in relation to requests under this right.
The Right to Be Forgotten
12.15 Data subjects have a right to have personal data about them held by the School erased
only in the following circumstances:
12.15.1 Where the personal data is no longer necessary for the purpose for which it
was originally collected;
12.15.2 When a data subject withdraws consent – which will apply only where the
School is relying on the individual’s consent to the processing in the first
place;
12.15.3 When a data subject objects to the processing and there is no overriding
legitimate interest to continue that processing – see above in relation to the
right to object;
12.15.4 Where the processing of the personal data is otherwise unlawful;
12.15.5 When it is necessary to erase the personal data to comply with a legal
obligation; and
12.16 The School is not required to comply with a request by a data subject to erase their
personal data if the processing is taking place:
12.16.1 To exercise the right of freedom of expression or information;
12.16.2 To comply with a legal obligation for the performance of a task in the public
interest or in accordance with the law;
12.16.3 For public health purposes in the public interest;
12.16.4 For archiving purposes in the public interest, research or statistical purposes;
or
12.16.5 In relation to a legal claim.
12.17 If the School has shared the relevant personal data with any other organisation then
we will contact those organisations to inform them of any erasure, unless this proves
impossible or involves a disproportionate effort.
12.18 The DPO must be consulted in relation to requests under this right.
Right to Data Portability
12.19 In limited circumstances a data subject has a right to receive their personal data in a
machine readable format, and to have this transferred to other organisations.
12.20 If such a request is made then the DPO must be consulted.
13 Data security
13.1 We will take appropriate security measures against unlawful or unauthorised
processing of personal data, and against the accidental loss of, or damage to, personal
data.
13.2 We will put in place procedures and technologies to maintain the security of all personal
data from the point of collection to the point of destruction.
13.3 Security procedures include:
13.3.1 Entry controls. Areas which store confidential data have access control
points fitted to all doors. Fob access is restricted to school staff and visitors
to these areas should not be left unaccompanied once in these areas.
Strangers seen in entry-controlled areas should be reported to Marion
Chute. Archived data stored under the school’s retention policy is kept in
locked cupboards and keys are restricted to those personnel who require
access to this information.
13.3.2 Secure lockable desks and cupboards. Desks and cupboards should be kept
locked if they hold confidential information of any kind. (Personal
information is always considered confidential.)
13.3.3 Methods of disposal. Paper documents should be shredded. Digital storage
devices should be physically destroyed when they are no longer required.
IT assets must be disposed of in accordance with the Information
Commissioner’s Office guidance on the disposal of IT assets.
13.3.4 Equipment. Data users must ensure that individual monitors do not show
confidential information to passers-by and that they log off from their PC
when it is left unattended.
13.3.5 Working away from the school premises – paper documents. These should
not be removed from the school premises unless absolutely necessary to
the operation of the staff member’s duties, e.g. attending a case
conference/LAC meeting and providing reports. Where they are removed
they should be held in GDPR compliant folders and all paperwork should be
returned to school without exception.
13.3.6 Working away from the school premises – electronic working. All staff should
use their OneDrive storage on their Office 365 account for all
documents; this facilitates working from home. Secure links should likewise
be used to share information with colleagues.
Staff should not use portable data pens for the transportation of data.
13.3.7 Document printing. Documents containing personal data must be collected
immediately from printers and not left on photocopiers.
13.3.8 Office 365. All staff are provided with an O365 password protected account
for their email, calendar and storage of documents. There is also a shared
calendar and OneDrive account across staff. These accounts should be
protected at all costs: they should not be left logged in, and passwords should
not be saved to PCs, as this could allow unauthorised access to the school’s
systems.
13.4 Any member of staff found to be in breach of the above security measures may be
subject to disciplinary action.
14 Data Protection Impact Assessments
14.1 The School takes data protection very seriously, and will consider and comply with the
requirements of Data Protection Legislation in relation to all of its activities whenever
these involve the use of personal data, in accordance with the principles of data
protection by design and default.
14.2 In certain circumstances the law requires us to carry out detailed assessments of
proposed processing. This includes where we intend to use new technologies which
might pose a high risk to the rights of data subjects because of the types of data we
will be processing or the way that we intend to do so.
14.3 The School will complete an assessment of any such proposed processing and has a
template document which ensures that all relevant matters are considered.
14.4 The DPO should always be consulted as to whether a data protection impact assessment
is required, and if so how to undertake that assessment.
15 Disclosure and sharing of personal information
15.1 We may share personal data that we hold about data subjects, and without their
consent, with other organisations. Such organisations include the Department for
Education, [and/or Education and Skills Funding Agency “ESFA”], Ofsted, health
authorities and professionals, the Local Authority, examination bodies, other schools,
The Diocese and the Trustees and other organisations where we have a lawful basis
for doing so.
15.2 The School will inform data subjects of any sharing of their personal data unless we are
not legally required to do so, for example where personal data is shared with the police
in the investigation of a criminal offence.
15.3 In some circumstances we will not share safeguarding information. Please refer to our
Child Protection Policy.
15.4 Further detail is provided in our Schedule of Processing Activities.
16 Data Processors
16.1 We contract with various organisations who provide services to the School, including:
16.1.1 School Improvement Liverpool – school support
Liverpool City Council – Various services including payroll provision
NHS – Health care and advice to pupils and families
Liverpool Social Service
Family Support Worker
More,,,,,
16.2 In order that these services can be provided effectively we are required to transfer
personal data of data subjects to these data processors.
16.3 Personal data will only be transferred to a data processor if they agree to comply with
our procedures and policies in relation to data security, or if they put in place adequate
measures themselves to the satisfaction of the School. The School will always
undertake due diligence of any data processor before transferring the personal data
of data subjects to them.
16.4 Contracts with data processors will comply with Data Protection Legislation and contain
explicit obligations on the data processor to ensure compliance with the Data
Protection Legislation, and compliance with the rights of Data Subjects.
17 Images and Videos
17.1 Parents and others attending School events are allowed to take photographs and videos
of those events for domestic purposes. For example, parents can take video
recordings of a school performance involving their child. The School does not prohibit
this as a matter of policy.
17.2 The School does not however agree to any such photographs or videos being used for
any other purpose, but acknowledges that such matters are, for the most part, outside
of the ability of the School to prevent.
17.3 The School asks that parents and others do not post any images or videos which include
any child other than their own child on any social media or otherwise publish those
images or videos.
17.4 As a Catholic School we want to celebrate the achievements of our pupils and therefore
may want to use images and videos of our pupils within promotional materials, or for
publication in the media such as local, or even national, newspapers covering school
events or achievements. We will seek the consent of pupils, and their parents where
appropriate, before allowing the use of images or videos of pupils for such purposes.
17.5 Whenever a pupil begins their attendance at the School they, or their parent where
appropriate, will be asked to complete a consent form in relation to the use of images
and videos of that pupil. We will not use images or videos of pupils for any purpose
where we do not have consent.
18 CCTV
18.1 The School operates a CCTV system. Please refer to the School CCTV Policy.
19 Changes to this policy
We may change this policy at any time. Where appropriate, we will notify data subjects of
those changes.