DATA PROTECTION + INFORMATION SECURITY POLICY

 

1. INTRODUCTION

This policy applies to all personal data held by the Day One Trust (DOT). It encompasses paper records and data held on computer and associated equipment, including CCTV, of whatever type and at whatever location, used by or on behalf of DOT.

The governors have designated the Finance & Operations Director (the Data Controller) as the person who has overall responsibility for compliance with the Data Protection Act 1998.

Under the 1998 Act, all organisations that process personal information are required to notify the Information Commissioner's Office. DOT’s notification describes the various types of processing of personal information and defines the persons or bodies to which the information may be disclosed. Full details of the notification can be found at http://www.dpr.gov.uk/search.html. Our registration number is ICO: 00041486841.

The obligations outlined in this policy apply to all those who have access to personal data, whether they are employees, governors, employees of associated organisations, self-employed contractors or consultants or temporary staff. It includes those who work at home or from home, who must follow the same procedures as they would in an office environment. 

Any individual who knowingly or recklessly processes data for purposes other than those for which it is intended or makes an unauthorised disclosure is liable to prosecution. All individuals permitted to access personal data must agree to comply with this policy. 

This policy should be read in conjunction with DOT’s ICT Policy.


2. POLICY STATEMENT

2.1 COMPLIANCE

DOT will comply with the terms of the Data Protection Act 1998 and any subsequent relevant legislation, to ensure personal data is treated in a manner that is fair and lawful by following the eight enforceable principles of good practice contained in the Data Protection Act 1998. These state that personal data must be:

  • Fairly and lawfully processed;  

  • Obtained only for one or more specified and lawful purposes;  

  • Adequate, relevant and not excessive in relation to the purpose for which it is processed;

  • Accurate and kept up to date;

  • Not kept for longer than is necessary;  

  • Processed in accordance with the data subject’s rights;  

  • Adequately safeguarded;

  • Not transferred to a country outside the EEC unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2.2 DATA SUBJECTS

The person/s about whom such data is held have the following rights:  

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed;

  • To prevent processing likely to cause damage or distress; 

  • To prevent processing for purposes of direct marketing;

  • To be informed about the mechanics of any automated decision-taking process that will significantly affect them;

  • Not to have significant decisions that will affect them taken solely by an automated process;

  • To take action for compensation if they suffer damage by any contravention of the Act;

  • To take action to rectify, block, erase or destroy inaccurate data;

  • To request the Commissioner to assess whether any provision of the Act has been contravened.

It is an offence to process personal data except in strict accordance with the eight principles of data protection and the rights of data subjects. Further information on the Data Protection Act can be found at http://www.dataprotection.gov.uk/.

2.3 DATA GATHERING

Only relevant personal data may be collected and the person from whom it is collected will be informed why the data is being collected, of the data’s intended use and any possible disclosures of the information that may be made. Privacy notices will be issued to all persons from whom personal data is collected. Two versions will be used – one in respect of students’ personal data and the other in respect of all other personal data. These are appended to this policy.

2.4 PROCESSING

All processing of personal data will comply with the Data Protection Principles as defined in the Data Protection Act 1998. In the situation where data is processed by a third party, the third party will be required to act in a manner that ensures compliance with the Data Protection Act 1998. 

Data will only be processed for the purpose for which it was collected and will not be used for incompatible purposes without the consent of the data subject.

2.5 DATA STORAGE 

DOT will hold the minimum amount of personal data necessary to enable it to perform its functions. The data will be erased once the need to hold it has passed. 

DOT will store personal data in a secure and safe manner.

Electronic data will be protected by standard password and firewall systems operated by DOT. 

Personal data, the loss of which could cause damage or distress to individuals, which is used or stored on portable or mobile devices will be encrypted using encryption software which meets the current standard or equivalent. This applies to all laptop computers and portable memory devices (including memory sticks etc.).

Computer workstations in administrative areas will be positioned so that they are not visible to casual observers. 

Manual data will be stored where it is not accessible to anyone who does not have a legitimate reason to view or process that data. 

Particular attention will be paid to the need for security of sensitive personal data.

2.6 DATA CHECKING

DOT will issue regular reminders to staff and parents/carers to ensure that personal data held is up-to-date and accurate. Any errors discovered will be rectified and, if the incorrect information has been disclosed to a third party, any recipients informed of the corrected data.

2.7 DATA DISCLOSURES

Personal data will only be disclosed to organisations or individuals for whom consent has been given to receive the data, or organisations that have a legal right to receive the data without consent being given. 

When requests to disclose personal data are received by telephone, it is the responsibility of the member of staff taking the call to ensure the caller is entitled to receive the data and that they are who they say they are. It is advisable to call them back, preferably via a switchboard, to ensure the possibility of fraud is minimised.

If a personal request is made for personal data to be disclosed, it is again the responsibility of the member of staff to ensure the caller is entitled to receive the data and that they are who they say they are. If the person is not known personally, proof of identity should be requested.

Requests from parents/carers or students for printed lists of the names of students in particular groups should be politely refused, as permission would be needed from all the data subjects contained in the list.

Personal data will not be used in newsletters, websites or other media without the consent of the data subject. 

Routine consent issues will be incorporated into DOT’s student data gathering sheets, to avoid the need for frequent, similar requests for consent being made by DOT. 

Personal data will only be disclosed to Police Officers if they are able to supply a relevant document which sets out a specific, legitimate need to have access to specific personal data.

A record will be kept of any personal data disclosed so that the recipient can be informed if the data is later found to be inaccurate. 

2.8 SUBJECT ACCESS REQUESTS

If DOT receives a written request from a data subject to see any or all personal data that DOT holds about them, this will be treated as a legitimate Subject Access Request and DOT will respond within the recommended 40 calendar day deadline. If the request is for access to Educational Records, the deadline for responding is 15 school days.

Informal requests to view or have copies of personal data will be dealt with wherever possible at a mutually convenient time but, in the event of any disagreement over this, the person requesting the data will be instructed to make their application in writing and DOT will comply with its duty to respond within the statutory time limit. 

Data Protection statements will be included in the DOT prospectus and on all forms that are used to collect personal data.


3. CONFIDENTIALITY + SECURITY

Personal data is confidential and confidentiality must be preserved in compliance with the Data Protection Principles as defined in the Data Protection Act 1998. 

Paper records will be managed so that access is restricted to those who need to use the information and stored in secure locations to prevent unauthorised access. 

Computer systems will be designed and computer files created with adequate security levels to preserve confidentiality. Those who use DOT’s computer equipment will have access only to the data that is both necessary for the work they are doing and held for carrying out that work.


4. OWNERSHIP OF DATA

Each DOT Academy is responsible for the personal data that it holds. This responsibility extends to any data that is processed by a third party. The department will hold a record of all data files that it owns containing personal data, whether on paper or electronic media, and will report this to the Finance & Operations Director to facilitate the notification of the data to the Information Commissioner.


5. TRAINING

All members of staff who work with personal data will receive appropriate training in the area of Data Protection.


6. POLICY REVIEW

This policy will be kept under review in order to keep it in line with relevant legislation and modifications, and will be reviewed and approved annually by the Governing Body.