Data Protection - GDPR
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. It will apply from 25 May 2018 to organisations that process or handle personal data, including schools.
It's similar to the Data Protection Act (DPA) 1998 in many ways. Most of the differences involve the GDPR building on or strengthening the principles of the DPA.
Article 5, in chapter 2 (page 117), sets out six principles of data processing. These say that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
- Accurate and kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed
- Processed in a way that ensures appropriate security of personal data.
What is GDPR?
In the UK, GDPR replaced the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules. It also ensures data protection law is almost identical across the EU.
The Data Protection Act 1998 (‘DPA 1998’) applied to the way schools and trusts handled personal data. Most schools and trusts were familiar with the general requirements of the DPA 1998, for example, the circumstances when they could disclose personal data and what to do if a person submitted a subject access request.
In May 2018, the DPA 1998 was replaced by the General Data Protection Regulations which is often referred to as the ‘GDPR’. Although many of the principles remain the same as the DPA 1998, there are some important changes which affect the way we process data.
In general terms, the GDPR places more emphasis on transparency, accountability and record keeping.
Why do we need it?
The update to Data Protection legislation in many ways was long overdue as the 1998 Act pre-dates Facebook, Twitter and all social media. It is hard to remember, or believe, that in 1998 mobile phones were limited to making and receiving calls, and text messaging that was charged by each character. Email was being used, but not every organisation had email addresses and hard copy documents were the mainstay of storage and records.
iPhones, smart phones, tablets were yet to come. Access to the internet was limited and actually required a physical dial up. There was no 4G or wireless hotspots for casting communication and Google went live in 1998 - the same year as the DPA.
The Data Protection Act was fit for purpose then, but all of the changes in the last 19 years mean that a new framework was essential.
Compliance with the Data Protection Act principles in the UK is largely the responsibility of the Information
Commissioner. The Information Commissioner’s Office (ICO) is the regulatory and supervisory authority. The ICO has the ability to provide advice, undertake audits, access information, impose sanctions and penalties.
What does this mean for Schools?
Schools process a lot of personal data relating to pupils and staff in order to carry out its functions. They also acquire personal data relating to other people including, for example, parents / carers, local governors, trustees, members of the local community, suppliers, contractors and consultants. It is therefore important that all schools ensure they handle personal data carefully and legally.
Our Multi-Academy Trust’s View
The Orchard Learning Alliance and our schools are committed to protecting the privacy and security of personal information and being transparent about the way in which we use the information we hold. It is our responsibility to make sure we, and our schools, are handling and treating information carefully and legally.
The Orchard Learning Alliance has a dedicated page on the website that covers the Trust’s approach to GDPR and how, as a group of schools, we ensure compliance and develop a culture of data security and awareness. To access this information, please visit: www.orchardlearningalliance.com
Our School
Our school collects a lot of data and information about our pupils, staff parents and carers so that we can run effectively as a school. In our documentation, we explain how and why we collect certain data, what we do with it and what rights parents and pupils have.
Key Information
This School is a school within the Orchard Learning Alliance Multi-Academy Trust (OLA MAT). OLA MAT is a charitable company limited by guarantee (registration number 09620043) whose registered office is Waingels Road, Woodley, Reading, Berkshire, RG5 4RF.
OLA MAT is the Data Controller for all the schools within the Trust.
The Data Protection Officers for the OLA MAT are:
Tom Bartlett
Chief Executive Officer
dpo@orchardlearningalliance.com
The Data Protection Lead at South Lake Primary School is
NAME Leslie Vallance
ROLE School Business Manager
EMAIL admin@southlake.wokingham.sch.uk