Your responsibilities for Data Protection
Under the Data Protection Act 1998 (DPA), you have a responsibility to protect personal data. Any information you hold about a living individual that can be identified with that person must be considered as personal data. This includes information you have on pupils, employees and other workers in your school.
There are 8 principles set out in the Act you must follow i.e. that data must be:
- Obtained and processed fairly and lawfully
- Held only for specified purpose(s)
- Adequate, relevant and not excessive
- Accurate and kept up-to-date
- Held no longer than necessary
- Processed in accordance with the rights of the data subject
- Subject to appropriate security measures
- Only transferred to countries that have suitable data protection controls
Each school is a 'Data Controller' and must register the reasons for processing personal data with the Information Commissioner's Officer.
Our responsibilities
We also have a duty under the DPA to safeguard personal data that we hold on your employees and other workers. The particular measures we take to do this include:
- Holding all personnel files electronically with access limited to our staff
- Scanning documentation when received in our offices and allocating these electronically for processing. Scanned documents are securely destroyed after 3 months
- Not releasing personal information over the phone unless we can be certain of the identify of the caller and that they are entitled to the information
- Only responding to non-statutory requests for information from a third party (e.g. mortgage lender) once we have the individual's signed authorisation.
- Not transmitting personal information by fax or unsecured email unless the individual's identity can be protected.
- Adhering to KCC policy and procedures on data security including transportation of personal information and encryption of laptops.
- Using a secure system for Criminal Records Bureau (CRB) Disclosure applications and messaging service.
- Handling and storing all Disclosure information strictly in accordance with the CRB's code of practice and e-bulk requirements.
Privacy Notice
Formally known as a 'fair processing notice', individuals must be provided with a privacy notice to advise them what we will do with their data. New employees should be issued with a privacy notice, by the school, based on the Department for Children, Schools, and Families (DCSF) standard notice as available on Kent Trust Web. In addition, a privacy notice should be included on application for employment forms and we also include a notice with our contracts of employment for school staff and in our online CRB Disclosure application process.
Request for personal information
Individuals are entitled to ask for copies of information held on them and you may adopt an informal 'open access' approach where employees can ask to see their own files and computer records etc. This may not always be possible where certain data is held (e.g. information disclosed confidentially by a third party) and the employee will need to be asked to make a formal request. This is known as a Subject Access Request (SAR) under the DPA and must be responded to within 40 calendar days of receipt.
Once an SAR is received you must not process any further data on the individual's records (e.g. remove documents) until you have complied with the request. In principle, employees have a right to receive a copy of everything held on them but there are certain exceptions to this although these must be capable of withstanding a legal challenge.
A record of access provided to data needs to be kept for both formal and informal requests. A standard form can be used to record this, such as the one used by KCC.
Disclosure Summary
Where we receive SARs we sometimes respond to these without the need to contact you. If a case file is held by a Personnel Consultant on the employee then we may need to discuss with you the information that we are releasing and what needs to be redacted or withheld.
You need to take care in any communications that you do not state anything about the individual, yourself or others that you would not want to be revealed to them as we may not be able to redact this. This is particularly true of emails where an informal style is often adopted.
Requests from third parties
Information on individuals may be requested by certain Government Departments or Statutory Bodies. We are dealing with these requests all the time and, provided we are satisfied that the requestor has a statutory entitlement to the information, we will generally release this without reference to the school or the individual. In some cases this may be for the purposes of the prevention and detection of crime and it is best to involve as few people as possible to avoid the individual becoming aware they are under investigation.
On some occasions it's not possible for us to complete all the information required by a government department and we will complete as much as we are able before sending the request on to you. This is often the case with Benefits Agency forms where we are unable to authorise this on your behalf.
Further information
Further information on all aspects of the DPA and guidance for schools can be obtained from Kent Trust Web and the Information Commissioners websites.
For any queries about our Data Protection practices then please contact Karen Watson at karen.watson@kent.gov.uk. Other queries about Data Protection should be referred to the Access to Information Co-ordinator, Michelle Hunt, at michelle.hunt@kent.gov.uk or the Access to Records Officer, Debbie Percival, at Debbie.percival@kent.gov.uk.
Links to other sites