OUR LADY’S CATHOLIC PRIMARY SCHOOL
Data Protection Policy
Our Lady's School is founded on faith in Jesus Christ and the life of the school community is centred on His presence.
The Data Protection Act 1998 came into force on 1st March 2000. It sets out what can and what cannot be done with personal data, that is, information about living individuals. Our Lady’s Primary School is placed under a legal obligation to comply with the provisions of this Act. Our Lady’s Primary School needs to collect and use certain types of information about people with whom it deals in order to operate effectively. These include pupils, parents, guardians, staff, governors, suppliers and others with whom it communicates. In addition, it is required by law to collect and use certain types of information to comply with the requirements of government departments.
This personal information must be dealt with properly and securely regardless of what method is used for its collection, recording or use – whether this is paper, a computer system or any other material. There are safeguards to ensure that the processing of such information is carried out in a proper fashion and these are contained in the Act. This policy does not seek to convey the whole legislation to its readers, rather to acquaint them with the main provisions and to demonstrate that Our Lady’s Primary School has a commitment to those provisions. Further detailed information relating to data protection legislation can be obtained from the Kent Trust Web site: http://www.kenttrustweb.org.uk/Policy/dpfoi_data.cfm
Our Lady’s Primary School regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions and to maintaining confidence between those with whom we deal and ourselves. We ensure that our school treats personal information lawfully and fairly.
Data Protection Standards
Our Lady’s Primary School will, through appropriate management and adherence to agreed procedures:
Observe fully the conditions relating to the fair collection and lawful use of personal information.
Meet its legal obligations to specify the purposes for which the information is used.
Collect and process appropriate information but only that which is necessary to its operational needs or meet its legal requirements.
Ensure the quality of information used.
We will for help to achieve this by keeping us informed of any changes to the information we hold about them.
Apply strict checks to determine the length of time information is held and to ensure that it will be disposed of when no longer required with due regard for its sensitivity.
Our Lady’s Primary School will ensure that:
the Head Teacher holds specific responsibility for data protection within the school
everyone managing and handling personal information understands that they are responsible for following good data protection practice
everyone managing and handling personal information is appropriately trained to do so
everyone managing and handling personal information is appropriately supervised
anyone wanting to make enquiries about handling personal information knows what to do
queries about handling personal information are dealt with promptly and courteously
methods of handling personal information are regularly assessed and evaluated
records of personal information will not be kept for longer than is necessary, and will follow the guidance on records retention issued by the local authority.
All staff are encouraged to become familiar with and refer to the Kent Data Protection for staff guidance document for further information. Appendix 1 of this policy contains guidance for protecting data when working at home.
Homeworking - Data Protection Guidance, December 2004
The Data Protection Act 1998 is a law which governs the use of information that can identify individuals. This does not only apply to particularly sensitive information, and can be as little as name and address. The Act requires data controllers to have in place adequate security precautions to prevent unauthorised access, alteration or disclosure of personal information and to guard against its deliberate or accidental loss or destruction. The responsibility for individuals’ data held by KCC extends to all work undertaken on behalf of the organisation by employees whether office based, mobile or home-based.
An increasing number of staff work at home either as part of their agreed working arrangements or on an ad-hoc basis according to work demands and individual preference.
This guidance has been produced to ensure those employees who work at home are aware of the security precautions required to protect the sensitive data they handle. All managers must ensure that staff for whom they are responsible who process personal data receive education and training in data protection issues and have up to date knowledge in this area.
Employees must ensure that to the best of their knowledge the personal data held on their equipment or in paper files is as accurate as possible, relevant, up to date and not kept longer than is necessary. Individuals from whom data is collected must be informed as to the purposes for which the data will be retained and used, including how it will be held and shared. They must be made aware of their rights to have access to their records and to comment on or correct inaccuracies. They must be informed of how to complain if they are unhappy with the way in which their information or their requests for access are handled.
Information that can identify individuals must be
HELD - securely and confidentially
OBTAINED - fairly and efficiently
RECORDED - accurately and reliably
USED - fairly and ethically
SHARED - appropriately and lawfully.
All employees are responsible for reporting any breaches of security to their line manager.
Employees using KCC computers at home should ensure that normal security measures are followed to protect data and that up-to-date virus checking software is installed. PCs and laptops should be sited away from prying eyes and secured where possible. They should not be left where visitors to the house can easily access them. Back-ups of the data should be taken at regular intervals and not stored with the computer. If there are no back-ups and the equipment were to be stolen the information would be lost. When employees leave and their equipment is re-assigned elsewhere the information should be uploaded as necessary and deleted from the PC so as not to breach confidentiality.
KCC computers are password protected to ensure that only those with authorisation can gain access to the system. To further minimise security risk passwords should not be shared with colleagues, other members of the household or anyone else and should also be changed frequently to protect the system and its data.
It is not recommended that home computers are used for the production of KCC documents, particularly when individuals can be identified and the data about them may be sensitive. Personal PCs should only be used if they have up to date virus protection software installed on them, and only if no other members of the household have access to the PC. Any documents produced on home computers should be stored only on disk or USB devices such as memory sticks and not on the hard drive. If any information has been stored on the hard drive employees must ensure that the hard disk is reformatted, cleared using a suitable programme or destroyed prior to selling the equipment. Disks or memory sticks used to produce documents at home may be brought into work and used on KCC computers provided they have been virus checked first.
Personal Email Facilities
Using a personal internet service provider to send documents to or from KCC is strongly discouraged although it is recognised that this is a practice that may be necessary in some circumstances. Personal or sensitive information should not be sent by email using personal email facilities to or from home as the security of the data cannot be guaranteed. The only exception to this is if it is necessary for the purpose of protecting a vulnerable person.
Employees must ensure that no other members of the household have access to their emails. The employee will be held personally responsible (under the Misuse of Computers Act) for any loss of confidential data from their PC or across the network.
Home Work Area Security
Incidental access to KCC data can be avoided by using appropriate precautions in the work area at home. PCs should be shut down when the work area is left unattended to ensure the system is secure at all times. When a PC or information is left unattended, doors/windows must be secured.
Manual information stored at home that identifies individuals must be kept in a locked facility if left unattended and should, under no circumstances, be made available to or shared with anyone other than appropriate KCC employees. Manual information includes all paper files, printouts, correspondence, bank statements, etc., which identify individuals.
When transporting client data between home and client premises, or between home and other locations, employees should take all reasonable steps to ensure that data security is maintained. For example, data should be transported in such a way as to minimise the opportunity of destruction or loss by ensuring vehicles used to transport the data are locked if left unattended and any passengers do not have access to it. Ideally information (including laptop computers that contain sensitive data) should always be transported in the boot of the vehicle and should not be left in unattended vehicles.
Disposal of Personal Information
Personal data should not be retained at home for longer than is necessary. Care should be taken when disposing of documents containing personal data at home. Such documents must be shredded or disposed of in such a way that prevents access by others. Placing data in a waste bin is not a secure means of disposal and is unacceptable. If shredding facilities are not available at home then this should be done in a KCC office.
Privacy and Confidentiality
The Data Protection legislation requires those who record and use personal information to be open about that use and to follow sound and proper practices. All employees must be discreet with personal data at all times. This includes being aware that they have a responsibility to protect the privacy of individuals when holding conversations in public places, making telephone calls, sending faxes, etc. Any uses of personal information must be justified - therefore personal information must not be divulged to anyone who doesn’t have a legitimate need to know and it must only be disclosed for authorised purposes.
Compliance with this guidance is essential for KCC employees who work at home as individuals can be held accountable for breaches of the Data Protection Act. Failure to ensure appropriate security of the data could place the organisation and the individual at risk of prosecution under the Data Protection Act 1998.