Data Protection Policy

Adopted with effect from: 25 May 2018

Review date: September 2019

Contents

1 Policy statement 2
2 About this policy 2
3 Definition of data protection terms 2
4 Data Protection Officer 2
5 Data protection principles 2
6 Fair and lawful processing 3
7 Processing for limited purposes 5
8 Notifying data subjects 5
9 Adequate, relevant and non-excessive processing 6
10 Accurate data 6
11 Timely processing 6
12 Processing in line with data subject’s rights 6
13 Information/data security 8
14 Data Protection Impact Assessments 8
15 Disclosure and sharing of personal information 9
16 Data processors 9
17 Images and videos 10
18 CCTV 10
19 Changes to this policy 10

1 Policy statement

1.1 Everyone has legal rights regarding the way in which their personal data is handled. Aurora Academies Trust will collect, store and process personal data about our pupils, workforce, parents and others. This makes us a data controller in relation to that personal data.
1.2 We are committed to the protection of all personal data and special category personal data for which we are the data controller.
1.3 The law imposes significant fines for failing to lawfully process and safeguard personal data and failure to comply with this policy may result in those fines being applied.
1.4 All members of our workforce must comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary or other action.

2 About this policy

2.1 The personal data which we hold is subject to certain legal safeguards specified in the General Data Protection Regulation (‘GDPR’), the Data Protection Act 1998 (expected to be amended in 2018), and other regulations (together ‘Data Protection Legislation’).
2.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. This policy sets out rules on data protection and the legal conditions that must be satisfied when we process personal data.
2.3 This policy does not form part of any employee’s contract of employment and may be amended at any time.

3 Definition of data protection terms

3.1 In this policy, Aurora Academies Trust is referred to as “we” or “us”. This includes all schools within Aurora Academies Trust.
3.2 All defined terms in this policy are indicated in bold text, and a list of definitions is included in the Annex to this policy.

4 Data Protection Officer

4.1 Aurora’s Data Protection Officer (DPO) is Martha Burnige and she can be contacted at dataprotectionofficer@auroraacademies.org.
4.2 The DPO is responsible for ensuring compliance with the Data Protection Legislation and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
4.3 The DPO is also the central point of contact for all data subjects and others in relation to matters of data protection.

5 Data protection principles

5.1 Anyone processing personal data must comply with the data protection principles. These provide that personal data must be:
5.1.1 processed fairly and lawfully and transparently in relation to the data subject
5.1.2 processed for specified, lawful purposes and in a way which is not incompatible with those purposes
5.1.3 adequate, relevant and not excessive for the purpose
5.1.4 accurate and up to date
5.1.5 not kept for any longer than is necessary for the purpose
5.1.6 processed securely using appropriate technical and organisational measures.
5.2 Personal data must also:
5.2.1 be processed in line with data subjects’ rights
5.2.2 not be transferred to people or organisations situated in other countries without adequate protection.
5.3 We will comply with these principles in relation to any processing of personal data.

6 Fair and lawful processing

6.1 Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
6.2 For personal data to be processed fairly, data subjects must be made aware:
6.2.1 that the personal data is being processed
6.2.2 why the personal data is being processed
6.2.3 what the lawful basis is for that processing (see below)
6.2.4 whether the personal data will be shared, and if so with whom
6.2.5 the period for which the personal data will be held
6.2.6 the existence of the data subject’s rights in relation to the processing of that personal data
6.2.7 the right of the data subject to raise a complaint with the Information Commissioner’s Office in relation to any processing.
6.3 We will only obtain such personal data as is necessary and relevant to the purpose for which it was gathered, and will ensure that we have a lawful basis for any processing.
6.4 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. We will normally process personal data under the following legal grounds:
6.4.1 where the processing is necessary for the performance of a contract between us and the data subject, such as an employment contract or our funding agreement
6.4.2 where the processing is necessary to comply with a legal obligation that we are subject to, such as our legal obligation to provide education to, and safeguard, our pupils
6.4.3 where the law allows us to process the personal data or we are carrying out a task in the public interest
6.5 Where none of the above apply, we will seek the consent of the data subject to the processing of their personal data (see below).
6.6 When special category personal data is being processed then an additional legal ground must apply to that processing. We will normally only process special category personal data under following legal grounds:
6.6.1 where the processing is necessary for employment law purposes, for example in relation to sickness absence
6.6.2 where the processing is necessary for reasons of substantial public interest, for example for the purposes of equality of opportunity and treatment
6.6.3 where the processing is necessary for health or social care purposes, for example in relation to pupils with medical conditions or disabilities.
6.7 Where none of the above apply then we will seek the consent of the data subject to the processing of their special category personal data.
6.8 We will inform data subjects of the above matters by way of appropriate privacy notices which shall be provided to them when we collect the data or as soon as possible thereafter, unless we have already provided this information such as at the time when a pupil joins us.
6.9 If any data user is in doubt as to whether they can use any personal data for any purpose then they must contact the DPO before doing so.

Vital Interests

6.10 There may be circumstances where it is considered necessary to process personal data or special category personal data in order to protect the vital interests of a data subject. This might include medical emergencies where the data subject is not in a position to give consent to the processing. We believe that this will only occur in very specific and limited circumstances. In such circumstances we would usually seek to consult with the DPO in advance, although there may be emergency situations where this does not occur.

Consent

6.11 Where none of the other bases for processing set out above apply we must seek the consent of the data subject before processing any personal data for any purpose.
6.12 There are strict legal requirements in relation to the form of consent that must be obtained from data subjects.
6.13 When pupils join us a consent form will be required. This consent form deals with the taking and use of photographs and videos of them, among other things. Where appropriate third parties may also be required to complete a consent form. Consent forms must be in a format approved by the DPO.
6.14 In relation to all pupils under the age of 12 years old we will seek consent from an individual with parental responsibility for that pupil.
6.15 We will generally seek consent directly from a pupil who has reached the age of 12, however we recognise that this may not be appropriate in certain circumstances and therefore may be required to seek consent from an individual with parental responsibility.
6.16 If consent is required for any other processing of personal data of any data subject then the form of this consent must:
6.16.1 inform the data subject of exactly what we intend to do with their personal data
6.16.2 require them to positively confirm that they consent – we cannot ask them to opt-out rather than opt-in
6.16.3 inform the data subject of how they can withdraw their consent.
6.17 Any consent must be freely given, which means that we cannot make the provision of any goods or services or other matter conditional on a data subject giving their consent.
6.18 A record must always be kept of any consent, including how it was obtained and when.
6.19 Any queries relating to the giving of consent or the consent form must be referred to the DPO.

7 Processing for limited purposes

7.1 We may collect and process the personal data from our workforce, pupils and parents. This may include personal data we receive directly from a data subject (for example, via a completed consent form or by corresponding with us by mail, phone, email or otherwise) and personal data we receive from other sources (including, for example, local authorities, other schools, parents, other pupils or members of our workforce).
7.2 We will only process personal data for the specific purposes permitted by Data Protection Legislation or for which specific consent has been provided by the data subject.

8 Notifying data subjects

8.1 If we collect personal data directly from data subjects, we will inform them about:
8.1.1 our identity and contact details as data controller and those of the DPO
8.1.2 the purpose or purposes and legal basis for which we intend to process that personal data
8.1.3 the types of third parties, if any, with which we will share or to which we will disclose that personal data
8.1.4 whether the personal data will be transferred outside the European Economic Area (EEA) and if so the safeguards in place
8.1.5 the period for which their personal data will be stored, by reference to our Data Destruction Policy
8.1.6 the existence of any automated decision making in the processing of the personal data along with the significance and envisaged consequences of the processing and the right to object to such decision making
8.1.7 the rights of the data subject to object to or limit processing, request information, request deletion of information or lodge a complaint with the Information Commissioner’s Office.
8.2 Unless we have already informed data subjects that we will be obtaining information about them from third parties (for example in our privacy notices), then if we receive personal data about a data subject from other sources, we will provide the data subject with the above information as soon as possible thereafter, informing them of where the personal data was obtained from.

9 Adequate, relevant and non-excessive processing

9.1 We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject, unless otherwise permitted by Data Protection Legislation.

10 Accurate data

10.1 We will ensure that personal data we hold is accurate and kept up to date.
10.2 We will take reasonable steps to destroy or amend inaccurate or out-of-date data.
10.3 Data subjects have a right to have any inaccurate personal data rectified. See below in relation to the exercise of this right.

11 Timely processing

11.1 We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all personal data which is no longer required.

12 Processing in line with data subject’s rights

12.1 We will process all personal data in line with data subjects’ rights, in particular their right to:
12.1.1 request access to any personal data we hold about them
12.1.2 object to the processing of their personal data, including the right to object to direct marketing
12.1.3 have inaccurate or incomplete personal data about them rectified
12.1.4 restrict processing of their personal data
12.1.5 have personal data we hold about them erased
12.1.6 have their personal data transferred
12.1.7 object to the making of decisions about them by automated means.
The Right of Access to Personal Data
12.2 Data subjects may request access to all personal data we hold about them. Such requests are known as subject access requests and can be made verbally or in writing. When a subject access request, or any request for personal data, is received, the DPO must be informed immediately. A response to a subject access request must be provided within one month of receipt.

The Right to Object

12.3 In certain circumstances data subjects may object to us processing their personal data. This right may be exercised in relation to processing that we are undertaking on the basis of a legitimate interest or in pursuit of a statutory function or task carried out in the public interest.
12.4 An objection to processing does not have to be complied with where we can demonstrate compelling legitimate grounds which override the rights of the data subject. Such considerations are complex and must always be referred to the DPO upon receipt of the request to exercise this right.
12.5 In respect of direct marketing any objection to processing must be complied with.
12.6 We are not obliged to comply with an objection where the personal data is required to be processed in relation to any claim or legal proceedings.

The Right to Rectification

12.7 If a data subject informs us that personal data held about them is inaccurate or incomplete then we will consider that request and provide a response within one month.
12.8 If we consider the issue to be too complex to resolve within that period then we may extend the response period by a further two months. If this is necessary then we will inform the data subject within one month of their request that this is the case.
12.9 We may determine that any changes proposed by the data subject should not be made. If this is the case then we will explain to the data subject why this is the case. In those circumstances we will inform the data subject of their right to complain to the Information Commissioner’s Office at the time that we inform them of our decision in relation to their request.
The Right to Restrict Processing
12.10 Data subjects have a right to ‘block’ or suppress the processing of personal data. This means that we can continue to hold the personal data but not do anything else with it.
12.11 We must restrict the processing of personal data:
12.11.1 where it is in the process of considering a request for personal data to be rectified (see above)
12.11.2 where we are in the process of considering an objection to processing by a data subject
12.11.3 where the processing is unlawful but the data subject has asked us not to delete the personal data
12.11.4 where we no longer need the personal data but the data subject has asked us not to delete the personal data because they need it in relation to a legal claim, including any potential claim against us.
12.12 If we have shared the relevant personal data with any other organisation then we will contact those organisations to inform them of any restriction, unless this proves impossible or involves a disproportionate effort.
12.13 The DPO must be consulted in relation to requests under this right.

The Right to Be Forgotten

12.14 Data subjects have the right to have personal data we hold about them erased only in the following circumstances:
12.14.1 where the personal data is no longer necessary for the purpose for which it was originally collected
12.14.2 when a data subject withdraws consent – which will apply only where we are relying on the individuals consent to the processing in the first place
12.14.3 when a data subject objects to the processing and there is no overriding legitimate interest to continue that processing – see above in relation to the right to object
12.14.4 where the processing of the personal data is otherwise unlawful
12.14.5 when it is necessary to erase the personal data to comply with a legal obligation.

We are not required to comply with a request by a data subject to erase their personal data if the processing is taking place:

12.14.6 to exercise the right of freedom of expression or information
12.14.7 to comply with a legal obligation for the performance of a task in the public interest or in accordance with the law
12.14.8 for public health purposes in the public interest
12.14.9 for archiving purposes in the public interest, research or statistical purposes
12.14.10 in relation to a legal claim.
12.15 If we have shared relevant personal data with any other organisation then we will contact those organisations to inform them of any erasure, unless this proves impossible or involves a disproportionate effort.
12.16 The DPO must be consulted in relation to requests under this right.
Right to Data Portability
12.17 In limited circumstances a data subject has a right to receive their personal data in a machine readable format, and to have this transferred to other organisation.
12.18 If such a request is made then the DPO must be consulted.

13 Information/data security

13.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Further information is contained in our Information Security Policy.

14 Data Protection Impact Assessments

14.1 We take data protection very seriously, and will consider and comply with the requirements of Data Protection Legislation in relation to all of its activities whenever these involve the use of personal data, in accordance with the principles of data protection by design and default.
14.2 In certain circumstances the law requires us to carry out detailed assessments of proposed processing. This includes where we intend to use new technologies which might pose a high risk to the rights of data subjects because of the types of data we will be processing or the way that we intend to do so.
14.3 We will complete an assessment of any such proposed processing to ensure that all relevant matters are considered.
14.4 The DPO should always be consulted as to whether a data protection impact assessment is required, and if so how to undertake that assessment.

15 Disclosure and sharing of personal information

15.1 We may share personal data that we hold about data subjects, and without their consent, with other organisations. Such organisations include the Department for Education, the Education and Skills Funding Agency, Ofsted, health authorities and professionals, local authorities, examination bodies, other schools and other organisations where we have a lawful basis for doing so.
15.2 We will inform data subjects of any sharing of their personal data unless we are not legally required to do so, for example where personal data is shared with the police in the investigation of a criminal offence.
15.3 In some circumstances we will not share information relating to safeguarding or child protection matters. Please refer to our Child Protection Policy.

16 Data processors

16.1 We contract with various organisations who provide services to us, including:
16.1.1 human resources and payroll
16.1.2 catering
16.1.3 sports coaching and music lessons
16.1.4 IT support
16.1.5 after school clubs
16.1.6 curriculum and assessment
16.1.7 online payments
16.1.8 home school communications
16.1.9 educational visits.
16.2 In order that these services can be provided effectively we are required to transfer personal data of data subjects to these data processors.
16.3 Personal data will only be transferred to a data processor if they agree to comply with our procedures and policies in relation to data security, or if they put in place adequate measures themselves to our satisfaction. We will always undertake due diligence of any data processor before transferring the personal data of data subjects to them.
16.4 Contracts with data processors will comply with Data Protection Legislation and contain explicit obligations on the data processor to ensure compliance with the Data Protection Legislation, and compliance with the rights of Data Subjects.

17 Images and videos

17.1 Parents and others attending school events may take photographs and videos of those events for domestic purposes. For example, parents can take video recordings of a school performance involving their child.
17.2 We do not allow any such photographs or videos being used for any other purpose, but acknowledge that sometimes such use may be beyond our control.
17.3 We ask that parents and others do not post any images or videos which include any child other than their own child online or on any social media or otherwise publish those images or videos.
17.4 We want to celebrate the achievements of our pupils and our schools and therefore may want to use images and videos of our pupils within promotional materials, or for publication in the media such as local, or even national, newspapers covering school events or achievements. We will seek the consent of parents, and pupils where appropriate, before allowing the use of images or videos of pupils for such purposes.
17.5 When a pupil joins one of our schools their parent, of the pupil where appropriate, will be asked to complete a consent form in relation to the use of images and videos of that pupil. We will not use images or videos of pupils for any purpose where we do not have consent.

18 CCTV

18.1 We operate a CCTV system at our schools. Please refer to our CCTV Policy.

19 Changes to this policy

We may change this policy at any time. Where appropriate, we will notify data subjects of those changes.

ANNEX

DEFINITIONS

Term
Definition
Data
Information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data Subjects
For the purpose of this policy include all living individuals about whom we hold personal data. This includes pupils, our workforce, staff, and other individuals. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
Personal Data
Any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controllers
The people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. We are the data controller of all personal data used in our business for our own commercial purposes.
Data Users
Those of our workforce and our volunteers (including trustees and members of our Local Academy Boards) whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Data Processors
Any person or organisation that is not a data user that processes personal data on our behalf and on our instructions.
Processing
Any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring personal data to third parties.
Special Category Personal Data
Information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or genetic or biometric data.
Workforce
Includes any individual employed by Aurora Academies Trust such as staff, contractors and those who volunteer in any capacity including trustees, members, members of our Local Academy Boards, reading volunteers and parent helpers.