Data Protection and the GDPR
As the UK transitional arrangements expired on 31 December 2020, there are some practical changes for Data Protection and the GDPR.
To comply with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, please note that every policy, notice and procedural guide that refers to “GDPR”.
General Data Protection Regulation (GDPR)
Data Protection governs how information about living people (such as pupils and staff) is collected and used.
GDPR is about personal data. This means data which relates to an individual who can be identified from that information. It does not affect all the records the school or Trust holds because much of it will not contain personal data.
GDPR became law on 25th May 2018. It has a number of changes from the previous Data Protection Act. The main new feature of data protection under the GDPR is an accountability principle, meaning that the organisation does not only have to comply, but it has to be able to demonstrate that it complies.
The Information Commissioner’s Office (ICO) is the national regulator of data protection legislation. If there is something that we, as a Trust, are doing that is not quite as it should be, a complaint can be made to the ICO.
N.B. the ICO website is a key place to find further information on GDPR. Here is the link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Nene Education Trust is the Data Controller and responsible for compliance under GDPR.
Privacy Notices are what we use to explain to people why we collect information and what we are going to do with it, such as if we are going to share it with anyone else.
Data Protection Officer (DPO)
Procedures for individuals to exercise their rights
The GDPR gives individuals various rights around their data. The main one is being able to request a copy of the information held about them, but it also gives them the right to do things like request that information is corrected (if inaccurate).
Policies
NET has prepared the following policies and procedures for GDPR:
- Data Protection and Freedom of Information Policy
- Records Retention Policy
- Acceptable use policy
- Data breach procedure
- Subject access request procedure
These policies and procedures are contained in the GDPR area of each school website:
Individuals have the following rights:
- Right of access (to receive copies of their personal data);
- Right to rectification (correcting data if inaccurate);
- Right to erasure (to request that data is deleted);
- Right to restrict processing (to request you do not use their data in a certain way);
- Right to data portability;
- Right to object;
- Right to have explained if there will be any automated decision-making, including profiling, based on the data and that they have the right to meaningful information about the logic behind this.
Subject Access Requests (SARs)
Individuals have the right to request access to the information we hold about them. Further details can be found in our Data Protection and FOI policy.
Subject Access Requests can be made verbally or in writing by any of the following means (list is not exhaustive):
As part of our GDPR obligations we will:
- Provide the information free of charge;
- Comply within 1 month of the request;
- Provide the information in a commonly used electronic format where possible.