General Data Protection Regulation
Our Commitment
Notification
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
Personal and Sensitive Data
All data within FSBL control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
The definitions of personal and sensitive data shall be as those published by the ICO for guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/keydefinitions/
The principles of the Data Protection Act shall be applied to all data processed:
- ensure that data is fairly and lawfully processed
- process data only for limited purposes
- ensure that all data processed is adequate, relevant and not excessive
- ensure that data processed is accurate
- not keep data longer than is necessary
- process the data in accordance with the data subject’s rights
- ensure that data is secure
- ensure that data is not transferred to other countries without adequate protection.
Data Security
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.
Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
- https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
- https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2014/02/privacyimpact-assessments-code-published/
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and for reporting on their performance.
The security arrangements of any organisation with which data is shared shall also be considered, and where required these organisations shall provide evidence of their competence in securing the shared data.
Data Access Requests (Subject Access Requests)
All individuals whose data is held by us have a legal right to request access to such data, or to information about what is held. Such requests should be made in writing, and we shall respond to them within one month. No charge will be applied to process the request.
Personal data about students will not be disclosed to third parties without the consent of the student, unless disclosure is required by law.
Location of information and data
Hard copy data, records, and personal information are stored out of sight and in a locked cupboard. Sensitive or personal information and data should not be removed from the FSBL site; however, FSBL acknowledges that some staff may need to transport data between the office and their home in order to access it for work in the evenings and at weekends. This may also apply in cases where staff have offsite meetings or are on centre visits.
The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:
- Paper copies of data or personal information should not be taken off the school site. If these are misplaced, they can easily be accessed by others. If there is no way to avoid taking a paper copy of data off the FSBL site, the information should not be on view in public places, or left unattended under any circumstances.
- Unwanted paper copies of data, sensitive information or student files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or student by name.
- Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.
- If information is being viewed on a PC, staff must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers.
- If it is necessary to work with data away from the site, it should be accessed via the Cloud. Work should be edited in the Cloud and saved there only.
These guidelines are clearly communicated to all FSBL staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
Data Disposal
FSBL recognises that the secure disposal of redundant data is an integral element of compliance with legal requirements and an area of increased risk.
All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process. Disposal of IT assets holding data shall be in compliance with ICO guidance: https://ico.org.uk/media/fororganisations/documents/1570/it_asset_disposal_for_organisations.pdf