Data Protection Practices of our School
Data protection in schools is a must. Schools work with an incredible amount of personal data. This includes information such as pupil names, addresses, medical information, images, and more. Additionally, information related to job applicants, management, staff and volunteers is often stored within a school database.
The Data Protection Policy is designed to protect the privacy of individuals, as schools handle data detailing pupil information such as ethnicity, race, biometric data, health, etc. This data is subject to strict controls, and therefore schools need to protect this information efficiently.
The importance of the policy lies in establishing and maintaining the fundamental principles and security measures that must be applied by data controllers.
What is data protection?
Data protection refers to safeguarding private and important information from compromise, corruption and loss. Data protection is becoming ever more important in today’s data-driven society, as the amount of information created and stored expands year-on-year.
In India, the Information Technology Act, 2000 was established to decipher the process of data collection; however, the consent of children is not specified as it is in other countries. Hence, all data given by students is given with parental consent.
In our school, the processing of personal data stored on school websites, paper, servers and databases is all covered as per the guidelines of GDPR. Critically, the school tries to undertake stringent data protection impact assessments when software is upgraded, IT infrastructure is changed, or new technology that deals with personal data is introduced.
Personal information
Personal information can be defined as anything relating to an individual that identifies them. This applies to both physical and digital records.
Examples of personal information that a school may store include:
- Names and dates of birth for both staff and pupils.
- Images of staff and pupils that confirm their identity and can be linked to additional personal information.
- Addresses of staff and pupils.
- Recruitment information.
- Financial records, such as tax information and bank details.
- Information relating to pupil behaviour and school attendance.
- Medical records, including medical conditions, wherever necessary.
- Exam results and class grades.
- Staff development reviews.
- School assessments and marks.
- Safeguarding information.
With such a myriad of personal information held by schools, the importance of protecting such data is paramount.
Privacy notice
When information concerning a parent, child or member of staff is collected, transparency is offered about how this information will be used. An explanation is given of precisely how the personal information of all staff and pupils is processed.
Examples include how to arrange school trips, facilitate education, or store grades and exam results.
To ensure transparency, clear privacy notices are displayed. The purpose of a privacy notice is to present and summarise what information the school requires, why this information is being collected, and which third parties are privy to such data. The individual to whom the information relates must give full consent to the school in order for it to be stored. Primary and secondary schools have different data requirements. For this reason, our school has its own privacy policy covering the processing activities that are specific to the school.
Our School privacy notice covers these key areas:
- Information relating to how the personal data is collected.
- Any purposes relating to our intentions to process information.
- Information on how data will be kept up-to-date.
- Details on confidential waste procedures.
- Precise information on guidelines and expectations of staff working with personal data.
- Information relating to all ‘trusted’ third parties involved with accessing or disseminating personal data, who need to sign a confidentiality agreement before information is passed on.
- Procedures put in place in case personal data is stolen or lost.
- Guidelines for transferring or sharing data outside of the school.
- All additional information for individuals regarding fair data processing.
The school tries to make people aware, and publishes the privacy notice on all enrolment documentation and on forms used to collect any personal information. A digital copy of the privacy notice is shared on the website and with any stakeholder who wants in-depth knowledge.
Key principles:
Compliance with the Data Protection Policy in our school is essential, not only because it helps prevent security incidents but also because it ensures that data processing practices are responsible and efficient.
- Lawfulness, fairness and transparency
All data must be obtained on a lawful basis, leaving individuals fully informed. This includes data storing, processing and collection.
Fairness relates to our actions. Whether we control or process data, the processes must follow procedures described to the data subject. This means that the promises outlined in the school privacy statement must be followed as the subject data is collected. Additionally, all data must be used only for pre-stated purposes and time periods.
Transparency refers to the privacy notice. All staff, pupils and parents must be informed of the purposes, means and time period of data processing. All individuals affected need to know precisely what will be done with their data and who can gain access to this information.
- Purpose limitation
When it comes to the privacy notice, it’s paramount that all subjects are informed about the purpose of the school’s data collection, and that this information is made accessible to the data subject who has consented.
- Data minimisation
Only the necessary data is collected. All personal data collected must be ‘adequate, relevant and limited to what is necessary concerning the purposes for which they are processed’.
- Accuracy
Any personal data has to be ‘accurate and, where necessary, kept up to date’. Therefore, all old and outdated records, contracts and personal data must be erased as soon as this information is no longer essential.
- Storage limitations
This principle relates to the process of data minimisation and clearly states that personal data has to be ‘kept in a form which permits identification of data subjects for no longer than necessary’. As always, the information has to be documented in case of an investigation.
- Integrity and confidentiality
This principle states that personal data must be handled ‘in a manner [ensuring] appropriate security’, which includes ‘protection against unlawful processing or accidental loss, destruction or damage’. This means that anonymisation and pseudonymisation systems must be applied where necessary to protect the identity of staff and students.
- Accountability
Each step of the school’s data management policy is justified and formulated by way of official documentation. These documents are available to prove compliance should the relevant policies request access.
Security measures
Once personal information relating to staff, parents and pupils is acquired, it is kept secure. Loss of information or unauthorised access can cause severe damage to individuals. All manual and digital records must be protected with a level of security that directly reflects the potential harm that could come from data loss or misuse. Additionally, robust procedures are put in place to respond to such security breaches, including legal complaints and termination.
Potential security measures for school data protection include:
- The use of strong passwords.
- Shredding of all physical copies of confidential waste.
- Installation of virus-checking software and firewalls on school computers.
- Turning off all ‘auto-complete’ settings.
- Limiting access to personal information wherever necessary.
- Holding telephone calls in designated private areas.
- Ensuring that all storage systems are secure.
- Keeping digital devices locked away securely when not in use.
- Making sure that all papers and devices containing sensitive information are stored securely.
Small electronic storage devices such as memory sticks and SD cards require serious consideration as they can be easily misplaced; hence they are strictly banned inside the school. Only school-recommended memory sticks, which cannot be taken outside the campus, are used on the premises, ensuring that they are fully encrypted and password protected.
Additionally, hard drives are to be securely erased if they are being discarded. This is done by a professional who is technically capable of completely formatting the drive to eliminate all data.
Personal information that can be shared:
Occasionally, personal data needs to be shared with other schools, different departments, local authorities and social services. On these occasions, it may be the case that actions cannot be completed or verified without sharing such data. For example, if a school trip is being organised in conjunction with another school, data must be shared to confirm attendance and ensure the safety of all participants. Before sharing this data, all legal implications are considered and consent is taken.
Questions the school asks the third party for better transparency:
- Who requires this data?
- Which data is required, and for what purposes will the information be used?
- What is the intention behind sharing this information?
Consent is received from the individual concerned before their personal information is shared.
Note that this even applies to sharing images on the school’s Facebook page, in the school prospectus, or in any other marketing materials both online and offline. Any literature sent from schools to parents requires a printed data protection statement where applicable, including if a reply slip is included requiring personal data related to the pupil or their parents. If the school plans to transfer data to other countries, this information can only be shared if there are equivalent or suitable security measures in place in the recipient’s organisation.
Taking photos in school
Rules around consent for school include:
- Images for personal use – Parents photographing and/or recording the school play. Consent is not necessary.
- Official school use – Images or videos taken for use on the school website and inside the prospectus or as part of official marketing materials. Consent is required from the person being videoed or photographed.
- Media use – Photos taken for a blog, press release, or newspaper article. Consent is needed from the person being videoed or photographed.
For all images of pupils that are published, their names must not be credited unless this is pertinent and the pupils/their parents have given consent.
For example, data received relating to pupils’ assessments should never be published on the school’s website until it has been asked for by the CBSE, the Education Department of Karnataka, or the Ministry of Education, Govt. of India. Any additional information is marked as excessive and should not be collected.