Unity Schools Trust Data Protection & Freedom of Rights Policy
Unity Schools Trust is committed to data protection and supports the data protection rights of all those with whom it works, including, but not limited to, staff, students, parents, governors and visitors. This Data Protection & Freedom of Rights Policy sets out the accountability and responsibilities of the Trust, its staff and its students to comply fully with the provisions of the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.
The Trust has appointed a Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR. Information can be obtained from the DPO and from the Business Director and Chief Financial Officer who can be contacted via firstname.lastname@example.org.
Purpose of Policy
The Data Protection & Freedom of Rights Policy sets out the responsibilities of the School, its staff and its students to comply with the provisions of the GDPR. The policy forms the framework for which everybody processing personal data should follow to ensure compliance with the data protection legislation.
The Data Protection & Freedom of Rights Policy applies to all staff and students in all cases where the Trust is the data controller or the Trust is a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.
Status of Policy
This policy does not form part of the formal contract between Unity Schools Trust and staff or students, but compliance with it is a condition of employment and expectations of students to abide by the Trusts rules and policies. Any failure to follow the policy can therefore result in disciplinary proceedings.
Others such as visitors are expected to comply with the policy insofar as they are processing data for and on behalf of the Trust.
Responsibilities under the Policy
Unity Schools Trust is the data controller and has the responsibility to implement and comply with data protection legislation. In determining the purposes for which, and the manner in which, personal data is processed, the Trust must adhere to the Data Protection Principles as set out in the legislation. Details of the principles and main requirements for compliance can be found in the Data Protection & Freedom of Rights Policy.
All users of personal data within the Trust must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently or intentionally.
The Trust provides data subjects with a “Privacy Notice” to let them know how and for what purpose their personal data is processed.
Responsibilities of Data users
Heads of Schools, Senior Leadership Team, Heads of Department, Managers of Administrative and Support Services have a responsibility to ensure compliance with the Data Protection & Freedom of Rights Policy, and to develop and encourage good information handling practices within their areas of responsibility. All data users of personal data within the Trust have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation. The policy provides detailed guidance to assist with fulfilling these obligations.
The DPO will perform periodic audits to ensure compliance with this policy and the legislation.
Data Subject Rights
The GDPR contains data subject rights the Trust must comply with – the rights to information, subject access, to rectification, to object, to erasure, to portability, to restrict processing and in relation to automated decision-making and profiling. These rights can be restricted for personal data used in research.
Subject Access Requests and the right to data portability
Individuals have the right to request to see or receive copies of any information the Trust holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format so it can be forwarded to another data controller. The Trust will respond to these requests within one calendar month. It is a personal criminal offence to delete relevant personal data after a subject access has been received.
Subject access requests should be submitted in writing, either by letter or email to the DPO. They should include:
- Name of individual
- Correspondence address
- Contact number and email address
- Details of the information requested
Right to erasure, to restrict processing, to rectification and to object
In certain circumstances data subjects have the right to have their data erased. This only applies
- Where the data is no longer required for the purpose for which it was originally collected, or
- Where the data subject withdraws consent, or
- Where the data is being processed unlawfully
In some circumstances, data subjects may not wish to have their data erased but rather have any further processing restricted.
If personal data is inaccurate, data subjects have the right to require the Trust to rectify inaccuracies. In some circumstances, if personal data is incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.
Rights in relation to automated decision making and profiling
In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the DPO immediately.
Data Protection Breaches
Unity Schools Trust is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The Trust makes every effort to avoid data protection incidents, however, it is possible that mistakes will occur on occasions. Examples of personal data incidents might occur through:
- Loss or theft of data or equipment on which data is stored
- Ineffective access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to incorrect recipient
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- “Blagging” offences where information is obtained by deceiving the organisation that holds it
Any data protection incident must be bought to the attention of the Trust’s DPO who will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, the Trust is required to notify the Information Commissioner’s Office as soon as possible, and not later than 72 hours after becoming aware of it.
When reporting a breach, you will be required to provide information about the nature of the breach, i.e. what happened, and whether any personal data was involved. Once the DPO has determined whether the incident constitutes an actual data protection breach, actions will be taken accordingly to help contain the incident and, where necessary, assist with notifying the affected subjects. The DPO will also, where required, notify the Head of School, School or Department, Chief Executive Officer & Executive Headteacher, Business Director and Chief Financial Officer and the Information Commissioner’s Office. A record will be kept of all data protection incidents and breaches including the actions taken to mitigate the breach.
Unity Schools Trust takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. For more information on how the Trust manages these responsibilities please see our Data Protection & Freedom of Rights Policy on our website.
Freedom of Rights
The Trust is subject to the Freedom of Information Act 2000 as a public authority, and as such, must comply with any requests for information in accordance with the principles laid out in the Act.
Anyone can make a freedom of information request – they do not have to be UK citizens, or resident in the UK. Requesters should direct their requests for information to the Business Director and Chief Financial Officer, who may allocate another individual to deal with the request.
The Trust will respond as soon as possible, and in any event, within twenty working days of the date of receipt of the request. For the Trust, a “working day” is one in which students are in attendance, subject to an absolute maximum of sixty calendar days to respond.