What is GDPR

The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which determines how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. It has been in place since 25 May 2018 and applies to organisations that process or handle personal data, including schools.

It's similar to the Data Protection Act (DPA) 1998 in many ways. Most of the differences involve the GDPR building on or strengthening the principles of the DPA.

Summary of the regulation

Here are the key points that the regulation covers. (This summary is not intended to be exhaustive and does not cover the full contents of the regulation.)

GUIDANCE

Updated: Aug 2020


Chapter 1 | General Provisions

Chapter 1 of the regulation, beginning on page 32 of the document, explains: This regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

“Natural persons” means individuals, as opposed to "legal persons" which would mean organisations.

The chapter includes details about:

• Subject matter and objectives
• The scope of the regulation
• Key terms that appear in the regulation

Chapter 2 | Principles

Article 5, in chapter 2 (page 35), sets out 6 principles of data processing. These say that personal data must be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
• Accurate and kept up to date
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed
• Processed in a way that ensures appropriate security of personal data

The chapter also explains the 6 conditions under which the processing of personal data is lawful. You only need to meet one of them. It says you can process data as long as:

• It helps you fulfil a contract with the person (e.g. to fulfil your obligations to staff under an employment contract)
• You need to do it to comply with the law (e.g. the law requires schools to pass certain information to the Department for Education)
• It will protect someone's 'vital interests' (e.g. to save someone's life)
• It helps you to carry out your official functions or a task in the public interest (e.g. schools must process most of their data in order to function as a school)
• You have the express consent of the person (e.g. they have said they want to receive fundraising communications from your school's alumni network)
• You have legitimate interests in the data (e.g. if you are a private-sector organisation with a genuine and legitimate reason for using someone's data, unless it's outweighed by harm to the person's rights - schools are unlikely to use this one)

Chapter 3 | Individuals' Rights

Chapter 3 (starting on page 39) covers the rights of data subjects. It explains that, regarding their personal data, individuals will have the right to:

• Be informed about how their data is used, typically through privacy notices
• Have access to their data, such as through subject access requests
• Have inaccurate or incomplete information about them corrected
• Have their data deleted where there is no compelling reason for its continued use
• Block or restrict processing of their data
• Obtain and reuse their data for their own reasons across different services ('data portability')
• Object to the processing of their data for particular purposes
• Not be subject to an automated decision made through the use of data, which has a legal or significant effect on the person


Contents

What is GDPR (p. 1)
Summary of the regulation (p. 1)
Evolve GDPR Website (p. 3)
Roles and responsibilities (p. 4)
  Trustee / Governor Board (p. 4)
  Data Protection Officer (p. 4)
  Headteacher (p. 4)
  All staff (p. 4)
Consent (p. 5)
Data Breaches (p. 6)
Data protection impact assessments (p. 7)
Subject Access Requests (p. 8)
Data protection officers (p. 9)
Working From Home Guidance (p. 10)
Suspected Data Breach (p. 11)
GDPR Training (p. 12)
FORM FOR REPORTING A SUSPECTED DATA BREACH (p. 13)
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (p. 15)

Evolve GDPR Website

An online hub has been produced to allow staff across the trust to access important information, documents and resources.

http://www.evolvetrust.org/gdpr. This site can be accessed from anywhere and on any device.


Roles and responsibilities

This extract from the Evolve Trust’s GDPR policy outlines the roles and responsibilities with regard to GDPR. GDPR is everyone's responsibility, and it should be stressed that staff who do not comply with this policy may face disciplinary action.

Trustee / Governor Board

The trustee board has overall responsibility for ensuring that the trust complies with all relevant data protection obligations.

Data Protection Officer

The Data Protection Officer (DPO) is responsible for overseeing the implementation of the GDPR policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.

They will provide an annual report of their activities directly to the trustee board and, where relevant, report to the board their advice and recommendations on data protection issues.

The DPO is also the first point of contact for individuals whose data the trust processes, and for the ICO.

Headteacher

The headteacher acts as the representative of the data controller on a day-to-day basis.

All staff (including Trustees, Governors, Individuals on Work Experience)

Staff are responsible for:

• Collecting, storing and processing any personal data in accordance with the GDPR policy
• Informing the school of any changes to their personal data, such as a change of address
• Contacting the DPO in the following circumstances:
  o With any questions about the operation of the GDPR policy, data protection law, retaining personal data or keeping personal data secure
  o If they have any concerns that this policy is not being followed
  o If they are unsure whether or not they have a lawful basis to use personal data in a particular way
  o If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area
  o If there has been a data breach
  o Whenever they are engaging in a new activity that may affect the privacy rights of individuals
  o If they need help with any contracts or sharing personal data with third parties


Consent

The GDPR brings in stricter rules around consent. Consent for processing someone’s personal data must be freely given, specific, informed, unambiguous, and a positive affirmation of the individual’s agreement.

For the first time, the GDPR brings in special protection for children’s personal data, though only in the context of commercial internet services such as social networking.

You need to consider whether parental/guardian consent is required for the data processing you carry out with regards to things such as using apps in the classroom.

Evolve Consent

Consent isn’t required for processing data that is related to our public task; however, how contact is made with parents, and how photographs and videos taken in school are used, may rely on consent.

Parental consent is acquired as part of the year 7 intake process, and this is then recorded in Sims. This consent is recaptured in year 9 when students are at the age of consent.

In both instances the parent/carers’ views are considered as part of the trust’s responsibility to ensure consent is valid and that the person giving the consent is capable of understanding the implications of their decision to give/withdraw consent.

If you are planning an activity outside the scope of the generic photographic consent form, you will need to discuss this with your Principal and/or the DPO, who will offer advice on a case-by-case basis, which may result in additional consent being recorded.

There is a possibility, however, that your activity could fall under one of the other lawful bases for processing.


Data Breaches

The ICO must now be notified within 72 hours of data breaches where an individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.

Evolve Data Breaches

When a breach is discovered, it is important that it is reported immediately. Given the time limit imposed by the ICO, an investigation must be initiated as soon as possible.

If you are unsure if what you have discovered would be classed as a breach, it is recommended that you submit a report anyway to allow the Data Breach Committee to review it.

In most cases potential breaches can be dealt with internally, but this is most effective if the report is received in good time.

The data breach form can be downloaded from www.evolvetrust.org/gdpr/report or is attached to this document (Appendix 2).

Once you have completed the form, including all of the necessary information, it should then be sent to [email protected], where its receipt will be acknowledged by a member of the GDPR Committee.

It will then be actioned as illustrated below.


Data protection impact assessments

It was previously good practice to carry out a privacy impact assessment when your school was considering using data in new and innovative ways, or implementing new technology to monitor pupils in some way.

This is now a legal requirement in some circumstances under the GDPR. The ICO suggests, for example, that you might do this where you've considered implementing a new web monitoring system in the classroom or sharing data with a local initiative.

Evolve Data protection impact assessments

Before any new system, initiative, app or service is set up, it is important to consider whether it will have an impact on data protection.

If the system requires staff, student or parent information, it is likely that a Data Protection Impact Assessment (DPIA) will need to be carried out and approved by Senior Managers and the Data Protection Officer.

This must be done before ordering/implementing the system and must be completed through the correct channels to ensure the trust has a clear and complete picture of where its data is being used and how it is secured.

Anyone can carry out a DPIA but the appropriate Directors of Learning/Senior Management should be made aware before submitting the assessment to the DPO.

The DPIA template can be found at www.evolvetrust.org/gdpr or is attached to this document (Appendix 3).

Once the DPIA has been processed and approved, it must be kept under review by the relevant Director of Learning/Senior Manager, and any changes or amendments must be recorded and reported to the DPO.

Information about the new processing activity needs to be added to the trust’s Record of Processing Activity document, which would also need updating/amending if any changes are made. This can be done by completing THIS ONLINE FORM.


Subject Access Requests

Every data subject has the 'right of access', which forms a fundamental part of data protection law across the world. This gives each data subject the right to know whether an organisation is storing or processing their personal data, a right that is usually exercised through a subject access request.

Using an SAR, an individual can request to see a copy of their data, as well as details on why that data is being processed, what type of data it is, the recipients of that data, how long it's stored, how the data was collected, and evidence to show that the data is being appropriately safeguarded.

Evolve Subject Access Requests

A subject access request (SAR) is a request made by or on behalf of an individual for the information which he or she is entitled to ask for under the General Data Protection Regulation. The request does not have to be in a particular format.

If staff receive a subject access request, they must immediately forward it to the DPO; it will then be actioned as below:


Data protection officers

Under the GDPR, all public authorities must designate a data protection officer (DPO) to take responsibility for data protection compliance. This means that many schools will need to put this in place for the first time, as previously this was optional. The DPO will be the first point of contact for the ICO and, in many cases, for employees who have questions and concerns regarding GDPR.

Evolve Data protection officer

The Evolve Trust has appointed a DPO who is responsible for overseeing compliance throughout the trust and its academies.

The Data Protection Officer can be contacted with questions and/or concerns relating to data protection and the GDPR.

Alex Walker
Data Protection Officer for The Evolve Trust

[email protected] [email protected]

(01623) 348100


Working From Home Guidance

When working from home, please refer to Trust policies to ensure you are working in compliance with them, to protect yourself, the trust, our students and our data. Relevant policies include, but are not limited to:

- GDPR Policy
- Staff ICT Acceptable Use Policy

Relevant information from policies

- Remember to lock your computer if you are going to leave it and do not want to shut it down. This makes sure that no one can gain access to your personal information, or the information of others, through your account while you are away from your computer. (Please feel free to see any member of the Systems Team if you are not sure how to do this.)
- When remotely accessing any of the trust’s systems, never leave a device connected to our systems unsupervised, only use devices that you are sure are virus free, and never provide access to our systems to anyone else. Remember that once you are connected to or using our systems remotely, you need to abide by this policy and any and all relevant Trust policies.
- Where you take a copy of data outside the trust, ensure that it is secured on a laptop or memory stick which is encrypted and kept secure at all times.
- You should only take a hard copy of data outside the trust if absolutely necessary, and with authorisation from the Data Protection Officer.

The trust is committed to safeguarding its ICT infrastructure to ensure it can be used in the most effective manner to support teaching and learning. As a result, all members of staff are expected to take reasonable measures to prevent ICT equipment from being damaged or stolen. The following are basic guidelines to follow:

- Keep liquids away from ICT equipment
- Do not place / drop heavy objects on ICT equipment
- Securely lock ICT equipment away when not in use
- Do not leave ICT equipment unattended or on view in a public place

Chat services are available as part of Office 365 and are integrated into Teams; no other chat service outside of this should be used.

The trust provides a private cloud service via Office 365; therefore no other cloud services are necessary, and none are permitted. This includes, but is not limited to, iCloud, Google Apps and services, SkyDrive and Dropbox. Furthermore, storing Trust data of any kind on other cloud services is considered a breach of the General Data Protection Regulation, and serious breaches may result in prosecution.


Privacy impact assessments must be carried out and approved where the academy’s processing of personal data presents a high risk to the rights and freedoms of individuals, and when introducing new technologies (the DPO will advise on this process).

We all need to protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. In particular:

• Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use

• Papers containing confidential personal data must not be left on office and classroom desks, on staffroom tables, pinned to notice/display boards, or left anywhere else where there is general access

• Staff, pupils or governors who store personal information on their personal devices are expected to follow the same security procedures as for academy-owned equipment (see our ICT Acceptable Use policy)

• Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected

Suspected Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The academy will make all reasonable endeavours to ensure that there are no personal data breaches; however, in the unlikely event of a suspected data breach, we will follow the procedure set out by the trust.

If you suspect that there may have been a data breach, you should report this as soon as possible so that it can be investigated further. Where appropriate, we will report the data breach to the ICO; this must be done within 72 hours.


GDPR Training

All members of staff are expected to carry out annual refresher training on GDPR, which is completed as part of the Smart Log online training platform.

Regular spot checks will be carried out to ensure all staff have completed annual refresher training.

Additional information, useful websites, documents and articles can be found on the GDPR Hub at www.evolvetrust.org/gdpr.

If you feel you need additional information, support or training in a certain area of GDPR, contact the Data Protection Officer.


Appendix 2: FORM FOR REPORTING A SUSPECTED DATA BREACH


Appendix 3: DATA PROTECTION IMPACT ASSESSMENT TEMPLATE

A Data Protection Impact Assessment (DPIA) should be completed for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. It is good practice to do a DPIA for any other major project which requires the processing of personal data.

Step 1: Identify the need for a DPIA

Explain broadly what the system / project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or another way of describing data flows. What types of processing identified as likely high risk are involved?

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?


Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly?

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?


Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

Step 5: Identify and assess risks

Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Likelihood of harm | Severity of harm | Overall risk
Remote, possible or probable | Minimal, significant or severe | Low, medium or high


Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5.

Risk | Options to reduce or eliminate risk | Effect on risk (Eliminated, reduced or accepted) | Residual risk (Low, medium or high) | Measure approved

Step 7: Sign off and record outcomes

Item | Name/date | Notes
Measures approved by: | | Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by: | | If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided: | | DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice: | |
DPO advice accepted or overruled by: | | If overruled, you must explain your reasons
Comments: | |
Consultation responses reviewed by: | | If your decision departs from individuals’ views, you must explain your reasons
Comments: | |
This DPIA will be kept under review by: | | The DPO should also review ongoing compliance with DPIA