Data Protection Policy
Data Protection Policy
Introductory Statement
This policy was devised in conjunction with relevant stakeholders including Board of Management, Parents Association and Staff.
Scope
The policy applies to the keeping and processing of personal data, both in manual form and on computer, including personal data held on both school staff and students.
Data: means information in a form which can be processed. It includes automated data (information on computer or information recorded with the intention of putting it on computer) and manual data (information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system).
Relevant filing system: means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.
Personal data: means data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Data Controller: A data controller is the individual or legal entity which controls the contents and use of personal data. The school can be considered to be the data controller, with the principal acting for the board of management in exercising the functions involved.
To whom will the policy apply? The policy applies to all school staff, the board of management, parents/guardians, students and others insofar as the measures under the policy relate to them.
Rationale
Why is it necessary to devise a data protection policy at this time? e.g.
- Schools are obliged to comply with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003 (henceforth referred to as the Data Protection Acts)
- Under Section 9(g) of the Education Act, 1998, the parents of a student, or a student who has reached the age of 18 years, must be given access to records kept by the school relating to the progress of the student in his or her education.
- Under Section 20 of the Education (Welfare) Act, 2000, the school must maintain a register of all students attending the school.
- Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day.
- Under Section 28 of the Education (Welfare) Act, 2000, the data controller may supply personal data kept by him or her, or information extracted from such data, to the data controller of another prescribed body if he or she is satisfied that it will be used for a “relevant purpose” only. See Section B.3 under Key Measures below.
Relationship to characteristic spirit of the school (school’s mission/vision/aims)
Laragh 2 Muff National seeks to enable each student to develop his/her full potential.
To do this the school endeavours to provide a safe and secure environment for learning.
We promote respect for the diversity of values, beliefs, traditions, languages and ways of life in society.
Goals/Objectives
- To ensure that the school complies with the Data Protection Acts.
- To ensure compliance by the school with the eight rules of data protection as set down by the Data Protection Commissioner based on the Acts (see below).
- To ensure that the data protection rights of students, staff and other members of the school community are safeguarded.
Key measures (content of policy)
- Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case.
- Details of the arrangements in place to ensure compliance with the eight rules of data protection.
Prompts are provided in each section to assist in identifying the key issues and actions to be implemented.
- The personal data records held by the school may include:
Staff records: These may include:
- Name, address and contact details, PPS number
- Original records of application and appointment
- Record of appointments to promotion posts
- Details of approved absences (career breaks, parental leave, study leave etc.)
- Details of work record (qualifications, classes taught, subjects etc)
- Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files.
These records are kept in files and online eg. POD & Aladdin.
Purpose for keeping staff records may include: to facilitate the payment of staff, to facilitate pension payments in the future, a record of promotions made etc.
Student records: These may include:
- Information which may be sought and recorded at enrolment, including:
- name, address and contact details, PPS number
- names and addresses of parents/guardians and their contact details
- religious belief
- membership of the Traveller community, where relevant
- any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
- Information on previous academic record
- Psychological assessments
- Attendance Records
- Academic record – subjects studied, class assignments, examination results as recorded on official school reports
- Records of significant achievements
- Records of disciplinary issues and/or sanctions imposed
- Other records e.g. records of any serious injuries/accidents etc.
These records are kept on paper, and online in POD and Aladdin.
Purpose for keeping student records may include: to enable each student to develop his/her full potential, to comply with legislative or administrative requirements, to ensure that eligible students can benefit from the relevant additional teaching or financial supports, to support the provision of religious instruction, to enable parent/guardians to be contacted in the case of emergency etc.
Board of Management records: These may include:
- Name, address and contact details of each member of the board of management
- Records in relation to appointments to the board
- Minutes of board of management meetings and correspondence to the board which may include references to particular individuals.
These are kept in the form of written records. .
Purpose for keeping board of management records may include: a record of board appointments, documenting decisions made by the board etc.
- Details of arrangements in place to ensure compliance with the
eight rules of data protection
Laragh 2 Muff NS follows the following procedures to ensure compliance:
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to that individual on request.
The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However, guidance material published on the Data Protection Commissioner’s website states the following:
“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”
See Appendix 1 for a sample statement which could be included on relevant forms when personal information is being requested.
The following prompt questions should be regarded as a checklist in proofing the arrangements for adherence to each of the eight rules:
- Obtain and process information fairly: prompt questions
- Are procedures in place to ensure that staff members, parents/guardians and students are made fully aware when they provide personal information of the identity of the persons who are collecting it, the purpose in collecting the data, the persons or categories of persons to whom the data may be disclosed and any other information which is necessary so that processing may be fair (as stated above, the sample statement in Appendix 1 could be included on relevant forms where personal information is being requested).
⃞
- Is personal information processed fairly in accordance with the Data Protection Acts, with consent being obtained from staff members, parents/guardians or students, where required? See A Guide for Data Controllers (pg. 7 and 8) for a list of exemptions from obtaining consent.
⃞
- Is sensitive personal information processed fairly in accordance with the Data Protection Acts, with explicit consent being obtained from staff members, parents/guardians or students, where required? See A Guide for Data Controllers (pg. 8) for a list of exemptions from obtaining consent.
⃞
- Keep it only for one or more specified, explicit and lawful purposes: prompt questions
- Do the persons whose data is collected know the reason/s why it is collected and kept?
- Is the purpose for which the data is collected and kept a lawful one?
- Is school management aware of the different sets of data which are kept and the specific purpose of each?
- Use and disclose it only in ways compatible with these purposes: prompt questions
- Is data used only in ways consistent with the purpose/s for which it was obtained?
- Is data disclosed only in ways consistent with that purpose?
- Is there a procedure in place, which is in accordance with the Data Protection Acts to facilitate the transfer of information to another school when a student transfers?
Note: Under Section 20 of the Education (Welfare) Act, 2000, each school principal must maintain a register with the names of all children attending that school. When a child is transferring from the school, the principal must notify the principal of the new school of any problems relating to school attendance that the child concerned had and of any other matters relating to the child’s educational progress that he or she considers appropriate. Under Section 28 of the Act, schools may supply personal data, or information extracted from such data, to other schools or another prescribed body if they are satisfied that it will be used in recording the student’s educational history, monitoring the student’s educational progress or developing the student’s full educational potential. - The Minister for Education and Science (which includes the Inspectorate and the National Educational Psychological Service (NEPS)
- The National Council for Special Education (NCSE)
- The National Educational Welfare Board (NEWB)
- Each school recognised in accordance with section 10 of the Education Act, 1998
- Each place designated by the Minister under section 10 of the Education Act, 1998 to be a centre for education.
- Data will only be discussed to 3rd parties, ie Tusla, DES, HSE where lawful and appropriate following correct Data Protection Procedures.
- Is there a procedure in place, which is in accordance with the Data Protection Acts to facilitate the transfer of personal data abroad? See A Guide for Data Controllers (pg. 17).
Exceptions to disclosure rule:
- Data can be disclosed when required by law
- Data can generally be disclosed to an individual himself/herself or with his/her consent (see 8 below).
- Keep it safe and secure: prompt questions
- Is access to the information (including authority to add/amend/delete records) restricted to authorised staff on a “need to know” basis?
⃞
- Who has access to what information based on this “need to know” policy?
⃞
- Are computer systems password protected? ⃞
- Is information on computer screens and manual files kept out of view of callers to the school/office? ⃞
- Are back-up procedures in operation for computer held data, including off-site back-up? ⃞
- Are all reasonable measure taken to ensure that staff are made aware of the security measures, and comply with them? ⃞
- Are all waste papers, printouts etc. disposed of carefully?
⃞
- Are steps taken to ensure that no unauthorised person can access data from computers which are no longer in use or subject to change of use?
⃞
- Is there a designated person responsible for security?
⃞
- Are there periodic reviews of the measures and practices in place?
⃞
- Are premises secure when unoccupied?
⃞
- Is there a contract in place with any data processor which imposes an equivalent security obligation on the data processor?
⃞
- Keep it accurate, complete and up-to-date: prompt questions
- Are clerical and computer procedures adequate to ensure high levels of data accuracy?
- Are appropriate procedures in place, including periodic review and audit, to ensure that each data item is kept up-to-date?
Note: While this rule applies to all computer held data and any new manual records created from July 2003, it will only apply to existing manual records from October 2007.
- Ensure that it is adequate, relevant and not excessive: prompt questions
- Is the information held adequate in relation to the purpose/s for which it is kept?
- Is the information held relevant in relation to the purpose/s for which it is kept?
- Is the information held not excessive in relation to the purpose/s for which it is kept?
Note: While this rule applies to all computer held data and any new manual records created from July 2003, it will only apply to existing manual records from October 2007.
- Retain it for no longer than is necessary for the purpose or purposes
While this rule applies to all computer held data and any new manual records created from July 2003, it will only apply to existing manual records from October 2007.
In general, personal data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and schools need to exercise their individual judgement in this regard in relation to each category of records held. However, the following particular requirements should be met:
- Laragh 2 Muff School registers and roll books are required to be kept indefinitely within the school. Consideration is being given to amending the Data Protection Acts to allow schools to deposit completed school registers and roll books which are no longer required for administrative purposes with the Local Authority Archive Service. The Department will notify schools of any changes to the Acts in this regard.
- Pay, taxation and related school personnel service records should be retained indefinitely within the school.
- Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving school personnel/students or accidents occurring on school property), the relevant records should be retained until the possibility of litigation ceases.
Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge post dates their 18th birthday. While schools may wish to draw up their own policies as to how long to retain such records, it would appear prudent not to destroy records likely to be relevant in litigation at least until the six year limitation period has expired.
In line with the above, it is suggested that the information on student files might, as a general rule, be retained for a period of six years after the student has completed the Senior Cycle and/or reached the age of 18.
- Give a copy of his/her personal data to that individual on request
On making an access request any individual (subject to the restrictions in Notes A and B below) about whom you keep personal data, is entitled to:
- a copy of the data which is kept about him/her
- know the purpose/s for processing his/her data
- know the identity of those to whom the data is disclosed
- know the source of the data, unless it is contrary to public interest
- know the logic involved in automated decisions
- a copy of any data held in the form of opinions, except where such opinions were given in confidence.
To make an access request, an individual must:
- apply in writing
- give any details which might be needed to help identify him/her and locate all the information you may keep about him/her
- pay an access fee if the school wishes to charge one. The school need not do so, but if it does it cannot exceed the prescribed amount of €6.35.
There are a number of exceptions to the general rule of Right of Access, including those specified in Notes A and B below.
Handling access requests: prompt questions
- Is a named person responsible for handling access requests? ⃞
- Are there procedures in place to provide applicants with access to personal data about themselves in accordance with the Data Protection Acts as detailed above?
⃞ - Have criteria been set down on what is sufficient to prove identity in order to access personal data?
⃞ - Is there a procedure in place to record the outcome of any legal proceedings which may limit the right of one or both parents to access information about their child?
Note: If spouses are separated and one of them has obtained an order for custody but both of them remain guardians, then both of them are entitled to be involved in important decisions which affect the child.
⃞ - Are clear co-ordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is made?
⃞ - Is there a procedure in place to rectify or erase any inaccurate information as identified by the individual on whom the data is kept, within 40 days of the request being made?
⃞ - Is information supplied promptly and within 40 days of receiving the request or, in respect of examinations data, within 60 days of receiving the request or 60 days of first publication of the results (whichever is the later)?
⃞ - Is the information provided in a form which is clear to the ordinary person?
⃞ - Is the individual informed within 40 days of the request if no information is held on them?
⃞ - Is the fee charged (if any) refunded to the individual if the request is not complied with or if it is necessary to rectify, supplement or erase the personal data concerned?
⃞
Note A: Access requests by students
- Students aged 18 and over are entitled to access their personal information in accordance with the Data Protection Acts.
- Students under 18 years of age can be given access to their personal information, depending on the age of the student and the nature of the record i.e. it is suggested that:
- if the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access
- if the record is of a sensitive nature, it would be prudent to seek parental/guardian consent
- if a student has some disability or medical condition that would impair his or her ability to understand the information, or if disclosure would be likely to be harmful to the individual concerned, parental/guardian consent should be sought.
Note B: Exceptions to note:
- Schools should note that data protection regulations prohibit the supply of:
- health data to a patient in response to a request for access if that would cause serious harm to his or her physical or mental health. The regulations also provide that such data is to be communicated only by, or after consultation with, an appropriate “health professional”, normally the patient’s own doctor
- personal data obtained in the course of carrying on social work if that would cause serious harm to the health or emotional condition of the data subject concerned. The regulations apply to social work carried on by Ministers, local authorities, the HSE or any other such bodies receiving financial assistance from public funds.
Links to Other Policies and to Curriculum Delivery |
The following policies are linked with Data Protection:
- Child Protection Policy
- Guidance Plan
- Anti-Bullying Policy
- Substance Use Policy
- Code of Behaviour.
Identify any links to curriculum delivery
- CSPE, TYO etc.
Implementation Arrangements, Roles and Responsibilities
The Principal Aonghus Byrne is responsible for the implementation of the policy and for ensuring that staff who handle or have access to personal data are familiarised with their data protection responsibilities.
.
.
Ratification & Communication
This draft will be ratified by the Board of Management
Implementation Date
06/03/2018
Monitoring the implementation of the policy
The implementation of the policy should be monitored.
- Who will do what and when to confirm that the actions/measures set down under the policy are being implemented?
Reviewing and evaluating the policy
The policy should be reviewed and evaluated at certain pre-determined times and, as necessary. Ongoing review and evaluation should take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Science or the NEWB), legislation and feedback from parents/guardians, students, school staff and others. The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning.
Appendix 1
Sample Data Protection Statement for inclusion on relevant forms when personal information is being requested
The information collected on this form will be held by X school in manual and in electronic format. The information will be processed in accordance with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003.
The purpose of holding this information is ….. (School should insert the relevant information eg. for administration, to facilitate the school in meeting the student’s educational needs etc. ).
Disclosure of any of this information to statutory bodies such as the Department of Education and Science or its agencies will take place only in accordance with legislation or regulatory requirements. Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school wishes to disclose this information to a third party for any other reason.
Parents/Guardians of students and students aged 18 or over have a right to access the personal data held on them by the school and to correct it if necessary.
I consent to the use of the information supplied as described.
Signed Parent/Guardian: _________________________
Signed Student: _________________________