GDPR - Data Protection Policy

Policy no: 12
Version: 1.1 Date: November 2023
Date of review: November 2025

Rationale

At Holywood Steiner School, we believe privacy is important; please see the School's Clear Desk and Screen Procedure (Appendix one).

We are committed to complying with our data protection obligations and to being concise, clear, and transparent about how we obtain and use Personal Information and how (and when) we delete that information once it is no longer required.

We will review and update this data protection policy regularly in accordance with our data protection obligations.

Any queries in relation to this Policy or any of the matters referred to in it should be submitted in writing to the Head Teacher.

The following policies, procedures and documents are also relevant to this Policy:

  • Data Breach Management Procedure

  • Subject Access Request Procedure

  • Document Disposal Schedule

This Policy gives important information about:

  • the data protection principles with which Holywood Steiner School must comply.

  • what is meant by Personal Information and Special Category Data.

  • how we gather, use and (ultimately) delete Personal Information and Special Category Data in accordance with the data protection principles.

  • where more detailed Privacy Information can be found, e.g., about the Personal Information we gather and use about you, how it is used, stored, and transferred, for what purposes, the steps taken to keep that information secure and for how long it is kept.

  • your rights and obligations in relation to data protection, and the consequences of our failure to comply with this Policy.

Definitions

“consent” means any freely given, specific and well-informed indication of the individual's wishes by which the individual agrees that his or her Personal Information may be processed. Additional requirements about consent may arise from the respective national laws.

"Personal Information" (sometimes known as “personal data”) means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly — in particular, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

“processing” means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with Personal Information.

"Special Category Data" (sometimes known as “sensitive personal data”) means Personal Information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, and data concerning health or sex life.

Principles

The School is subject to the Data Protection Act 2018 (the Act) and other regulations including GDPR (“Applicable data protection law”), which impose obligations on the School as a data controller in relation to the protection, use, retention, and disposal of Personal Information. This Policy sets out the procedures that are to be followed when dealing with Personal Information and applies to all Personal Information processed by or on behalf of Holywood Steiner School.

Applicable data protection law sets out the following principles with which any party handling Personal Information must comply.

All Personal Information must be:

  • processed lawfully, fairly and in a transparent manner.

  • collected for specified, explicit and legitimate purposes only, and not further processed in a manner that is incompatible with those purposes.

  • (further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes.)

  • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate Personal Information is deleted or corrected without delay.

  • kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the information is processed.

Personal Information may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest or for scientific or historical research purposes, subject to the implementation of the appropriate technical and organisational measures required by Applicable data protection law in order to safeguard the rights and freedoms of the individual.

Personal Information must also be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, Fair and Transparent Processing

The School will, before any processing of Personal Information starts for the first time, and then regularly while it continues to process the Personal Information, ensure that the processing rests on at least one of the following lawful bases:

Consent:

The individual has given their express agreement to the processing of their Personal Information for one or more specific purposes; parental consent will be obtained for any child aged under 13 years old or for children aged over 13 who are not considered capable of giving consent themselves.

Contractual: the processing is necessary for the performance of a contract to which the individual is party or to take steps at the request of the individual prior to entering a contract.

Legal Obligation: the processing is necessary for compliance with a legal obligation to which the School is subject.

Vital Interests: the processing is necessary for the protection of the vital interests of the individual or another natural person.

Public Interest: the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority.

Legitimate Interests:

  • the processing is necessary for the purposes of the legitimate interests of the School or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the individual, in particular where the individual is a child.

The School will also:

  • except where the processing is based on consent, satisfy itself that the processing is necessary for the purpose of the relevant lawful basis (i.e., that there is no other reasonable way to achieve that purpose).

  • document its decision as to which lawful basis applies, to help demonstrate its compliance with the data protection principles.

  • where Special Category Data is processed, identify a lawful special condition for processing that information and document it.

  • where criminal offence information is processed, identify a lawful condition for processing that information and document it.

Rights of the Individual

The Applicable data protection law states that individuals have the following rights in respect of the processing of their Personal Information:

The right to be informed:

The School will keep individuals informed of its processing activities through its privacy notices.

The right of access:

An individual may make a subject access request (see also Access to Personal Files & Medical Reports NI 1991) at any time to find out more about the Personal Information which the School holds on them. All requests must be made in writing to the Head Teacher.

The School is required to respond to a request within one month of receipt, but this can be extended by up to two months in the case of complex and/or numerous requests and, in such cases, the individual will be informed of the need for such extension.

The right to rectification:

If an individual informs the School that Personal Information held by the School is inaccurate or incomplete, the individual can request that it is rectified.

The right to erasure:

An individual is entitled to request that the School ceases to hold Personal Information it holds about them. The School is required to comply with a request for erasure unless the School has reasonable grounds to refuse.

The right to restrict processing:

An individual is entitled to request that the School stops processing the Personal Information it holds about them in certain circumstances.

The right to data portability:

An individual has the right to receive a copy of their Personal Information and use it for other purposes.

The right to object:

An individual is entitled to object to the School’s processing of their Personal Information.

Rights in relation to automated decision making and profiling:

An individual has the right to challenge any decision that is made about them on an automated basis (subject to certain exceptions).

The School is also required to comply with certain conditions if it uses Personal Information for profiling purposes.

Data Protection Officer – Julie Morrow (Business Manager)

The Data Protection Officer (DPO) will monitor adherence to this policy. The DPO will have the appropriate level of knowledge.

Privacy by Design

The School has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process Personal Information will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.

The data protection impact assessment will include:

  • Consideration of how Personal Information will be processed and for what purposes.

  • Assessment of whether the proposed processing of Personal Information is both necessary and proportionate to the purpose(s).

  • Assessment of the risks to individuals in processing the Personal Information.

  • What controls are necessary to address the identified risks and demonstrate compliance with legislation.

A data protection impact assessment is conducted by the Head Teacher on every business process periodically: at least once a year, and more frequently where the amount and/or sensitivity of the Personal Information processed so dictates, as part of the project calendar admission requirements, at every high-impact change, and/or at the request of the Data Protection Officer.

Data Retention & Disposal

The longer that Personal Information is retained, the higher the likelihood of accidental disclosure, loss, theft and/or the information growing stale. Any Personal Information kept by the School is managed in accordance with Holywood Steiner School's Disposal of Records Policy.

Data Breach

A data breach is any (potential) unintended loss of control over, or loss of, Personal Information within the School's environment. Preventing a data breach is the responsibility of all the School's staff and its workforce. In the event of a breach, the School's Data Breach Management Procedure will be referred to.

Third-Party Services and Subcontracting

The School may decide to contract with a third party for the collection, storage, or processing of data, including Personal Information; any such third parties are identified in the School's information asset register.

If the School decides to appoint a third party for the processing of Personal Information, this must be regulated in a written agreement in which the rights and duties of the School and of the subcontractor are specified.

A subcontractor shall be selected that will guarantee the technological and organisational security measures required in this Policy and provide sufficient guarantees with respect to the protection of the personal rights and the exercise of those rights.

The subcontractor is contractually obligated to process Personal Information only within the scope of the contract and the directions issued by the School.

Complaints

Complaints will be dealt with in line with the School’s complaints policy.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

The ICO’s details are as follows:
The Information Commissioner’s Office – Northern Ireland 3rd Floor
14 Cromac Place, Belfast BT7 2JB


Appendix one

Clear desk and screen Procedure

Rationale

At Holywood Steiner School, we believe privacy is important.

The purpose of this Clear Desk and Screen Procedure is to ensure that all staff are maintaining relevant security controls whilst using ICT in the workplace.

Procedure

Clear Desk Procedure

All staff must ensure that:

  • All sensitive School documents are locked away when not being used.

  • School offices must remain locked when not in use.

  • All removable media must remain locked away when not in use.

  • All laptops must be locked away when not in use.

  • All printers and photocopiers must be cleared of material immediately after use.

Clear Screen Procedure

All staff must ensure that:

  • All School computers require login authentication.

  • All School computer screens must be angled away from the view of unauthorised personnel.

  • All users must ensure that information sensitive to the School is not overlooked by anyone without a need to know.

  • Screens shall be cleared or locked when not in use; the automatic screen saver should be set to activate after 5 minutes of inactivity.

  • At the end of the working day, staff will shut down and switch off all School computers.

  • For computers accessed by pupils during session time, a pupil login is used that gives access only to the pupil-appropriate interface, not the staff desktop area.


DATA PROTECTION Policy Review History

Version 1.0
Revision Author: Peter Chambers
Summary of Changes: N/A
Date Approved: January 2021

Version 1.1
Revision Author: Peter Chambers
Summary of Changes:
  • ‘GDPR’ changed to ‘Applicable data protection law’.
  • DPO changed from Sonia Devenney to Julie Morrow.
Date Approved: November 2023