RICKMANSWORTH SCHOOL ENTERPRISES LIMITED
Data Protection Policy 2024-25
|
Version: |
2 |
|
Version Author: |
Emma Gritten |
|
Version Ratified By: |
Directors |
|
Date Version Ratified: |
11 December 2024 |
|
SLT’s Lead |
Emma Gritten |
|
Date this version issued: |
December 2024 |
|
Last Review Date: |
November 2023 |
|
Next Review Date: |
December 2025 |
|
Target Audience: |
Directors, Seconded Staff, Hirers, Gym members |
Data Protection Policy - Rickmansworth School Enterprises
Limited
Table of Contents
OVERVIEW 3 Purpose 3 Review Process 3
1. Policy Statement and Objectives 4 2. Status of the
Policy 4 3. Data Protection Officer 4 4. Definition of Terms 5 5. Data
Protection Principles 6 6. Specified, Explicit and Legitimate Purposes 9 7.
Adequate, Relevant and Limited to What is Necessary 9 8. Accurate and, Where
Necessary, Kept up to Date 10 9. Data to be Kept for no Longer than is
Necessary for the Purposes for Which the
Personal Data are Processed 11 10. Data to be Processed
in a Manner that Ensures Appropriate Security of the Personal Data 11 Appendix
1 – UK GDPR Clauses 19 Appendix 2 – Privacy Notices 20
Why do we collect and use hirer and gym member information?
20 Collecting hirer and gym member information 21 Storing hirer and gym member
data 21 Who do we share hirer and gym member information with? 22 Requesting
access to your personal data 22 No fee usually required 23 What we may need
from you 23
RIGHT TO WITHDRAW CONSENT 23 DATA PROTECTION OFFICER 23
CHANGES TO THIS PRIVACY NOTICE 24
Data Protection Policy - Rickmansworth School Enterprises
Limited
OVERVIEW
Purpose
The objectives of this Data Protection Policy are to ensure
that Rickmansworth School Enterprises Limited (RSEL) and its directors and
seconded staff are informed about, and comply with, their obligations under the
UK General Data Protection Regulation (‘UK GDPR’), the Data Protection
Act 2018 (‘DPA’), and other regulations (together ‘the UK Data
Protection Legislation’).
A reference copy of this document is kept on the shared
drive and it will be brought to the attention of all members of staff.
Review Process
This document will be reviewed in accordance with our policy
review process on a yearly basis or on the introduction of new or amended
relevant legislation.
Tony Walker DIRECTOR
Matt Fletcher DIRECTOR
Data Protection Policy - Rickmansworth School Enterprises
Limited
1. Policy Statement and Objectives
1.1 The objectives of this Data Protection Policy are to
ensure that Rickmansworth School Enterprises Limited (RSEL) and its directors
and seconded staff are informed about, and comply with, their obligations under
the UK General Data Protection Regulation (“the UK GDPR”) and other data
protection legislation.
1.2 RSEL is a trading subsidiary of Rickmansworth School and
is the Data Controller for all the Personal Data processed by RSEL.
1.3 Everyone has rights with regard to how their personal
information is handled. During the course of our activities we will process
personal information about a number of different groups of people and we
recognise that we need to treat it in an appropriate and lawful manner.
1.4 The type of information that we may be required to
handle include hirers’ and gym members’ information and other individuals that
we communicate with. The information, which may be held on paper or on a
computer or other media, is subject to certain legal safeguards specified in
the UK GDPR and other legislation. The UK GDPR imposes restrictions on how we
may use that information.
1.5 This policy does not form part of any employee’s
contract of employment and it may be amended at any time. Any breach of this
policy by members of seconded staff will be taken seriously and may result in
disciplinary action and serious breaches may result in dismissal. Breach of the
UK GDPR may expose RSEL to enforcement action by the Information Commissioner’s
Office (ICO), including the risk of fines. Furthermore, certain breaches of the
Act can give rise to personal criminal liability for RSEL’s seconded employees.
At the very least, a breach of the UK GDPR could damage our reputation and have
serious consequences for RSEL, its controlling shareholder Rickmansworth School
and for our stakeholders.
2. Status of the Policy
2.1 This policy has been approved by the Directors of RSEL.
It sets out our rules on data protection and the legal conditions that must be
satisfied in relation to the obtaining, handling, processing, storage,
transportation and destruction of personal information.
3. Data Protection Officer
3.1 The Data Protection Officer (the “DPO”) is responsible
for ensuring that RSEL is compliant with the UK data protection legislation and
with this policy. This post is held by Mr Matthew Lantos,
DPO@rickmansworth.herts.sch.uk. Any questions or concerns about the operation
of this policy should be referred in the first instance to the DPO.
3.2 The DPO will play a major role in embedding essential
aspects of the UK GDPR into RSEL’s culture, from ensuring the data protection
principles are respected to
Data Protection Policy - Rickmansworth School Enterprises
Limited
preserving data subject rights, recording data processing
activities and ensuring the security of processing.
3.3 The DPO should be involved, in a timely manner, in all
issues relating to the protection of personal data. To do this, the UK GDPR
requires that DPOs are provided with the necessary support and resources to
enable the DPO to effectively carry out their tasks. Factors that should be
considered include the following:
3.3.1 senior management support;
3.3.2 time for DPOs to fulfil their duties;
3.3.3 adequate financial resources, infrastructure
(premises, facilities and equipment) and seconded staff where
appropriate;
3.3.4 official communication of the designation of the DPO
to make known existence and function within the organisation;
3.3.5 access to other services, such as HR, IT and security,
who should provide support to the DPO;
3.3.6 continuous training so that DPOs can stay up to date
with regard to data protection developments;
3.3.7 where a DPO team is deemed necessary, a clear
infrastructure detailing roles and responsibilities of each team member;
3.3.8 whether RSEL should give the DPO access to external
legal advice to advise the DPO on their responsibilities under this Data
Protection Policy. 3.4 The DPO is responsible for ensuring that RSEL’s
Processing operations adequately safeguard Personal Data, in line with legal
requirements. This means that the governance structure within RSEL must ensure
the independence of the DPO.
3.5 RSEL will ensure that the DPO does not receive
instructions in respect of the carrying out of their tasks, which means that
the DPO must not be instructed how to deal with a matter, such as how to
investigate a complaint or what result should be achieved. Further, the DPO
should report directly to the highest management level, i.e. the
Directors.
3.6 The requirement that the DPO reports directly to the
directors ensures that the directors are made aware of the pertinent data
protection issues. In the event that RSEL decides to take a certain course of
action despite the DPO's advice to the contrary, the DPO should be given the
opportunity to make their dissenting opinion clear to the Directors and to any
other decision makers.
3.7 If you consider that the policy has not been followed in
respect of Personal Data about yourself or others, you should raise the matter
with the DPO.
4. Definition of Terms
4.1 Biometric Data means Personal Data resulting from
specific technical processing relating to the physical, physiological or
behavioural characteristics of a natural person, which allow or confirm the
unique identification of that natural person, such as facial images;
4.2 Consent of the Data Subject means any freely given,
specific, informed and unambiguous indication of the Data Subject’s wishes by
which he or she, by a
Data Protection Policy - Rickmansworth School Enterprises
Limited
statement or by a clear affirmative action, signifies
agreement to the processing of Personal Data relating to him or her;
4.3 Data is information which is stored electronically, on a
computer, or in certain paper-based filing systems or other media such as
CCTV;
4.4 Data Subjects for the purpose of this policy include all
living individuals about whom we hold Personal Data. A Data Subject need not be
a UK national or resident. All Data Subjects have legal rights in relation to
their Personal Data.
4.5 Data Controllers means the natural or legal person,
public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of Personal Data.
4.6 Data Users include employees, hirers, gym members or
others whose work involves using Personal Data. Data Users have a duty to
protect the information they handle by following our data protection and
security policies at all times;
4.7 Data Processors means a natural or legal person, public
authority, agency or other body which processes Personal Data on behalf of the
Data Controller; 4.8 Personal Data means any information relating to an
identified or identifiable natural person (‘Data Subject’); an identifiable
natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;
4.9 Personal Data Breach means a breach of security leading
to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, Personal Data transmitted, stored or otherwise
processed;
4.10 Privacy by Design means implementing appropriate
technical and organisational measures in an effective manner to ensure
compliance with the UK GDPR; 4.11 Processing means any operation or set of
operations which is performed on
Personal Data or on sets of Personal Data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction;
4.12 Special Category Data means Personal Data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual
orientation.
5. Data Protection Principles
5.1 Anyone processing Personal Data must comply with the
enforceable principles of good practice. These provide that Personal Data must
be:
5.1.1 processed lawfully, fairly and in a transparent manner
in relation to individuals;
5.1.2 collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those
purposes; further
Data Protection Policy - Rickmansworth School Enterprises
Limited
processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes shall not be
considered to be incompatible with the initial purposes;
5.1.3 adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed;
5.1.4 accurate and, where necessary, kept up to date; every
reasonable step must be taken to ensure that Personal Data that are inaccurate,
having regard to the purposes for which they are processed, are erased or
rectified without delay;
5.1.5 kept in a form which permits identification of Data
Subjects for no longer than is necessary for the purposes for which the
Personal Data are processed; Personal Data may be stored for longer periods
insofar as the Personal Data will be processed solely for archiving purposes in
the public interest, scientific or historical research purposes or statistical
purposes subject to implementation of the appropriate technical and
organisational measures required by the UK GDPR in order to safeguard the rights
and freedoms of individuals; and
5.1.6 Processed in a manner that ensures appropriate
security of the Personal Data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures.
5.2 Processed lawfully, fairly and in a transparent
manner
5.2.1 The UK GDPR is intended not to prevent the processing
of Personal Data, but to ensure that it is done fairly and without adversely
affecting the rights of the Data Subject. The Data Subject must be told who the
Data Controller is (in this case RSEL), who the Data Controller’s
representative is (in this case the DPO), the purpose for which the data is to
be Processed by us, and the identities of anyone to whom the Data may be
disclosed or transferred.
5.2.2 For Personal Data to be processed lawfully, certain
conditions have to be met. These may include:
5.2.2.1 where we have the Consent of the Data Subject;
5.2.2.2 where it is necessary for compliance with a legal
obligation; 5.2.2.3 where processing is necessary to protect the vital
interests of the Data Subject or another person;
5.2.2.4 where it is necessary for the performance of a task
carried out in the public interest or in the exercise of official authority
vested in the controller.
5.2.3 Personal data may only be processed for the specific
purposes notified to the Data Subject when the data was first collected, or for
any other purposes specifically permitted by the Act. This means that Personal
Data must not be collected for one purpose and then used for another. If it
becomes necessary to change the purpose for which the data is processed, the
Data Subject must be informed of the new purpose before any processing
occurs.
5.3 Special Category Data
Data Protection Policy - Rickmansworth School Enterprises
Limited
5.3.1 On occasions RSEL will be processing Special Category
Data about our stakeholders. We recognise that the law states that this type of
Data needs more protection. Therefore, Data Users must be more careful with the
way in which we process Special Category Data.
5.3.2 When Special Category Data is being processed, as well
as establishing a lawful basis (as outlined in paragraph 5.1 above), a separate
condition for processing it must be met. In most cases the relevant conditions
are likely to be that:
5.3.2.1 the Data Subject’s explicit consent to the
processing of such data has been obtained
5.3.2.2 processing is necessary for reasons of substantial
public interest, on the basis of UK law which shall be proportionate to the aim
pursued, where we respect the essence of the right to data protection and
provide for suitable and specific measures to safeguard the fundamental rights
and the interests of the Data Subject;
5.3.2.3 processing is necessary to protect the vital
interests of the Data Subject or of another natural person where the Data
Subject is physically or legally incapable of giving consent;
5.3.2.4 processing is necessary for the purposes of carrying
out the obligations and exercising specific rights of the Data Controller or of
the Data Subject in the field of employment law in so far as it is authorised
by UK law or a collective agreement providing for appropriate safeguards for
the fundamental rights and the interests of the Data Subject.
5.6 Transparency
5.6.1 One of the key requirements of the UK GDPR relates to
transparency. This means that RSEL must keep Data Subjects informed about how
their Personal Data will be processed when it is collected.
5.6.2 One of the ways we provide this information to
individuals is through a privacy notice which sets out important information
about what we do with their Personal Data. RSEL has developed privacy notices
for the following categories of people:
5.6.2.1 Hirers and gym members
5.6.3 RSEL wishes to adopt a layered approach to keeping
people informed about how we process their Personal Data. This means that the
privacy notice is just one of the tools we will use to communicate this
information. Employees are expected to use other appropriate and proportionate
methods to tell individuals how their Personal Data is being processed if
Personal Data is being processed in a way that is not envisaged by our privacy
notices and / or at the point when individuals are asked to provide their
Personal Data, for example, where Personal Data is collected about visitors to
the premises or if we ask people to complete forms requiring them to provide
their Personal Data.
Data Protection Policy - Rickmansworth School Enterprises
Limited
5.6.4 We will ensure that privacy notices are concise,
transparent, intelligible and easily accessible; written in clear and plain
language; and free of charge.
5.7 Consent
5.7.1 RSEL must only process Personal Data on the basis of
one or more of the lawful bases set out in the UK GDPR, which include Consent.
Consent is not the only lawful basis and there are likely to be many
circumstances when we process Personal Data and our justification for doing so
is based on a lawful basis other than Consent.
5.7.2 A Data Subject consents to Processing of their
Personal Data if they indicate agreement clearly either by a statement or
positive action to the Processing. Consent requires affirmative action so
silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If
Consent is given in a document which deals with other matters, then the Consent
must be kept separate from those other matters.
5.7.3 Data Subjects must be easily able to withdraw Consent
to Processing at any time and withdrawal must be promptly honoured. Consent may
need to be refreshed if we intend to Process Personal Data for a different and
incompatible purpose which was not disclosed when the Data Subject first
consented.
5.7.4 Unless we can rely on another legal basis of
Processing, Explicit Consent is usually required for Processing Special
Category Data. Often we will be relying on another legal basis (and not require
Explicit Consent) to Process most types of Sensitive Data.
5.7.5 Evidence and records of Consent must be maintained so
that RSEL can demonstrate compliance with Consent requirements.
6. Specified, Explicit and Legitimate Purposes
6.1 Personal data should only be collected to the extent
that it is required for the specific purpose notified to the Data Subject, for
example, in the Privacy Notice or at the point of collecting the Personal Data.
Any data which is not necessary for that purpose should not be collected in the
first place.
6.2 RSEL will be clear with Data Subjects about why their
Personal Data is being collected and how it will be processed. We cannot use
Personal Data for new, different or incompatible purposes from that disclosed
when it was first obtained unless we have informed the Data Subject of the new
purposes and they have Consented where necessary.
7. Adequate, Relevant and Limited to What is
Necessary
7.1 RSEL will ensure that the Personal Data collected is
adequate to enable us to perform our functions and that the information is
relevant and limited to what is necessary.
7.2 In order to ensure compliance with this principle, RSEL
will check records at appropriate intervals for missing, irrelevant or
seemingly excessive information and may contact Data Subjects to verify certain
items of data.
Data Protection Policy - Rickmansworth School Enterprises
Limited
7.3 Seconded employees must also give due consideration to
any forms stakeholders are asked to complete and consider whether all the
information is required. We may only collect Personal Data that is needed to
operate and we should not collect excessive data. We should ensure that any
Personal Data collected is adequate and relevant for the intended
purposes.
7.4 RSEL will implement measures to ensure that Personal
Data is processed on a ‘Need to Know’ basis. This means that the only members
of seconded staff or directors who need to know Personal Data about a Data
Subject will be given access to it and no more information than is necessary
for the relevant purpose will be shared. In practice, this means that RSEL may
adopt a layered approach in some circumstances, for example, members of
seconded staff or directors may be given access to basic information about a
hirer or gym member if they need to know it for a particular purpose but other
information about a Data Subject may be restricted to certain members of
seconded staff who need to know it, for example, where the information is
Special Category Data, relates to criminal convictions or offences or is
confidential in nature (for example, child protection or safeguarding
records).
7.5 When Personal Data is no longer needed for specified
purposes, it must be deleted or anonymised in accordance with RSEL’s data
retention guidelines.
8. Accurate and, Where Necessary, Kept up to Date
8.1 Personal data must be accurate and kept up to date.
Information which is incorrect or misleading is not accurate and steps should
therefore be taken to check the accuracy of any Personal Data at the point of
collection and at regular intervals afterwards. Inaccurate or out-of-date data
should be destroyed.
8.2 If a Data Subject informs RSEL of a change of
circumstances their records will be updated as soon as is practicable.
8.3 Where a Data Subject challenges the accuracy of their
data, RSEL will immediately mark the record as potentially inaccurate, or
‘challenged’. In the case of any dispute, we shall try to resolve the issue
informally, but if this proves impossible, disputes will be referred to the
Data Protection for their judgement. If the problem cannot be resolved at this
stage, the Data Subject should refer their complaint to the Information
Commissioner’s Office. Until resolved the ‘challenged’ marker will remain and
all disclosures of the affected information will contain both versions of the
information.
8.4 Notwithstanding paragraph 8.3, a Data Subject continues
to have rights under the UK GDPR and may refer a complaint to the Information
Commissioner’s Office regardless of whether the procedure set out in paragraph
8.3 has been followed.
Data Protection Policy - Rickmansworth School Enterprises
Limited
9. Data to be Kept for no Longer than is Necessary for
the Purposes for Which the Personal Data are Processed
9.1 Personal data should not be kept longer than is
necessary for the purpose for which it is held. This means that data should be
destroyed or erased from our systems when it is no longer required.
9.2 It is the duty of the DPO, after taking appropriate
guidance for legal considerations, to ensure that obsolete data are properly
erased. RSEL follows the School’s data retention policy.
10. Data to be Processed in a Manner that Ensures
Appropriate Security of the Personal Data
10.1 RSEL has taken steps to ensure that appropriate
security measures are taken against unlawful or unauthorised processing of
Personal Data, and against the accidental loss of, or damage to, Personal Data.
Data Subjects may apply to the courts for compensation if they have suffered
damage from such a loss.
10.2 The UK GDPR requires us to put in place procedures and
technologies to maintain the security of all Personal Data from the point of
collection to the point of destruction.
10.3 We will develop, implement and maintain safeguards
appropriate to our size, scope, our available resources, the amount of Personal
Data that we own or maintain on behalf of others and identified risks
(including use of encryption and Pseudonymisation where applicable). We will
regularly evaluate and test the effectiveness of those safeguards to ensure
security of our Processing of Personal Data.
10.4 Data Users are responsible for protecting the Personal
Data we hold. Data Users must implement reasonable and appropriate security
measures against unlawful or unauthorised Processing of Personal Data and
against the accidental loss of, or damage to, Personal Data. Data Users must
exercise particular care in protecting Special Category Data from loss and
unauthorised access, use or disclosure.
10.5 Data Users must follow all procedures and technologies
we put in place to maintain the security of all Personal Data from the point of
collection to the point of destruction. Data Users must comply with all
applicable aspects of our Data Protection Policy and e-Safety Policy and not
attempt to circumvent the administrative, physical and technical safeguards we
implement and maintain in accordance with the UK GDPR and relevant standards to
protect Personal Data.
10.6 Maintaining data security means guaranteeing the
confidentiality, integrity and availability of the Personal Data, defined as
follows:
10.6.1 Confidentiality means that only people who are
authorised to use the data can access it.
10.6.2 Integrity means that Personal Data should be accurate
and suitable for the purpose for which it is processed.
Data Protection Policy - Rickmansworth School Enterprises
Limited
10.6.3 Availability means that authorised users should be
able to access the data if they need it for authorised purposes.
10.7 It is the responsibility of all members of seconded
staff and directors to work together to ensure that the Personal Data we hold
is kept secure. We rely on our colleagues to identify and report any practices
that do not meet these standards so that we can take steps to address any
weaknesses in our systems. Anyone who has any comments or concerns about
security should notify the Lettings Administrator or the DPO.
10.8 Please see our Data Security Policy for details for the
arrangements in place to keep Personal Data secure:
10.9 Directors
10.9.1 Directors are likely to process Personal Data when
they are performing their duties. Directors should be trained on RSEL’s data
protection processes as part of their induction and should be informed about
their responsibilities to keep Personal Data secure. This includes:
10.9.1.1 Ensure that Personal Data which comes into their
possession as a result of their duties is kept secure from third parties,
including family members and friends;
10.9.1.2Ensure they are provided with a copy of
Rickmansworth School’s Data Security Policy.
10.9.1.3Using a work email account for any work-related
communications; 10.9.1.4Ensuring that any work-related communications or
information stored or saved on an electronic device or computer is password
protected and where required encrypted;
10.9.1.5Taking appropriate measures to keep Personal Data
secure, which includes ensuring that hard copy documents are securely locked
away so that they cannot be accessed by third parties.
10.9.2 Directors will be asked to read and sign an
Acceptable Use Agreement for Rickmansworth School.
11. Processing in line with Data Subjects’ rights
11.1 Data Subjects have rights when it comes to how we
handle their Personal Data. These include rights to:
11.1.1 withdraw Consent to Processing at any time;
11.1.2 receive certain information about the Data
Controller’s Processing activities;
11.1.3 request access to their Personal Data that we
hold;
11.1.4 prevent our use of their Personal Data for direct
marketing purposes; 11.1.5 ask us to erase Personal Data if it is no longer
necessary in relation to the purposes for which it was collected or Processed
or to rectify inaccurate data or to complete incomplete data;
11.1.6 restrict Processing in specific circumstances;
11.1.7 challenge Processing which has been justified on the
basis of our legitimate interests or in the public interest;
11.1.8 request a copy of an agreement under which Personal
Data is transferred outside of the UK;
Data Protection Policy - Rickmansworth School Enterprises
Limited
11.1.9 object to decisions based solely on Automated
Processing, including profiling (Automated Decision Making);
11.1.10 prevent Processing that is likely to cause damage or
distress to the Data Subject or anyone else;
11.1.11 be notified of a Personal Data Breach which is
likely to result in high risk to their rights and freedoms;
11.1.12 make a complaint to the supervisory authority (the
ICO); and 11.1.13 in limited circumstances, receive or ask for their Personal
Data to be transferred to a third party in a structured, commonly used and
machine readable format.
11.2 We are required to verify the identity of an individual
requesting data under any of the rights listed above. Members of seconded staff
should not allow third parties to persuade them into disclosing Personal Data
without proper authorisation.
12. Dealing with subject access requests
12.1 The UK GDPR extends to all Data Subjects a right of
access to their own Personal Data. A formal request from a Data Subject for
information that we hold about them must be made in writing. RSEL can invite a
Data Subject to complete a form but we may not insist that they do so.
12.2 It is important that all members of seconded staff are
able to recognise that a written request made by a person for their own
information is likely to be a valid Subject Access Request, even if the Data
Subject does not specifically use this phrase in their request or refer to the
UK GDPR. In some cases, a Data Subject may mistakenly refer to the “Freedom of
Information Act” but this should not prevent RSEL from responding to the
request as being made under the UK GDPR, if appropriate. Some requests may
contain a combination of a Subject Access Request for Personal Data under the
UK GDPR and a request for information under the Freedom of Information Act 2000
(“FOIA”). Requests for information under the FOIA must be dealt with promptly
and in any event within 20 working days.
12.3 Any member of seconded staff who receives a written
request of this nature must immediately forward it to the DPO as the statutory
time limit for responding is one calendar month.
12.4 As the time for responding to a request does not stop
during the periods when RSEL is closed for the holidays, we will attempt to
mitigate any impact this may have on the rights of data subjects to request
access to their data by implementing the following measures:
12.5 Utilising a general Data Protection email address that
will be monitored and if required has an out of office auto reply with
appropriate statements. 12.6 A fee may not be charged to the individual for
provision of this information. 12.7 RSEL may ask the Data Subject for
reasonable identification so that they can satisfy themselves about the
person’s identity before disclosing the information. 12.8 In order to ensure
that people receive only information about themselves it is essential that a
formal system of requests is in place.
12.9 Following receipt of a subject access request, and
provided that there is sufficient information to process the request, an entry
should be made in RSEL’s
Data Protection Policy - Rickmansworth School Enterprises
Limited
Subject Access log book, showing the date of receipt, the
Data Subject’s name, the name and address of requester (if different), the type
of data required, and the planned date for supplying the information (not more
than one calendar month from the request date). Should more information be
required to establish either the identity of the Data Subject (or agent) or the
type of data requested, the date of entry in the log will be the date on which
sufficient information has been provided.
12.10 Where requests are “manifestly unfounded or
excessive”, in particular because they are repetitive, RSEL can:
12.10.1 charge a reasonable fee taking into account the
administrative costs of providing the information; or
12.10.2 refuse to respond.
12.11 Where we refuse to respond to a request, the response
must explain why to the individual, informing them of their right to complain
to the supervisory authority and to a judicial remedy without undue delay and
at the latest within one month. Members of seconded staff should refer to any
guidance issued by the ICO on Subject Access Requests and consult the DPO
before refusing a request.
12.12 Certain information may be exempt from disclosure, so
members of seconded staff will need to consider what exemptions (if any) apply
and decide whether you can rely on them. For example, information about third
parties may be exempt from disclosure. In practice, this means that you may be
entitled to withhold some documents entirely or you may need to redact parts of
them. Care should be taken to ensure that documents are redacted properly.
Please seek further advice or support from the DPO if you are unsure which
exemptions apply.
13. Providing information over the telephone
13.1 Any member of seconded staff dealing with telephone
enquiries should be careful about disclosing any Personal Data held by RSEL
whilst also applying common sense to the particular circumstances. In
particular, they should: 13.1.1 Check the caller’s identity to make sure that
information is only given to a person who is entitled to it.
13.1.2 Suggest that the caller put their request in writing
if they are not sure about the caller’s identity and where their identity
cannot be checked. 13.1.3 Refer to their line manager or the DPO for assistance
in difficult situations. No-one should feel pressurised into disclosing
personal information.
14. Authorised disclosures
14.1 RSEL will only disclose data about individuals if one
of the lawful bases apply. 14.2 Only authorised and trained seconded staff are
allowed to make external disclosures of Personal Data. RSEL will regularly
share Personal Data with third parties where it is lawful and appropriate to do
so including, but not limited to, the following:
14.2.1 the Police or other law enforcement agencies
14.2.2 our legal advisors and other consultants
14.2.3 insurance providers
14.2.4 Courts, if ordered to do so;
Data Protection Policy - Rickmansworth School Enterprises
Limited
14.2.5 prevent teams in accordance with the Prevent Duty on
schools; 14.2.6 some of the organisations we share Personal Data with may also
be Data Controllers in their own right in which case we will be jointly
controllers of Personal Data and may be jointly liable in the event of any data
breaches
14.3 Data Sharing Agreements should be completed when
setting up ‘on-going’ or ‘routine’ information sharing arrangements with third
parties who are Data Controllers in their own right. However, they are not
needed when information is shared in one-off circumstances but a record of the
decision and the reasons for sharing information should be kept.
14.4 All Data Sharing Agreements must be signed off by the
Data Protection Officer who will keep a register of all Data Sharing
Agreements.
14.5 The UK GDPR requires Data Controllers to have a written
contract in place with Data Processors which must include specific clauses
relating to the way in which the data is Processed (“GDPR clauses”). A summary
of the UK GDPR requirements for contracts with Data Processors is set out in
Appendix 1. It will be the responsibility of RSEL to ensure that the UK GDPR
clauses have been added to the contract with the Data Processor. Personal data
may only be transferred to a third-party Data Processor if they agree to put in
place adequate technical, organisational and security measures
themselves.
14.6 In some cases, Data Processors may attempt to include
additional wording when negotiating contracts which attempts to allocate some
of the risk relating to compliance with the UK GDPR, including responsibility
for any Personal Data Breaches, onto RSEL. In these circumstances, the member
of seconded staff dealing with the contract should contact the DPO for further
advice before agreeing to include such wording in the contract.
15. Reporting a Personal Data Breach
15.1 The UK GDPR requires Data Controllers to notify any
Personal Data Breach to the ICO and, in certain instances, the Data Subject,
unless the data breach is unlikely to result in a risk to the
individuals.
15.2 A notifiable Personal Data Breach must be reported to
the ICO without undue delay and where feasible within 72 hours.
15.3 If the breach is likely to result in high risk to
affected Data Subjects, the UK GDPR, requires organisations to inform them
without undue delay. 15.4 It is the responsibility of the DPO, or the nominated
deputy, to decide whether to report a Personal Data Breach to the ICO.
15.5 We have put in place procedures to deal with any
suspected Personal Data Breach and will notify Data Subjects or any applicable
regulator where we are legally required to do so.
15.6 As RSEL is closed or has limited staff available during
school holidays, there will be times when our ability to respond to a Personal
Data Breach promptly and within the relevant timescales will be affected. We
will consider any proportionate measures that we can implement to mitigate the
impact this may have on Data Subjects when we develop our SECURITY INCIDENT
RESPONSE PLAN.
Data Protection Policy - Rickmansworth School Enterprises
Limited
15.7 If a member of seconded staff or director knows or
suspects that a Personal Data Breach has occurred, our SECURITY INCIDENT
RESPONSE PLAN must be followed. In particular, the DPO or such other person
identified in our Security Incident Response Plan must be notified immediately.
You should preserve all evidence relating to the potential Personal Data
Breach.
16. Accountability
16.1 RSEL must implement appropriate technical and
organisational measures in an effective manner, to ensure compliance with data
protection principles. RSEL is responsible for, and must be able to
demonstrate, compliance with the data protection principles.
16.2 RSEL must have adequate resources and controls in place
to ensure and to document UK GDPR compliance including:
16.2.1 appointing a suitably qualified DPO (where necessary)
and an executive team accountable for data privacy;
16.2.2 implementing Privacy by Design when Processing
Personal Data and completing Data Protection Impact Assessments (DPIAs) where
Processing presents a high risk to rights and freedoms of Data Subjects;
16.2.3 integrating data protection into internal documents
including this Data Protection Policy, related policies and Privacy
Notices;
16.2.4 regularly training seconded employees and directors
on the UK GDPR, this Data Protection Policy, related policies and data
protection matters including, for example, Data Subject’s rights, Consent,
legal bases, DPIA and Personal Data Breaches. RSEL must maintain a record of
training attendance by seconded personnel; and
16.2.5 regularly testing the privacy measures implemented
and conducting periodic reviews and audits to assess compliance, including
using results of testing to demonstrate compliance improvement effort.
17. Record keeping
17.1 The UK GDPR requires us to keep full and accurate
records of all our Data Processing activities.
17.2 We must keep and maintain accurate records reflecting
our Processing including records of Data Subjects’ Consents and procedures for
obtaining Consents. 17.3 These records should include, at a minimum, the name
and contact details of the
Data Controller and the DPO, clear descriptions of the
Personal Data types, Data Subject types, Processing activities, Processing
purposes, third-party recipients of the Personal Data, Personal Data storage
locations, Personal Data transfers, the Personal Data’s retention period and a
description of the security measures in place. In order to create such records,
data maps should be created which should include the detail set out above
together with appropriate data flows.
18. Training and audit
18.1 We are required to ensure all seconded personnel have
undergone adequate training to enable us to comply with data privacy laws. We
must also regularly test our systems and processes to assess compliance.
18.2 Members of seconded staff must attend all mandatory
data privacy related training.
19. Privacy by Design and Data Protection Impact Assessment
(DPIA)
Data Protection Policy - Rickmansworth School Enterprises
Limited
19.1 We are required to implement Privacy by Design measures
when Processing Personal Data by implementing appropriate technical and
organisational measures (like Pseudonymisation) in an effective manner, to
ensure compliance with data privacy principles.
19.2 This means that we must assess what Privacy by Design
measures can be implemented on all programs/systems/processes that Process
Personal Data by taking into account the following:
19.2.1 the state of the art;
19.2.2 the cost of implementation;
19.2.3 the nature, scope, context and purposes of
Processing; and
19.2.4 the risks of varying likelihood and severity for
rights and freedoms of Data Subjects posed by the Processing.
19.3 We are also required to conduct DPIAs in respect to
high risk processing. 19.3.1 RSEL should conduct a DPIA and discuss the
findings with the DPO when implementing major system or business change
programs involving the processing of personal data including:
19.3.1.1 use of new technologies (programs, systems or
processes), or changing technologies (programs, systems or processes);
19.3.1.2 automated processing including profiling and
ADM;
19.3.1.3large scale processing of sensitive data; and
19.3.1.4 large scale, systematic monitoring of a publicly
accessible area. 19.4 A DPIA must include:
19.5.1 a description of the Processing, its purposes and
RSEL’s legitimate interests if appropriate;
19.5.2 an assessment of the necessity and proportionality of
the Processing in relation to its purpose;
19.5.3 an assessment of the risk to individuals; and
19.5.4 the risk mitigation measures in place and
demonstration of compliance. 20. CCTV
21. Rickmansworth School uses CCTV in locations around the
school site. This is to: 21.1.1 protect school buildings and their
assets;
21.1.2 increase personal safety and reduce the fear of
crime;
21.1.3 support the Police in a bid to deter and detect
crime;
21.1.4 assist in identifying, apprehending and prosecuting
offenders; 21.1.5 provide evidence for RSEL to use in its internal
investigations and / or disciplinary processes in the event of behaviour by
seconded staff, hirers, gym members or other visitors on the site which
breaches or is alleged to breach RSEL’s policies;
21.1.6 protect members of RSEL community, public and private
property; and 21.1.7 assist in managing RSEL.
21.2 Please refer to Rickmansworth School’s CCTV Policy for
more information. 22. Policy Review
22.1 It is the responsibility of the School’s Governing Body
to facilitate the review of this policy on a regular basis. Recommendations for
any amendments should be reported to the DPO.
Data Protection Policy - Rickmansworth School Enterprises
Limited
22.2 We will continue to review the effectiveness of this
policy to ensure it is achieving its stated objectives.
23. Enquiries
23.1 Further information about RSEL’s Data Protection Policy
is available from the DPO.
23.2 General information about the Act can be obtained from
the Information Commissioner’s Office: www.ico.gov.uk
Document Control
|
Date modified |
Description of Modified by modification |
Data Protection Policy - Rickmansworth School Enterprises
Limited
Appendix 1 – UK GDPR Clauses
The UK GDPR requires the following matters to be addressed
in contracts with Data Processors. The wording below is a summary of the
requirements in the UK GDPR and is not intended to be used as the drafting to
include in contracts with Data Processors. 1. The Processor may only process
Personal Data on the documented instructions
of the controller, including as regards international
transfers. (Art. 28(3)(a)) 2. Personnel used by the Processor must be subject
to a duty of confidence. (Art. 28(3)(b))
3. The Processor must keep Personal Data secure. (Art.
28(3)(c) Art. 32) 4. The Processor may only use a sub-processor with the
consent of the Data Controller. That consent may be specific to a particular
sub-processor or general. Where the consent is general, the processor must
inform the controller of changes and give them a chance to object. (Art. 28(2)
Art. 28(3)(d)) 5. The Processor must ensure it flows down the UK GDPR
obligations to any sub-processor. The Processor remains responsible for any processing
by the sub-processor. (Art. 28(4))
6. The Processor must assist the controller to comply with
requests from individuals exercising their rights to access, rectify, erase or
object to the processing of their Personal Data. (Art. 28(3)(e))
7. The Processor must assist the Data Controller with their
security and data breach obligations, including notifying the Data Controller
of any Personal Data breach. (Art. 28(3)(f)) (Art. 33(2))
8. The Processor must assist the Data Controller should the
Data Controller need to carry out a privacy impact assessment. (Art.
28(3)(f))
9. The Processor must return or delete Personal Data at the
end of the agreement, save to the extent the Processor must keep a copy of the
Personal Data under UK law. (Art. 28(3)(g))
10. The Processor must demonstrate its compliance with these
obligations and submit to audits by the Data Controller (or by a third party
mandated by the controller). (Art. 28(3)(h))
11. The Processor must inform the Data Controller if, in its
opinion, the Data Controller’s instructions would breach UK law. (Art. 28(3))
Data Protection Policy - Rickmansworth School Enterprises
Limited
Appendix 2 – Privacy Notices
PRIVACY NOTICE FOR HIRERS AND GYM MEMBERS
Why do we collect and use hirer and gym member
information?
Our Data Protection Officer is Matthew Lantos and his email
address is DPO@rickmansworth.herts.sch.uk
We collect and use hirer and gym member information under
the following lawful bases: a. where we have the consent of the data subject
(Article 6 (a));
b. where it is necessary for compliance with a legal
obligation (Article 6 (c));
c. where processing is necessary to protect the vital
interests of the data subject or another person (Article 6(d));
d. where processing is necessary for the purposes of the
legitimate interests of RSEL (Article 6 (1)(f)]
Where the personal data we collect about hirers and gym
members is Special Category data, we will only process it where:
a. we have explicit consent;
b. processing is necessary to protect the vital interests of
the data subject or of another natural person where the data subject is
physically or legally incapable of giving consent; and / or
c. processing is necessary for reasons of substantial public
interest, on the basis of UK law which shall be proportionate to the aim
pursued, where we respect the essence of the right to data protection and
provide for suitable and specific measures to safeguard the fundamental rights
and the interests of the data subject.
Please see our Data Protection Policy for a definition of
Special Category data.
We use hirer and gym member data to support our functions of
running a lettings business, in particular:
a. to comply with the law regarding data sharing;
b. for the safe and orderly running of RSEL;
c. to promote RSEL;
d. to send you communications about your hire or gym
membership; e. in connection with any legal proceedings threatened or commenced
against RSEL.
The categories of hirer and gym member information that we
collect, hold and share include:
Data Protection Policy - Rickmansworth School Enterprises
Limited
a. Personal information (such as name, address, telephone
number and email address);
b. Bank details are held on our School Hire site and by RSEL
or ClubRight for gym members;
c. DBS and safeguarding information may be held where hirers
run activities for children or vulnerable adults
d. Qualifications and training information
From time to time and in certain circumstances, we might
also process personal data about hirers, some of which might be Special
Category data, information about criminal proceedings / convictions or
information about child protection / safeguarding. Where appropriate, such
information may be shared with external agencies such as the child protection
team at the Local Authority, the Local Authority Designated Officer and / or
the Police. Such information will only be processed to the extent that it is lawful
to do so and appropriate measures will be taken to keep the data secure.
We collect information about hirers and gym members before a
new letting or gym membership is accepted and update it when new information is
acquired.
Collecting hirer and gym member information
Whilst the majority of information about hirers and gym
members provided to us is required and provided for compliance with a legal
obligation, some of it is provided to us on a voluntary basis. In order to
comply with the General Data Protection Regulation, we will inform you whether
you are required to provide certain information to us or if you have a choice
in this. Where appropriate, we will ask hirers and gym members for consent to
process personal data where there is no other lawful basis for processing it,
for example where we wish to ask your permission to use your information for
marketing purposes. Hirers and gym members may withdraw consent given in these
circumstances at any time.
In addition, Rickmansworth School also uses CCTV cameras
around the school site for security purposes and for the protection of staff
and students. CCTV footage may be referred to during the course of disciplinary
procedures or investigate other issues. CCTV footage involving hirers and gym
members will only be processed to the extent that it is lawful to do so. Please
see Rickmansworth School’s CCTV policy for more details.
Storing hirer and gym member data
A significant amount of personal data is stored
electronically, for example, on our School Hire database for hirers or
ClubRight database for gym members. Some information may also be stored in hard
copy format.
Data Protection Policy - Rickmansworth School Enterprises
Limited
Data stored electronically may be saved on a cloud based
system which may be hosted in a different country.
We will only retain your personal information for as long as
necessary to fulfil the purposes we collected it for, including for the
purposes of satisfying any legal, accounting, insurance or reporting
requirements. To determine the appropriate retention period for personal data,
we consider the amount, nature, and sensitivity of the personal data, the
potential risk of harm from unauthorised use or disclosure of your personal
data, the purposes for which we process your personal data and whether we can
achieve those purposes through other means, and the applicable legal
requirements.
In some circumstances we may anonymise your personal
information so that it can no longer be associated with you, in which case we
may use such information without further notice to you. Once you are no longer
a hirer or gym member we will retain and securely destroy your personal
information in accordance with our data retention policy.
Who do we share hirer and gym member information
with?
From time to time, we may share hirer and gym member
information other third parties including the following:
· School Hire system for hirers and ClubRight system for gym
members · our local authority Hertfordshire County Council;
· directors;
· the Police and law enforcement agencies;
· Courts, if ordered to do so;
· Prevent teams in accordance with the Prevent Duty on
schools; · our legal advisors;
· our insurance providers / the Risk Protection
Arrangement;
Some of the organisations referred to above are joint data
controllers. This means we are all responsible to you for how we process your
data.
In the event that we share personal data about hirers and
gym members with third parties, we will provide the minimum amount of personal
data necessary to fulfil the purpose for which we are required to share the
data.
Requesting access to your personal data
Under data protection legislation, hirers and gym members
have the right to request access to information about them that we hold. To
make a request for your personal data, contact dpo@rickmansworth.herts.sch.uk
although any written request for personal data will be treated as a Subject
Access Request.
The legal timescales for RSEL to respond to a Subject Access
Request is one calendar month. As RSEL has limited staff resources outside of
term time, we encourage hirers
Data Protection Policy - Rickmansworth School Enterprises
Limited
and gym members to submit Subject Access Requests during
term time and to avoid sending a request during periods when RSEL is closed or
is about to close for the holidays where possible. This will assist us in
responding to your request as promptly as possible.
No fee usually required
You will not have to pay a fee to access your personal
information (or to exercise any of the other rights). However, we may charge a
reasonable fee if your request for access is manifestly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such
circumstances.
What we may need from you
We may need to request specific information from you to help
us confirm your identity and ensure your right to access the information (or to
exercise any of your other rights). This is another appropriate security
measure to ensure that personal information is not disclosed to any person who
has no right to receive it.
You also have the right to:
· object to processing of personal data that is likely to
cause, or is causing, damage or distress;
· prevent processing for the purpose of direct
marketing;
· object to decisions being taken by automated means;
· in certain circumstances, have inaccurate personal data
rectified, blocked, erased or destroyed; and
· claim compensation for damages caused by a breach of our
data protection responsibilities.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided
your consent to the collection, processing and transfer of your personal
information for a specific purpose, you have the right to withdraw your consent
for that specific processing at any time. To withdraw your consent, please
contact the Lettings Administrator. Once we have received notification that you
have withdrawn your consent, we will no longer process your information for the
purpose or purposes you originally agreed to, unless we have another legitimate
basis for doing so in law.
DATA PROTECTION OFFICER
We have appointed a data protection officer (DPO) to oversee
compliance with this privacy notice. If you have any questions about this
privacy notice or how we handle your personal information, please contact the
DPO Mr Matthew Lantos, DPO@rickmansworth.herts.sch.uk. You have the right to
make a complaint at any time to the Information Commissioner’s Office (ICO),
the UK supervisory authority for data protection issues.
Data Protection Policy - Rickmansworth School Enterprises
Limited
You can contact the Information Commissioner's Office on
0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/
or at the Information Commissioner's Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire. SK9 5AF.
CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any
time, and we will provide you with a new privacy notice when we make any
substantial updates. We may also notify you in other ways from time to time
about the processing of your personal information.