A Guide to Essential Policies and Notices

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 5th of July, with our Data Protection Consultant Falguni Bhatt. This session focused on: why having policies in place matters, the policies we recommend, the detail required, and our suggestions on how to make your policies and notices accessible to all.

Why does having policies in place matter?

Policies and procedures provide clarity and consistency, by communicating what people need to do and why.

A key element of the Data Protection Act 2018 and UK General Data Protection Regulation is a school’s need to provide accessible information to individuals about the use of personal data.

Although you may feel frustrated by the number of policies you need to have in place, it’s important to remember they are for the benefit of your school or Trust.

Your policies and procedures provide your staff with enough direction to understand their roles and responsibilities regarding data protection and information governance. They can also communicate goals to staff, e.g., your Data Breach policy instils confidence in parents or suppliers that you have a plan of action in place.

The requirement for every data controller to have a written policy is not explicitly stated in the UK GDPR. However, in most cases, it would be a good idea to have one as it helps you to meet your obligations under the law.

A written document helps demonstrate the framework on how your school or Trust is taking technical and organisational measures to ensure compliance as well as good practice. This is an important part of achieving the UK GDPR's Accountability principle.

We recommend having your key policies like the Data Protection policy and Privacy Notices signed off by your Governing Body.

Poll 1

Recommended policies 

Judicium can provide templates to our data protection clients and will work with clients to tailor policies specifically to the needs of your school or Trust.

Data Protection Policy

A Data Protection Policy is a statement that sets out how your organisation protects personal data. It is a set of principles, rules and guidelines that informs how you will ensure ongoing compliance with data protection laws.

It should:

• Recognise the data protection principles.
• Recognise the rights of individuals set out by the UK GDPR
• Explain how guidelines are put in to practice in relation to your processing.
• Address how your organisation makes decisions about the management of personal data.
  • For example, it might refer to governance and oversight, including who undertakes the task of reviewing practices and ensuring the policies are being followed.

NB: You don't need to describe every procedure in great detail. For example, for the data minimisation principle you can use phrases such as, “We will not collect excessive data and ensure any personal data collected is adequate and relevant for the intended purposes.”

It might be more appropriate to set out detailed procedures in a separate document such as a separate document outlining your procedure for dealing with Subject Access Requests which would be informed, and referred to, by your Data Protection Policy.

Subject Access Request (SAR) Policy

It outlines the right of access to an individual’s personal data NB: It could be a separate policy or included as part of an appendix detailing the SAR procedure.

The SAR policy/procedure provides guidance to all individuals on how to make a SAR and for staff members on how SARs should be handled.

Data Breach Policy

Your school or Trust is obliged under Data Protection legislation to have an organisational framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. If a breach occurs, then the UK GDPR places the obligation on staff to report actual or suspected data breaches.

The policy sets out the procedure to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the school or Trust.

The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.

Data Retention Policy (Record Management)

Only keeping data for as long as it is necessary is one of the UK GDPR's principles. This area can easily be overlooked, especially when it comes to electronic records!

A data retention policy defines:

• Why the school/Trust stores data.
• How data is stored.
• The length of time data is stored.
• How to dispose of data once it is no longer required.

The Data retention policy plays a pivotal role in data management. The Data Retention schedule outlines how long specific records/data are retained for.

NB: We recommend all information be reviewed before destruction to determine if there are special factors which mean destruction should be delayed, e.g., any potential litigation, complaints, or grievances.

Freedom Of Information (FOI) Policy

The Freedom of Information Act (FOIA) gives the public a right of access to information held by public authorities unless exemptions apply. Anyone may request any information.

It is designed to increase public access to information. Your school should understand and recognise its responsibility and commit to promoting a culture of openness and transparency with all the information it holds to meet the requirements of the FOIA.

Your school may provide a substantial quantity of information which is already available to the public on its website. NB: We recommend adopting and maintaining a publication scheme which sets out what information you publish and how you publish it.

Your school should provide access to the information you hold when you receive a written request.

1. Let the requester know whether you hold the information, subject to any exemptions or fees notice.
2. Provide the information within 20 working days.

CCTV Policy

The purpose of this policy is to regulate the management, operation and use of the CCTV system (closed circuit television) at your school.

Schools are entitled to monitor activity if they have a lawful basis for doing so and this is communicated to individuals in advance.

You must place appropriate signage about use of CCTV and consider the security of the CCTV, i.e., is the data recorded encrypted?

In your CCTV policy, you need to explain the reasons why you’re using CCTV.

It should include:

• The lawful basis you’re relying on for gathering and using the CCTV footage.
• Who has responsibility for the CCTV?
• The security measures you have in place to protect the data you’re gathering.
• Who you’ll share the data with
• How long you’ll keep the data.

Biometrics Policy

This policy should outline the procedures your school or Trust follows when collecting and processing biometric data.

Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person.

This can include:

• Fingerprints
• Facial shape
• Retina and iris patterns
• Hand measurements

All biometric data is special category data under the UK GDPR. This means the data is more sensitive and requires additional protection as it could create more significant risks to a person’s fundamental rights and freedoms.

The above are the main policies we recommend. However, further policies your school should have in place include: an IT/e-safety policy, Information Security, an Acceptable Use Policy, a social media policy, etc.

Poll 2

Privacy Notices 

Your school or Trust must create and circulate a privacy notice. It’s a document given to data subjects explaining how their personal data is being collected and used.

A School is required to have a privacy policy as it helps to comply with two of UK GDPR core principles:

1. It promotes transparency. It gives individuals the chance to see what data is being collected, why and how it’s being used, and how long it will be kept.
2. It gives individuals the information they need to decide whether to exercise their data subject rights. These are eight privileges enshrined by the GDPR that enable individuals to challenge or request changes to the way their personal data is used.

Privacy notices must be shared with the individuals.

What details should be included in your policies? 

You should include:

• DPO contact and/or your school/Trust Data protection Lead contact details.
• Check content, ensuring the policy refers to the correct legislation.
• Up to date document control.
• Policy was reviewed and include the next review date.

Your DPO should review these policies for you. If you have Judicium’s DPO service, we review these policies annually during your audit, or sooner if required.

How do you make your policies accessible to all?

Top Tips

• Create a Data Protection tab on the website and upload all the data related policies and Privacy Notices.
• If you have a staff drive, utilise it so staff have access to the documents or a hard copy in a folder.
• When policies are updated, ensure you remove the old ones and replace with latest versions.

Sharing Privacy Notices

We recommend sharing your Privacy Notices annually with the relevant individuals:

• New pupils and parents - include the Privacy Notice as part of their Welcome pack.
• Existing pupils – share your privacy notice with parents/carers at least once every academic year.
• New staff - include the Privacy Notice for staff when sending out the employment contract or during induction.
• Existing staff - send annual reminders to all staff members.
• Job Applicants – Your Privacy Notice for applicants should be made available with the job advert. NB: You can also upload onto the Job Vacancy section on the school’s website
• Governors - share annually. NB: You can make it available on Governor Hub if this is used by your school/Trust or send to the Clerk to Governors who can share it with all the Governing Body.
• Visitors – You can include this within the school's electronic sign-in system, share a link to the website on the sign-in system, or provide a physical copy near the signing in area.

Top 3 Takeaways  

1. Have your policies in place.
2. Review them annually (or sooner when necessary).
3. Keep them accessible using a shared drive and your website.

 

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

IRMS Toolkit for Schools

Previous Sofa Session Notes on SAR Redactions, Exemptions and Excessive Requests

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.