Policies & GDPR
Some of our policies are below. They are regularly reviewed and changed by our Governing Body. If you wish to have a paper copy of any of these policies, please request them at reception.
Policies that apply to the whole of the Hawkswood Group can be found on the main 'Hawkswood Group' page.
We review our Safeguarding Suite of Policies annually to ensure compliance with current guidance but the important thing is implementation and the impact of our policies. Therefore, we constantly check compliance and evaluate the impact of what we do. Our Policies have also been cascaded out to all staff and governors.
General Data Protection Regulation (GDPR)
Schools handle a large amount of personal data. This includes information on pupils, such as grades, medical information, images and much more. Schools will also hold data on staff, governors, volunteers and job applicants.
Schools will also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership. This data is already governed by existing DPA regulations, which ensure personal data is handled lawfully. However, the new GDPR has gone further and requires organisations to document how and why they process all personal data, and gives enhanced rights to the individual.
From 25th May 2018, any data subject (that’s someone whose data the school holds) can exercise certain rights with regard to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask the school to erase all their details. Under the new law, an individual could ask for their data in a portable form so they can pass it on to another organisation.
The school would be legally obliged to carry out these requests within 28 days of the request being given.
Key changes for schools
Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
Schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant with the new regulations.
Processor agreements: for any third-party processors the school must have contracts in place stipulating that personal data is handled in compliance with the GDPR.
Reporting a data breach: if personal data has been put at risk, schools may be required to inform the ICO, and in some cases, the individual at risk. This would be done within 72 hours of the breach being discovered.
Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and there is a culture of data compliance is crucial.
Impact at Burnside Secondary School PRU
Key changes for leaders:
We now have secure records for holding and distributing data and all data taken off-site is recorded and monitored.
Our DPO is Maryline Alvis, an Education Data Protection Officer for the London Borough of Waltham Forest.
All third-party processors now have contracts in place to ensure that personal data is handled in compliance with the GDPR.
All data breaches will be reported within 72 hours of the breach being discovered.
All of the Burnside Secondary School PRU staff have already received or will be receiving training over the next few weeks. This will be an ongoing process to ensure all staff are up to date with expectations and changes regularly.