Data Protection Policy

Introductory Statement:

This policy was formulated by Staff and Board of Management of St. Mary’s N.S.. The purpose of the policy is to identify all manual and electronic personal data required to be collected and retained by the school; and to ensure that an effective management system for the collection and retention and processing of personal data is in place so the school complies with requirement of the Data Protection Act, 1988 and Data Protection (Amendment) Act, 2003.

 

Scope:

The policy applies to the collection, recording and processing of personal data, either in manual and or electronic form; including personal data held on school community (to include: teachers, Board of Management, students, parents/guardians of students, employee of school and other persons providing services within the school).

Data: means information in a form which can be processed. It includes electronic data (information on computer or information recorded with the intention of putting it on computer) and manual data (information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system).

Relevant filing system: means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Personal data: means data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Data Controller: A data controller is a person who, either alone or with others, controls the contents and use of personal data. The school can be considered to be the data controller, with the principal acting for the board of management in exercising the functions involved. 

 

This policy applies to all the school community (to include: teachers, Board of Management, students, parents/guardians of students, employee of school and other persons providing services within the school).

 

Rationale:

  • A policy on data protection is necessary to ensure that the school has proper procedures in place in relation to accountability and transparency for the collection, recording and processing of personal data
  • It is good practice to collect and record student progress so as to identify learning needs
  • The school recognised the importance of collecting and recording factual information accurately and storing it safely; to retain update information to facilitate and enable the principal and Board of Management to make decisions in respect of the efficient and effective running of the School.
  • The efficient collecting, recording and processing of data is also essential to ensure that there is consistency and continuity where there are changes of teachers and staff within the school and board of management and with students
  • A policy is necessary to ensure a school complies with legislation such as;
    • Education Act, Section 9g requiring a school to provide access to records to students over 18/parents
    • The Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003 (henceforth referred to as the Data Protection Acts)
    • Under Section 20 of the Education (Welfare) Act, 2000, the school must maintain a register of all students attending the school
    • Under section 20(5) of the Education (Welfare) Act, 2000, a principal is obliged to notify certain information relating to the child’s attendance in school and other matters relating to the child’s educational progress to the principal of another school to which a student is transferring
    • Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day
    • Under Section 28 of the Education (Welfare) Act, 2000, the data controller may supply personal data kept by him or her, or information extracted from such data, to the data controller of another prescribed body if he or she is satisfied that it will be used for a “relevant purpose” only
    • Under Section 14 of the Education for Persons with Special Educational Needs Act, 2004, the school is required to furnish to the National Council for Special Education (and its employees, which would include Special Educational Needs Organisers (“SENOs”)) such information as the Council may from time to time reasonably request
    • Under Section 26(4) of the Health Act, 1947 a School shall cause all reasonable facilities (including facilities for obtaining names and addresses of pupils attending the school) to be given to a health authority who has served a notice on it of medical inspection, e.g. a dental inspection
    • Under Children First: National Guidance for the Protection and Welfare of Children (2011) published by the Department of Children & Youth Affairs, schools, their boards of management and their staff have responsibilities to report child abuse or neglect to TUSLA – Child and Family Agency (or in the event of an emergency and the unavailability of TUSLA, to An Garda Síochána.

Relationship to School Ethos:

St. Mary’s N.S. promotes openness and co-operation between staff, parents and pupils as a means towards providing a caring environment through which a child can develop and grow to their full potential.

Goals & Objectives:

  • To ensure that the school complies with the Data Protection Acts
  • To ensure compliance by the school with the eight rules of data protection as set down by the Data Protection Commissioner based on the Acts (see below)
  • To ensure that the data protection rights of the school community are safeguarded
  • To put in place a proper collecting, recording and reporting framework on the educational progress of students
  • To establish clear guidelines on making these records available to parents/guardians and past students who are over 18
  • To stipulate the length of time personal data will be retained

 

Key Measures:

The policy content is divided into two sections as follows:

  1. Details of all personal data which will be collected, the format in which it will be held and the purpose(s) for collecting the data in each case.

  2. Details of the arrangements in place to ensure compliance with the eight rules of data protection.

 

The Board of Management will assume the function of data controller; and the principal will assume the role of Data Protection Officer, where principal will have the responsibility for ongoing Data Protection compliance within the school.

The data under the control of the Board of Management is identified as follows.

  1. A. Details of all personal data which will be collected, the format in which it will be held and the purpose(s) for collecting the data in each case:

The personal data records collected and held by the school may include:

(1) Staff records: These may include:

  • Name, address and contact details, PPS number
  • Original records of application and appointment
  • Record of appointments to promotion posts
  • Details of approved absences (career breaks, parental leave, study leave etc.)
  • Details of work record (qualifications, classes taught, subjects etc.)
  • Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
    Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files

 

Location: These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

 

The Purpose for keeping staff records include:

  • To facilitate the payment of staff and to calculate other benefits / entitlements
  • To facilitate pension payments in the future, a record of promotions made
  • The management and administration of school business (now and in the future)
  • Human resources management
  • To enable the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment (including complying with its responsibilities under the Safety, Health and Welfare At Work Act. 2005)
  • To enable the school to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies
  • For compliance with legislation relevant to the school

 

(2) Student records:  These may include:

Information which may be sought and recorded at enrolment, including:

  • name, address and contact details, PPS number
  • names and addresses of parents/guardians and their contact details
  • religious belief
  • racial, ethnic or national origin
  • membership of the Traveller community, where relevant
  • Any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
  • Information on previous academic record / report cards
  • Diagnostic tests reports
  • Screening tests
  • Teacher designed tests
  • Psychological assessments
  • Individual education plans / IPLPs
  • Special education – records of consent / refusal to attend Learning support services
  • Portfolios of pupils work
  • Whether the student is exempt from Irish
  • Attendance Records
  • Academic record – standardised results as recorded on official school reports
  • Photographs and recorded images of students are taken to celebrate school achievements, compilation of newsletters, projects, website, twitter & to keep records for the history of the school
  • Records of significant achievements
  • Records of disciplinary issues and/or sanctions imposed
  • Other records e.g. records of any serious injuries/accidents etc.

 

Location: These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

Purposes for keeping student data/information include:

  • To enable each student to develop his/her full potential
  • To comply with legislative or administrative requirements, to ensure that eligible students can benefit from the relevant additional teaching or financial supports, to support the provision of religious instruction, to enable parent/guardians to be contacted in the case of emergency
  • To meet the educational, social, physical and emotional requirements of the student
  • Photographs and recorded images of students are taken to celebrate school achievements, compile yearbooks, establish a school website, record school events, and to keep a record of the history of the school. Such records are taken and used in accordance with the school policy
  • To ensure that the student meets the school’s admission criteria
  • To ensure that any student seeking an exemption from Irish meets the criteria in order to obtain such an exemption from the authorities
  • To furnish documentation/ information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and other Schools etc. in compliance with law and directions issued by government departments
  • To furnish, when requested by the student (or their parents/guardians in the case of a student under 18 years) documentation/information/ references to third-level educational institutions and/or prospective employers

 

(3) Board of Management records: These may include:

  • Name, address and contact details of each member of the board of management (including former members of the board of management)
  • Records in relation to appointments to the board
  • Minutes of board of management meetings and correspondence to the board this may include references to particular individuals.

 

Location: These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

 

Purpose for keeping Board of Management data/information include:

  • To enable the Board of Management to operate in accordance with the Education Act 1998 and other applicable legislation and to maintain a record of board appointments and decisions

 

(4) Other records: These may include:

The school will hold other records relating to parents/guardians or other persons involved with the school. These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

Location: These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

Purpose for keeping parents/guardians or other persons involved with the school data/information include:

  • To keep parent community informed of school related activities
  • Parent Association committee

(5) Creditors:  These may include:

The school may hold some or all of the following information about creditors (some of whom may be self-employed individuals):

  • Name
  • Address
  • Contact details
  • PPS number
  • Tax details
  • Bank details
  • Amount paid

Location: These records will be kept manually (for e.g., personal file within a filing system), and / or electronically (for e.g., Personal Computer and or database).

Purpose for keeping creditors data/information includes:  Is required for routine management and administration of the school’s financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.

 (6) CCTV images/recordings:

Categories: C.C.T.V. is installed, externally i.e. perimeter walls/fencing and internally within the school as detailed in the school C.C.T.V. Policy.  These C.C.T.V. systems may record images of school community (to include: teachers, Board of Management, students, parents/guardians of students, employee of school and other persons providing services within the school) and members of the public who visit the school premises.

Purpose: Safety an-d security of school community (to include: teachers, Board of Management, students, parents/guardians of students, employee of school and other persons providing services within the school) and members of the public who visit the school premises and to safeguard school property and equipment.

Location: Cameras are located externally and internally as detailed in the school CCTV Policy.  The CCTV recording equipment is located in the Comms Room.

Security: Access to images/recordings is restricted to Senior Management of the school (e.g. the principal & deputy principal). Tapes, DVDs, hard disk recordings are retained for 28 days, except if required for the investigation of an incident (to include criminal, civil or disciplinary matter). Images/recordings may be viewed or made available in accordance with section 8 Data Protection Acts 1988 and 2003.

(7) Security of personal data:

In general all manual data and electronic data – will be held in a secure location, where only persons who are authorised to use the data will have access.  Appropriate technical and organisational measures will be taken to ensure the security of personal data, according to whether personal data is in manual or electronic form; for example manual data will be kept in a secure filing cabinet within a locked office.  Electronic data will be kept password protected on PCs, and cloud based storage protected by up to date security and enhanced data protection and controlled password protected access to information, relevant to each staff member’s role/duties.

School staffs are required to maintain the confidentiality of all personal data to which they have access.  Aladdin should only be accessed through school devices, while on the school premises. Personal e-mail should not be accessed through school devices. Where personal data has been released accidentally or otherwise not in accordance with the Data Protection Acts, the breach shall be reported to the Data Protection Officer.

Details of arrangements in place to ensure compliance with the

Eight rules of Data Protection:

This policy outlines the arrangements in place to ensure that all personal data records held by the school are collected, retained and processed in accordance with the following eight rules of data protection (based on the Data Protection Acts):

  1. Obtain and process information fairly
  2. Keep it only for one or more specified, explicit and lawful purposes
  3. Use and disclose it only in ways compatible with these purposes
  4. Keep it safe and secure
  5. Keep it accurate, complete and up-to-date
  6. Ensure that it is adequate, relevant and not excessive
  7. Retain it for no longer than is necessary for the purpose or purposes
  8. Give a copy of his/her personal data to that individual on request.

The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However, guidance material published on the Data Protection Commissioner’s website states the following:

“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”

See Appendix 1 for a sample statement which could be included on relevant forms when personal information is being requested.

  1. Obtain and process Personal Data fairly: Information on students is gathered with the help of parents/guardians and staff. Information is also transferred from their previous schools. In relation to information the school holds on other individuals (members of staff, individuals applying for positions within the School, parents/guardians of students etc.), the information is generally furnished by the individuals themselves with full and informed consent and compiled during the course of their employment or contact with the School. All such data is treated in accordance with the Data Protection Acts and the terms of this Data Protection Policy. The information will be collected and processed fairly.

 

  1. Keep it only for one or more specified and explicit lawful purposes: The school will inform individuals of the reasons they collect their data and will inform individuals of the uses to which their data will be put.  All information is kept with the best interest of the individual in mind at all times.

 

  1. Process it only in ways compatible with the purposes for which it was given initially: Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. Information will only be disclosed on a need to know basis, and access to it will be strictly controlled.

 

  1. Keep Personal Data safe and secure: Only those with a genuine reason for doing so may gain access to the information. Sensitive Personal Data is securely stored under lock and key in the case of manual records and protected with firewall software and password protection in the case of electronically stored data. Portable devices storing personal data (such as laptops) should be encrypted and password protected before they are removed from the school premises. Confidential information will be stored securely and in relevant circumstances, it will be placed in a separate file which can easily be removed if access to general records is granted to anyone not entitled to see the confidential data.

 

  1. Keep Personal Data accurate, complete and up-to-date: Students, parents/guardians, and/or staff should inform the school of any change which the school should make to their personal data and/or sensitive personal data to ensure that the individual’s data is accurate, complete and up-to-date. Once informed, the school will make all necessary changes to the relevant records. The principal may delegate such updates/amendments to another member of staff. However, records must not be altered or destroyed without proper authorisation. If alteration/correction is required, then a note of the fact of such authorisation and the alteration(s) to be made to any original record/documentation should be dated and signed by the person making that change.

 

  1. Ensure that it is adequate, relevant and not excessive: Only the necessary amount of information required to provide an adequate service will be gathered and stored.

 

  1. Retain it no longer than is necessary for the specified purpose or purposes for which it was given:

As a general rule, the information will be kept for the duration of the   individual’s time in the school. Thereafter, the school will comply with DES guidelines on the storage of Personal Data and Sensitive Personal Data relating to a student.  In the case of members of staff, the school will comply with both DES guidelines and the requirements of the Revenue Commissioners with regard to the retention of records relating to employees.  The school may also retain the data relating to an individual for a longer length of time for the purposes of complying with relevant provisions of law and or/defending a claim under employment legislation and/or contract and/or civil law. A Records Retention Policy is attached to this policy. It outlines how long each piece of data will be kept for.

  • School registers and roll books are required to be kept indefinitely within the school. Consideration is being given to amending the Data Protection Acts to allow schools to deposit completed school registers and roll books which are no longer required for administrative purposes with the Local Authority Archive Service. The Department will notify schools of any changes to the Acts in this regard
  • Pay, taxation and related school personnel service records should be retained indefinitely within the school
  • Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving school personnel/students or accidents occurring on school property), the relevant records should be retained until the possibility of litigation ceases
  • Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge post dates their 18th While schools may wish to draw up their own policies as to how long to retain such records, it would appear prudent not to destroy records likely to be relevant in litigation at least until the six year limitation period has expired.
  • In line with the above, it is suggested that the information on student files might, as a general rule, be retained for a period of six years after the student has completed the Senior Cycle and/or reached the age of 18.
  1. Provide a copy of their personal data to any individual, on request:

Individuals have a right to know what personal data/sensitive personal data is held about them, by whom, and the purpose for which it is held.

Links to other policies and to curriculum delivery:

St. Mary’s N.S. policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place or being developed or reviewed, shall be examined with reference to the data protection policy and any implications which it has for them shall be addressed.

The following policies may be among those considered:

  • Child Protection Policy
  • Anti-Bullying Policy
  • Code of Behaviour
  • Mobile Phone Policy
  • Enrolment Policy
  • C.T.V. Policy
  • Substance Use Policy
  • C.T. Acceptable Usage Policy
  • S.P.H.E.

Processing in line with data subject’s rights:

Data in this school will be processed in line with the data subjects’ rights.

Data subjects have a right to:

(a)        Request access to any data held about them by the data controller

(b)        Prevent the processing of their data for direct-marketing purposes

(c)        Ask to have inaccurate data amended

(d)        Prevent processing that is likely to cause damage or distress to themselves or anyone else.

Dealing with a data access requests:

Section 3 access request:

Under Section 3 of the Data Protection Acts, an individual has the right to be informed whether the school holds data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept.  The individual must make this request in writing and the data controller will accede to the request within 21 days.

The right under Section 3 must be distinguished from the much broader right contained in Section 4, where individuals are entitled to a copy of their data.

Section 4 access request:

Individuals are entitled to a copy of their personal data on written request.

  • The individual is entitled to a copy of their personal data (subject to some exemptions and prohibitions set down in Section 5 of the Data Protection Act)
  • Know the purpose/s for processing his/her data
  • Request must be responded to within 40 days
  • Fee may apply but cannot exceed €6.35
  • Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the school as data controller to comply with the second request (no time limit but reasonable interval from the date of compliance with the last access request.) This will be determined on a case-by-case basis.
  • No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable would the school refuse to furnish the data to the applicant.

Providing information over the phone:

In general, St. Mary’s N.S,’ policy is not to disclose any personal data held by the school over the phone when dealing with telephone enquiries.  However, where a telephone enquiry is from a recognised legitimate person, the call taker at the school will, having been authorised by the Data Controller, provide the personal data.  Where personal data is provided over the phone, the call taker will make a record of the time, date and to whom the request was made and what personal data was processed.

Implementation arrangements, roles & responsibilities:

In St. Mary’s N.S. the Board of Management is the data controller and the principal as Data Protection Officer will co-ordinate the implementation of this Data Protection Policy and will have responsibility for data protection compliance within the school and will process personal data on behalf of the Board of Management.

The following personnel have responsibility for implementing the Data Protection Policy:

Name                                                  Responsibility

Board of management:                       Data Controller

Principal:                                             Data Protection Officer

School Community:                             Awareness of and the implementation of the school policy on data protection.

Ratification & Communication:

When the Data Protection Policy has been ratified by the Board of Management, it becomes the school’s agreed Data Protection Policy. It will then be dated and circulated within the school community. The school community must be familiar with the Data Protection Policy and ready to put it into practice in accordance with the specified implementation arrangements.  It is important that all concerned are made aware of any changes implied in recording information on the school community.

Parents/guardians and students will be informed of the Data Protection Policy from the time of enrolment of the student e.g. by including the Data Protection Policy as part of the Enrolment Pack, by either enclosing it or incorporating it as an appendix to the enrolment form.

 

Monitoring the implementation of the policy:

The implementation of the policy shall be monitored by the principal and a sub-committee of the board of management.

 

At least one annual report will be issued to the board of management to confirm that the actions/measures set down under the policy are being implemented.

 

Reviewing & evaluating the policy:

The policy will be reviewed and evaluated at certain pre-determined times and as necessary. On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or the NEWB), legislation and feedback from the school community. The policy will be revised as necessary in the light of such review and evaluation and within the framework of school planning. Review of policy will also include consideration of the following:

  • School community are aware of the policy
  • Requests for access to personal data are dealt with effectively
  • Personal data records are up-to-date and accurate
  • Personal data records are held securely
  • Personal data records are retained only for as long as necessary.

 

Designed By