The purpose of a Privacy Notice
The Data Protection Act (2018) sets out in UK law the legal framework with which education settings and local authorities must comply when they process personal data. It is based on the EU General Data Protection Regulation (GDPR).
Providing accessible information to individuals about the use of their personal information (data) is a key element of their legal right to transparency as set out in the GDPR. Data Controllers and Data Processors are responsible for providing this information. All education settings and local authorities are classed as data controllers and may also be data processors in their own right and, as such, they have a duty to inform pupils, staff and parents (known as Data Subjects) how they process the data that is within their control.
- Data Controller - The organisation that (either alone or in common with other people) determines the purpose for which, and the way in which, data are processed.
- Data Processor - A person or organisation who processes data on behalf of, and on the orders of, a controller.
- Data Subject – the person about whom you are processing data.
- Data Protection Officer – an officer of the education establishment or local authority who is responsible for data protection issues within the organisation.
- Personal Data is classed as any information which on its own or in conjunction with other information available to a Data Controller can identify a Data Subject.
- Some Personal Data is classed as being part of a special category, and if you control or process special category data you need an additional reason to process the data. GDPR specifically defines ‘special category’ as data relating to:
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade-union membership
  - health or sex life
- Data relating to criminal offences is also afforded similar special protection.
For the purposes of data protection legislation, the terms ‘process’, ‘processed’ or ‘processing’ apply to any activity involving personal data, such as:
Please note: this list is not exhaustive
The most common way to provide information is through a privacy notice. The privacy notice is a document that sets out, in plain and simple language, the data controller’s policies on how they process the data that is within their control. It would be expected to meet the requirements outlined in section 2 of this guide.
As the purpose of the document is to be transparent about how personal data is used, it is recommended that the notice is made available on the school website for pupils and parents. It must also be made available or highlighted as part of any data collection process at the start of each school year, ensuring it is easily accessible at all times. You may also wish to have two different privacy notices explaining the same information, with one aimed at parents and the other aimed at children.
For new staff members it is recommended that the privacy notice is included as part of an induction pack and is available on the staff notice board / intranet. Existing staff members must be made aware of the privacy notice at the start of each school year.
Privacy Notices should be reviewed by your data protection officer on at least an annual basis and should also be reviewed whenever you make a significant change to how you process personal data.
For more information on privacy notices and the changes required as a result of GDPR, please see the ICO (Information Commissioner's Office) website: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/.