General Data Protection Regulations

Introduction

You will be aware that the EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018. This will introduce the most significant changes to data protection law in 20 years.  Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

The new regulation aims to standardise data protection laws and processing across the EU, to provide individuals with stronger and more consistent rights to access, and to better control their personal information.

Our commitment

Chater Infant School is committed to ensuring the security and protection of the personal information that we process and to provide a compliant and consistent approach to data protection. We are confident that our current policies and procedures have complied with the existing laws but we do also recognise the need to update these in line with GDPR and the UK’s Data Protection Bill.

We are dedicated to safeguarding the personal information that we process and to develop procedures that are effective and robust.

At Chater Infant School we have completed the following actions to ensure maximum and ongoing compliance.

How we are preparing for the GDPR

Our preparation includes:

  • Completing an audit in order to identify and access the personal information we hold, why it is processed and if and to whom it is disclosed
  • Policies and procedures – we have revised our data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
    • Data protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR.
    • Data retention and erasure – we are updating our retention policy and schedule.
    • Data breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and will be disseminated to all employees, making them aware of the reporting lines and steps to follow.
    • Subject Access Request (SAR) – we have revised our SAR procedures
  • Legal basis for processing – we are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to.
  • Privacy notices– we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
  • Obtaining consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information.
  • Data Protection Impact Assessments (DPIA) – where we process personal information that is considered highly sensitive, or includes special category  data, we are developing stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements.
  • Processor agreements – where we use any third-party to process personal information on our behalf (i.e. Payroll, Recruitment, Hosting etc), we have obtained verification from those third-parties that they meet and understand their/our GDPR obligations. These processors include (but are not limited to):
    • Serco
    • DfE
    • Parentmail
    • Staff Insurance – SAS
    • HCC
    • Herts Catering
    • Herts for Learning
    • CPOMS
    • Espresso
    • The School Bus
  • Special categories data – where we obtain and process any special category information, we do so in order to fulfil contractual obligations, and in compliance with the Article 9 requirements. We have encryptions and protections on all such data.

 

Information security and technical and organisational measures

At Chater Infant School we take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures which are provided by Hertfordshire.

GDPR roles and employees

Chater has designated John Lamb as our Data Protection Officer to ensure that the school is complying with the new data protection Regulation. The   Governors are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.

Chater Infant School understands that continuous employee and parent awareness and understanding is vital to the continued compliance of the GDPR.

If you have any questions about our preparation for the GDPR, please contact the school office: admiin@chaterinfants.herts.sch.uk  or the Data Protection Officer:  data@chaterinfants.herts.sch.uk

Chater Privacy Notice for Parents and Carers May 2018