Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the...

22
1 Somerset Children in Education Data Protection Policy Data Protection Policy of The Fosse Federation of Schools Contacts and Review Information Data Protection Officer Ian Gover - [email protected] School Data Protection Lead Lisa Ambrose______________________ The policy was approved by Governing body on: 4 th July 2018 Signature of Chair of Governors: ____________________________ The next review date is: ____________________________ Version Control Version Author(s) Date Produced Amendments 1.0 Ian Gover 27/03/18

Transcript of Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the...

Page 1: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

1

Somerset Children in Education Data Protection Policy

Data Protection Policy of The Fosse Federation of Schools

Contacts and Review Information

Data Protection Officer Ian Gover - [email protected] School Data Protection Lead Lisa Ambrose______________________ The policy was approved by Governing body on: 4th July 2018 Signature of Chair of Governors: ____________________________ The next review date is: ____________________________

Version Control

Version Author(s) Date Produced Amendments

1.0 Ian Gover 27/03/18

Page 2: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

2

Contents

Contacts and Review Information 1 Contents 2 Introduction 3 The Data Controller and other roles 3 Responsibilities of the School 3 Responsibilities of Staff 3 Responsibilities of Parents/Carer 4 Rights to Access Information 4 Freedom of Information Requests 5 Data Breaches 5 Data Retention Policy 5 Reporting policy incidents 6 Monitoring and Evaluation 6 Appendix A – Roles of Data Protection Officer 7 Appendix B – Data Protection Lead Role 9 Appendix C – Data Asset Audit 10 Data Asset Audit Document (Example) 10 Appendix D – Staff Privacy Impact Assessment Form 11 Privacy Impact Assessment Form 11 Appendix E – Process for dealing with Subject Access Requests 13 Subject Access Request Record 14 Appendix F – Process for dealing with FoI Requests 15 Freedom of Information Request Record 16 Appendix G – Data Breach 17 Data Breach Record 17 Appendix H – Parent Consent Form 19 Appendix I – Pupil Images, Video and Sound Consent Letter 24 Conditions of Use 25 Consent Form for recording and use of images and sounds 26

Page 3: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

3

1. Introduction The School needs to use information about pupils, staff and other users to allow us to follow our duties, and to provide other services with data that we have a legal, statutory or contractual right to process. The school will comply with the data protection policy which includes (Subject Access, Freedom of Information, Data Breach Reporting and Data Retention procedures) and the principles which are set out in Data Protection regulations and other laws. 2. The Data Controller and other roles The School, as a body, is the Data Controller. The School has identified its designated Data Protection Officer (DPO – see Appendix A). Other day to day matters will be dealt with by the Data Protection Lead (DPL see Appendix B), The Headteacher, Head of School/Teaching and Learning and the Computing Leads. 3. Responsibilities of the School The school is committed to protecting and respecting the confidentiality of sensitive information relating to staff, pupils, parents/carers and governors. This implies that the school will:

a. register with the Information Commissioners Office (ICO); b. keep an up to date Data Asset Audit (See Appendix C) which lists all known uses of personal data in the school; c. verify that all systems that involve personal data or confidential information will be examined to see that they meet the Data Protection regulations; d. inform all users about their rights regarding data protection; e. provide training to ensure that staff know their responsibilities; f. monitor its data protection and information security processes on a regular basis, changing practices if necessary.

4. Responsibilities of Staff All staff are responsible for checking that any information that they provide to the school is accurate and up to date. All staff are responsible for ensuring that any personal data they use in the process of completing their role:

a. is not in the view of others when being used; b. is kept securely in a locked cabinet when not being used; c. is stored on a password protected local hard or network drive;

Page 4: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

4

d. if kept on removable storage (a laptop, tablet, USB memory stick) approved by the school and that this is password protected and encrypted. The data held on these devices must be backed up regularly and this is the responsibility of the individual; e. is not disclosed to any unauthorised third party; f. is assessed and approved by the Senior Leadership Team or the DPL with advice from the DPO (see Privacy Impact Assessment from Appendix D) if used within an app, web service or other application.

Staff should note that unauthorised disclosure or transgression of the above statements will usually be a disciplinary matter. 5. Responsibilities of Parents/Carers The school will inform the Parents/Carers of the importance of the personal data the school uses and the importance of keeping this up to date. This process will include an annual data collection sheet (with the return of this document being recorded) and reminders in newsletters and at class meetings. Appendix H Other permissions will also be sought regarding matters of non-statutory use of personal data such as the use of images and names in publicity materials on induction or when required. The returns to these permissions will be recorded and exemptions communicated to staff. Appendix I 6. Rights to Access Information All people having personal data stored by the school have the rights to:

a. obtain from the school confirmation if personal data concerning him or her (or their child) is being processed;

b. where this is the case, have a copy of the personal data and the following information:

(1) the purposes of the processing; (2) the third parties that the data will be shared with; (3) the period for which the personal data will be stored; (4) the existence of the right to request from the school to correct, erase or restrict processing of personal data if the data can be proved to be incorrectly held; (5) the right to lodge a complaint with a supervisory authority; (6) where the personal data are not collected from the data subject, any available information as to their source.

c. if exemptions are placed on any of the data above, because of safeguarding or other issues, the existence of this data will be declared.

Page 5: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

5

The school will place on its website Privacy Notices1 regarding the personal data held about them and the reasons for which it is processed. Access to the data is called a Subject Access Request. Any person who wishes to exercise this right (or their parental right) should make a request in writing and submit it to the Headteacher or the Chairman of Governors. The process for dealing with these request is outlined in Appendix E. The school aims to comply with requests for access to personal information as quickly as possible and in accordance with advice from the ICO and other professional agencies. 7. Freedom of Information Requests Freedom of Information requests are requests from any member of the public about processes, policies and other non-personal information about the school. These requests will always be processed and the rights of individuals (within Data Processing Regulations) not to be identified respected while maintaining legal responsibilities within the Freedom of Information Act. The process for dealing with Freedom of Information requests is given in Appendix F. 8. Data Breaches If there is a Data Breach the school will inform the DPO who will then advise on any actions. Any Data Breaches will be recorded, comprising the facts relating to the personal data breach, its effects and the remedial action taken as shown in Appendix G. If there are risks to the individual the school will communicate the breach to the data subjects. In the case of a personal data breach where there is a high risk to the rights and freedoms of the data subject, the DPO/School will without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. 9. Data Retention Policy The school has responsibilities under the Data Protection Principles to keep data only for as long as we need to. In respect of the length of time that the school should keep the data the school will follow the advice from the IRMS using their Records Management Toolkit for schools2. If paper is due to be destroyed it will be cross-cut shredded or burnt either by school or by a commercial company. If data is held on electronic devices then these will be deleted in line with the advice from the ICO3. A record should be kept of the data destroyed and/or the certificate of destruction issued by a third party.

1 https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices

2 http://irms.org.uk/page/SchoolsToolkit

3 https://ico.org.uk/for-the-public/online/deleting-your-data/

Page 6: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

6

10. Reporting policy incidents Any member of staff, parent or other individual who considers that the Policy has not been followed in respect of personal data should raise the matter with the Head Teacher or Chair of Governors. 11. Monitoring and Evaluation This policy will be monitored and reviewed in line with the school’s policy review procedure.

Page 7: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

7

Appendix A – Roles of Data Protection Officer 1. Purpose The Data Protection Officer (DPO) is responsible for monitoring compliance with current data protection law, and has the knowledge, support and authority to do so effectively. They oversee and verify the school’s data protection processes and advise the school on best prac-tice. Within each school there will be a Data Protection Lead (DPL), who maintains contact with the DPO and is responsible for assisting in monitoring with compliance and verifies the school’s data protection practices on a day to day basis. 2. Data Protection Officer Responsibilities The data protection officer is responsible for:

• advising the school about their obligations under current data protection regulations;

• support the DPL in developing a joint understanding of the school’s processing operations, information systems, data security processes and needs, and administrative rules and procedures;

• assist, in cooperation with the DPL, with the monitoring of the school’s compliance with data protection law, by:

o collecting information to identify data processing activities; o analyzing and checking the compliance of data processing activities; o informing, advising and issuing recommendations to the school; o ensuring they have current and detailed information in data protection issues and

changes to the law, attending relevant training as appropriate;

• assist the DPL in making sure that the school’s policies are followed, through: o assigning responsibilities to individuals; o awareness-raising activities; o coordinating staff training; o conducting internal data protection audits;

• advise on and assisting the school with carrying out data protection impact assessments, if necessary;

• act as a contact point for the ICO, assisting and consulting it where necessary, including: o helping the ICO to access documents and information; o seeking advice on data protection issues;

• act as a contact point for individuals whose data is processed (for example, staff, pupils and parents), including:

o responding with support from the DPL to subject access requests; o responding with support from the DPL to other requests regarding individuals’

rights over their data and how it is used;

• take a risk-based approach to data protection, including: o prioritizing the higher-risk areas of data protection and focusing mostly on these o advising the school if/when it should conduct an audit, which areas staff need

training in, and what the DPO/DPL roles should involve.

• report to the governing board on the school’s data protection compliance and associated risks;

• respect and uphold confidentiality, as appropriate and in line with data protection law, in carrying out all duties of the role;

• assist the DPL in maintaining a record of the school’s data processing activities;

• work with external stakeholders, such as suppliers or members of the community, on data protection issues;

Page 8: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

8

• working with the DPL in fostering a culture of data protection throughout the school;

• work closely with other departments and services to ensure GDPR compliance, such as HR, legal, IT and security;

• work with the Senior Leadership team at the school to ensure GDPR compliance;

• assist with any additional tasks necessary to keep the school compliant with data protec-tion law and be successful in the role.

3. Tasks From these responsibilities, isolated tasks should include:

• providing a model Data Protection Policy and assist in customizing it for the school;

• advising on procedures and proformas to allow the Data Protection Policy to be adhered to;

• providing advice on other associated policies and documents;

• providing materials and advice in completing a dynamic Data Asset Audit and assisting in its completion if necessary;

• collecting the Data Asset Audit on a yearly basis and checking for issues;

• providing training materials to allow the DPL to assist staff in keeping up to date with Data Protection issues;

• acting as the point of contact for SAR and FOI requests and supporting the school to provide the information as required;

• providing a Data Protection Audit on a 3 yearly rota basis and producing a report for Governors;

• providing telephone and email advice and support;

• providing regional training for the DPL and other staff;

• providing school based on-demand training either as part of the Ed Tech subscription or at cost.

Page 9: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

9

Appendix B – Data Protection Lead Role 1. Data Protection Lead Responsibilities The Data Protection Lead Responsibilities include:

• verify that the school has registered with the ICO;

• support the DPO in advising the school about their obligations under current Data Protec-tion regulations;

• support the DPO in developing an understanding of the school’s processing operations, information systems, data security processes and needs, and administrative rules and procedures;

• assist, in cooperation with the DPO, with the monitoring of the school’s compliance with data protection law, by:

o collecting information to identify data processing activities; o analyzing and checking the compliance of data processing activities; o informing, advising and issuing recommendations to the school; o ensuring they have current and detailed information in data protection issues and

changes to the law, attending relevant training as appropriate;

• assist the DPO in making sure that the school’s policies are followed, through: o assigning responsibilities to individuals; o awareness-raising activities; o coordinating staff training; o conducting internal data protection audits;

• act as a contact point for the DPO in supporting individuals whose data is processed (for example, staff, pupils and parents), including:

o responding with support from the DPO to subject access requests; o responding with support from the DPO to other requests regarding individuals’

rights over their data and how it is used;

• assist the DPO in maintaining a record of the school’s data processing activities provid-ing this on a yearly basis to the DPO;

• assisting the DPO in working with external stakeholders, such as suppliers or members of the community, on data protection issues;

• working with the DPO in fostering a culture of data protection throughout the school;

• work with the Senior Leadership team at the school to ensure GDPR compliance;

• assist with any additional tasks necessary to keep the school compliant with data protec-tion law and be successful in the role.

2. Tasks From these responsibilities, isolated tasks should include:

• act as the point of contact with the DPO;

• assist in customizing the Data Protection Policy for the school;

• advising on procedures and proformas to allow the Data Protection Policy to be adhered to;

• provide advice on other associated policies and documents;

• providing materials and advice in completing a Data Asset Audit and assisting in its com-pletion if necessary;

• supplying the DPO with the Data Asset Audit on a yearly basis;

• using the training materials provided by the DPO to assist the staff in keeping up to date with Data Protection issues.

Page 10: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

10

Appendix C – Data Asset Audit 1. Data Asset Audit The school will document the personal data it stores. This document will be a dynamic document and be the responsibility of the DPL assisted by the DPO. It will be updated using the Privacy Impact Assessment forms completed by staff. The document can be in any format but should contain information about the type of data held, why it is held, who it is shared with and any anticipated risks. 2. Data Asset Audit Document (Example)

Description of service

Type of data

Reason to hold data

Where is data stored?

Is the data shared with anyone?

Risks

SIMs Data Personal and Sensi-tive Data

Statutory Duties Education Act

Server DfE LA MAT

Lost pass-words Inappropri-ate viewing Printouts Exchange agreement with Som-erset LA Careful po-sitioning of monitors

Moodle

Potential sensitive data e.g. grades and perfor-mance

Learning tool

In the cloud by MoodleAnywhere. Held in London and Bristol. Contract checked

Parents Lost pass-words Inappropri-ate viewing

ClassDojo

Name and behaviour information

Tool to as-sist with be-haviour manage-ment

In the cloud by Class Dojo

Not in EEA? Display on whiteboard

Page 11: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

11

Appendix D – Staff Privacy Impact Assessment Form 1. Staff Privacy Impact Assessment Form Before the use of any new service that uses personal data, staff should fill in a Privacy Impact Assessment Form. The Senior Leaders and/or the DPL, with advice from the DPO will then approve the use and the information be placed on the Data Asset Audit. 2. Privacy Impact Assessment Form Privacy Impact Assessment (PIA) for: Name of Service/Software/App Data Protection Principles

• processing to be lawful and fair

• purposes of processing be specified, explicit and legitimate

• adequate, relevant and not excessive

• accurate and kept up to date

• kept for no longer than is necessary

• processed in a secure manner

Why we need a PIA – screening questions? We need to complete this form because:

• the use involves the collection of new information about individuals;

• the use compels individuals to provide information about themselves;

• the information about individuals will be disclosed to organisations or people who have not previously had routine access to the information;

• we are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?

• we are using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition;

• the use results in you making decisions or acting against individuals in ways that can have a significant impact on them;

• the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private;

• the use requires you to contact individuals in ways that they may find intrusive.

Page 12: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

12

Describe the service

Describe the data collected and the possible uses of the data

List of data held

Collection of data

Possible uses

Identify the privacy, related risks and possible solutions To be discussed with the Data Pro-tection Lead Privacy issue Risk to individuals DPA Risks Possible Solu-

tions 1. • • • 2. • • • 3. • • • 4. • • • 5. • • • 6. • • • Sign off and notes

Comments on risks Processes that must be in place

Contact point for future privacy concerns Data Protection Officer: Ian Gover - [email protected] Data Protection Lead: Lisa Ambrose - [email protected] Date completed:

Page 13: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

13

Appendix E – Process for dealing with Subject Access Requests 1. Process for dealing with Subject Access Requests On receiving a Subject Access Request or request for change or deletion of data the DPO or school will:

• inform the DPL in the school (and the Headteacher if necessary);

• record the details of the request, updating this record where necessary;

• reply to the requestor informing receipt of the request asking for clarity if there is confusion about which data is required;

• contact the DPO if clarity on the request is needed or procedure is needed;

• identify the people responsible for gathering the necessary data;

• gather the data indicating a deadline;

• examine the data for redactions making sure there is no ‘bleeding’ of data;

• ask the requestor for an address and time for delivery. The whole process should take no longer than 30 calendar days, which can be extended by a further 2 months where the request is complex or where there are numerous requests. Please note the time for processing a request for an Educational Record is 15 days. The Subjects Access Requests are held here: In the school office.

Page 14: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

14

Subject Access Request Record Name of data subject: ___________________________ Name of person who made request: ___________________________ Date request received: ____/____/____ Contact DPO ([email protected]) : ____/____/____ Date acknowledgement sent: ____/____ /____ Name of person dealing with request: ___________________________ Notes (Overwrite the statements in grey)

Are they entitled to the data? If no reply stating reasons and/or ask for proof

Do you understand what data they are asking for?

If no, ask requestor for clarity

Identify the data What data sources, where they are kept

Collect the data required You may need to ask others – state a deadline in your request.

Do you own all the data? If no, ask third parties to release external data. If data is supplied by another agency such as Psychology Ser-vice, you do not own the data.

Do you need to exempt/redact data?

If exempting/redacting be clear of your reasons Document name, data exempted/redacted, why.

Is the data going to be ready in time?

Record delays and reasons. Communicate with requestor stating reason for delay and asking if they would like the data you have collected so far.

Create pack Make sure that the data is in an easy to access format: paper, word, excel etc.

Inform requestor you have the data

Ask them how they would like it delivered

Deliver data Ask for confirmation/special delivery? At all stages, your DPO or DPL will be able to provide you with advice. Date request completed: ____/____/____ (within 30 days of request) Signed off by: _____________________

Page 15: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

15

Appendix F – Process for dealing with Freedom of Information Request (FoI) Re-quests 1. Process for dealing with FoI Requests On receiving a FoI Request, which must be made in writing, the DPO or the school will:

• inform the DPL in the school (and the Headteacher if necessary);

• record the details of the request, updating this record where necessary (see next page);

• reply to the requestor informing receipt of the request asking for clarity if there is confusion about which data is required;

• decide that if the material is already published or falls within an exemption;

• contact the DPO if clarity on the request is needed or procedure is needed;

• if data is not going to be published inform the requestor why this is not being released;

• identify the people responsible for gathering the necessary data;

• gather the data indicating a deadline;

• examine the data for redactions making sure there is no ‘bleeding’ of data;

• ask the requestor for an address and time for delivery.

The whole process should take no longer than 20 working days. The FoI requests are held here: In the school office

Page 16: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

16

Freedom of Information Request Record Name of person who made request: ___________________________ Date request received: ____/____/____ Contact DPO ([email protected]) : ____/____/____ Date acknowledgement sent: ____/____ /____ Name of person dealing with request: ___________________________ Notes (Overwrite the statements in grey)

Are they entitled to the data? If no reply stating reasons

Do you understand what data they are asking for?

If no, ask requestor for clarity

Identify the data What data sources, where they are kept

Collect the data required You may need to ask others – state a deadline in your request.

Do you own all the data? If no, then refer them to the correct agency Do you need to exempt/redact data?

Could the data identify individuals Are any of the an-swers less than 5 people – use ‘5 or less including zero)? Are their commercial sensibilities?

Is the data going to be ready in time?

Record delays and reasons. Communicate with requestor stating reason for delay and asking if they would like the data you have collected so far.

Create pack Make sure that the data is in an easy to access format: paper, word, excel etc.

Inform requestor you have the data

Ask them how they would like it delivered

Deliver data Ask for confirmation/special delivery? At all stages, your DPO or DPL will be able to provide you with advice. Date request completed: ____/____/____ (within 20 days of request) Signed off by: _____________________

Page 17: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

17

Appendix G – Data Breach 1. Data Breach Every Data Protection Breach should be recorded. The process that should be followed is listed below:

• inform the DPL in the school (and the Headteacher if necessary);

• record the details of the breach, updating this record where necessary;

• contact the DPO if clarity on reporting the breach is needed and if necessary report to the ICO;

• identify the people whose data is accidentally released, inform them of the breach and the processes taken to rectify the situation;

• review why the breach took place and if future similar events can be avoided. The Data Protection Breach records requests are held here: In the school office Data Breach Record

Date: / / Person responsible for dealing with breach

Outline of breach

Which data subjects are involved

Data type involved

Reported by Phone/email sent to DPO [email protected]

y/n Is this high risk? y/n Report to ICO y/n

Date reported to data subjects Actions taken

Preventative action suggestions – including training

Notes

Actions approved by Date / /

Page 18: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

18

Appendix H – Annual Data Collection Sheet

Please check that the information below is correct. Complete any missing or incorrect details, sign and return to the school office in a sealed envelope.

Legal Surname: Preferred Surname:

Preferred Forename: Middle Name:

Legal Forename: Gender:

Date of Birth: Year: Reg Group: Address:

Please check/give details of all persons who have Legal Parental Responsibility, also any additional contacts. (For a definition refer to the GOV.UK website and search for Parental Rights and Responsi-bilities). Please note, removing a contact with Parental Responsibility requires supporting documenta-tion.

Co

nta

ct

Pri

or-

ity

Leg

al P

are

nta

l R

esp

on

sib

ilit

y Contact Title & Full Name/Rela-

tionship Home Address, Phone/Mo-bile

Work Phone/Email

Home Tel: Main Tel: Mobile: Email:

Work Tel: Email:

Home Tel: Main Tel: Mobile: Email:

Work Tel: Email:

Home Tel: Main Tel: Mobile: Email:

Work Tel: Email:

Also list any additional emergency contacts and the priority in which they should be contacted.

Pri

ori

ty

Leg

al P

are

nta

l R

esp

on

sib

ilit

y Contact Title & Full Name/Rela-

tionship Home Address, Phone/Mo-bile

Work Phone/Email

Travel Arrangements: Only 1 option may be chosen

Options: Boarder, Bus, Car Share (ie 2 families sharing), Car/Van, Cycle, School Bus, Metro/Tram/Light Rail, Other, Public Bus, Taxi, Train, Walk

Route if appropriate:

Free School Meal: Is your child entitled to a (Benefits related) Free Meal? No Meal Type: Free Meal, Sandwiches, Home, School Meal, UIFSM* *Universal Infant Free School Meal - Reception, Year 1, Year 2 only

Page 19: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

19

Dietary Needs:

Medical Practice: Tel: Address:

Medical Condition(s):

Medical Note(s):

Young Carers:

Does your child have regular caring responsibilities for someone who has a disability or long term health need? (When did their caring role start?)

If your child is a Young Carer and your health/disability might make it difficult for you to accompany them to Accident and Emergency (if that were neces-sary during the school day), do you give permission for your child to attend Accident and Emergency with a staff member?

Post Looked After Arrangements: (Please ���� as appropriate) Please tick the appropriate box below if you would like the school to be aware of, and record your child’s status on the School Census.

Adopted from Care

Left Care under a Special Guardianship Order

Left Care under a Residence or Child Arrangements Order

Ethnic/Cultural

Ethnicity:

Nationality:

Country of Birth: First Language: (ie language

spoken at home during early years)

Religion:

Service Child

Is the parent(s) the child resides with currently serving in the (regular) Armed Services?

The school is classed as a Data Controller under the Data Protection Act and as such has a duty to process any personal information obtained and held by them according to the Data Protection Prin-ciples. The school also has a statutory duty to share some or all of this information with other pro-fessional bodies as set out in the school’s Privacy Notice. Should you have any queries in relation to this please contact the school directly.

Signature: Date:

Print Name:

Page 20: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

20

Appendix I – Parent/Carer Consent Form Please indicate whether you have given your consent in each case by ticking the box on the right-hand side; and sign and date the form on the last page. 1. On-site activities I give my permission for my child to:

Use the internet in line with the school’s acceptable user policy

Take part in food preparation/cooking and tasting activities

Please outline any food allergies/specific dietary requirements: ................................................................................................................................................... ................................................................................................................................................... 2. Off-site activities I give my permission for my child to take part in:

Supervised visits/sports events to local destinations (within 3 miles) away from the main school site

3. Medical consent I give my permission for:

My child to be given first aid by a trained member of staff during any on-site or off-site activity

My child to receive urgent dental, medical or surgical treatment, including anaesthetics, as may be considered necessary by the medical authorities present, during any on-site or off-site activity

Plasters to be applied to my child

Staff to administer the medicines as specified on signed medication forms - in accordance with our Policy for Supporting Pupils at School with Medical Conditions

Please outline any medical conditions/allergies: ................................................................................................................................................... ................................................................................................................................................... ……………………………………………………………………………………………………………

Page 21: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

21

4. Use of information and image/sound (including photographs and recordings)

I/we acknowledge the receipt of the Digital Image Policy

I/we understand the aims of this policy

I give my permission for my child’s:

Image/recording to be used as part of school wall displays/class activities

Image/recording to be used for the school’s marketing publications (printed & elec-tronic

Image/recording (not named) to be used on the school website

Evercreech website

Lovington website

Image/recording (not named) to be used in external media (including printed and electronic) e.g. local newspaper press release

Image to be used in school publications including letters and newsletters*

Image to be included in the School’s annual formal class/whole school photographs

Annual formal individual photograph to be used by school

Image to be used in communication with international pen pals

Named work to be displayed around the school on wall displays

*Please note that all our newsletters are made available for viewing on our website. If you do not wish to give permission for your child’s image to be used on our website, the school regrets that it will not be able to use your child’s image in any newsletter. 5. Home School Agreement

I/we acknowledge receipt of the Home/School Agreement

I/we together with our child have read and understand the aims of this document

Signature of child (or on behalf of)

The information in this form will be used throughout your child’s time at school. You may withdraw your consent at any time by contacting the school. Please sign and date the form before returning it to the School Office. Name: ………………………………………………..

Signed: ................................................................................Date: .........................................

Page 22: Somerset Children in Education Data Protection Policy · 2019-09-14 · training in, and what the DPO/DPL roles should involve. • report to the governing board on the school’s

22

Conditions of use.

• This form is valid for the duration of your child’s education at our school. If you change your mind about giving consent to any of the above while at our school, please contact the school immediately.

• If we decide to take photographs, video or record sound for any other purpose than those listed here, we will ask for additional specific consent.

• Images of children and sound recordings will be stored securely in school. Please be aware that the school has no control over the way external photographers and the media store images.

• We will not usually retain photographs of your child after they cease to be a pupil at this school. However, photographs on our website; in our school prospectus and other publi-cations; or those that are part of our archive of learning activities, could continue to exist for a period after the child has left the school.

• We will not include any personal details such as surname, home phone numbers or email addresses of pupils in any publication.

• We will only use photographs and video of pupils who are suitably dressed, to minimize any risk of misuse.

• We may use photographs of a whole class with a general label, where individual children are not identified.