The Data Protection Act 1998 is a law designed to protect the privacy of individuals, in particular with regards to the processing of their personal information. The Act covers manual (paper) records as well as those held on computer.
Under the Data Protection Act, schools are their own data controllers and are responsible for registering individually with the ICO as well as complying with the eight principles of the Act and using, storing and protecting data, as appropriate.
Schools who are signed up to Legal Services ‘Service Level Agreement with Hampshire Schools’, can access legal advice within the remit of this agreement, around Data Protection Issues. However, where the school requires legal advice or assistance not covered by the annual subscription(s), a pay-as-you-go service will be offered at an hourly rate.
For more information, please contact Legal Services: firstname.lastname@example.org
To meet the requirements of the Data Protection Act 1998, schools and other service providers need to issue a privacy notice to staff, children and their families summarising the information collected about them, why it is held, and the third parties to whom it may be passed on.
Privacy Notices (previously known as Fair Processing Notices) are needed as the Data Protection Act requires that data is only shared with the data subject (or their parents/carers in the case of children under 13) unless the data subject has given permission to share or where there are statutory requirements for that information to be shared. As the permissions needed and the statutory requirements often change according to the needs of the service, different Privacy Notices have been developed for each type of service and/or data collection.
For general information on privacy policies, please see the Information Commissioner's guidance
Schools are their own data controller in the eyes of the law; accordingly they need to develop their own policies and documentation to comply with the Data Protection Act. The documentation included here is designed to support schools in developing their own privacy notices.
When designing privacy notices, schools need to be aware of the information they collect and wish to share/use about staff, children and their parents outside of the normal reasons for collection. For example:
Emailing electronic school newsletters
Sharing contact details of parents within a class (to assist in arranging birthday parties etc for younger pupils)
Sharing across the Local Children’s Partnership for more vulnerable children
Sharing with the PTA when arranging unofficial school events, such as discos and fundraising activities
Sharing across a school consortia
Contact details for governors
There are also many statutory requirements for schools to exchange information about staff, parents and children; for example
School workforce census
Pupil Level censuses
School Travel Surveys, Forces Children census etc
Youth Service (formally known as Connexions service) data exchange (in year 8)
Information exchanged when moving between schools
Exam entries and results
Apart from the standard reasons of protecting vulnerable individuals and those involving the prevention and detection of crime, which are mentioned in the Data Protection Act.
Many schools used to send out fair processing notices at the start of each academic year, often linked to the provision of an annual data collection to ensure that the information held about pupils is still correct. There is nothing to stop schools doing the same with privacy notices if they wish.
At the start of year 8, schools need to make parents and pupils aware of their right to opt out from the provision of information to the Integrated Youth Service under the Learning and Skills Act 2000. This can be done through the use of a privacy notice, a message in a school newsletter or other suitable means but schools should ensure that the message reaches both the pupils and their parents. Once a child attains the age of 13 they are assumed, for most purposes, to have rights over their own information so they need to be aware of privacy notices and their rights to see their own record.
To help schools, example Privacy Notices have been provided above which schools may wish to personalise to their own requirements.
The text in the outline privacy notice for parents/pupils that relates to the work of the Integrated Youth Service and the Learning Records Service is only necessary for secondary schools.
In addition to the privacy notice, schools need to ensure they have made details of any routine information sharing arrangements known to the individuals concerned. This can be achieved through the use of the school website, as part of the publication scheme or through advice to contact the school’s admin officer.
The EECU provides an outline privacy notice for nurseries and child minders which is updated every autumn and distributed as part of the census package. As most provision in this sector is delivered through private providers, many will wish to use the privacy notices belonging to their organisation. As with schools, the outline privacy notice is provided for advice only
For most people in contact with social care the leaflets Your Records and SAR Form provide the privacy notices required. However the Department for Education has recently set up a new data collection which requires an additional privacy notice for all young people having a referral to social care as a Child in Need. This privacy notice is mandatory for use within Children’s Services and should be provided to the child (if deemed Fraser/Gillick competent, normally aged 13) and their family at the first suitable meeting with social care after the referral.
For any other information about Privacy Notices Children’s Services staff should consult Data protection and information sharing or contact the Department’s Data Protection Lead, (email@example.com).
The Children’s Trust has published a policy document on Information Sharing and Confidentiality which can be downloaded from the Children’s Trust website.
To meet the requirements of the Data Protection Act (1998) Children’s Services, schools and other service providers need to issue a privacy notice to staff, children and their families summarising the information collected about them, why it is held, and the third parties to whom it may be passed on.
Schools are legally responsible for the information they hold (their own ‘data controller’) under the Act and have their own privacy notices.
The County Council collects, holds and uses personal data to allow it to provide services on behalf of the children, young people and families of Hampshire. These services include, amongst others, providing schools and educational facilities within the county; providing care and support for vulnerable individuals and their families; maintaining and improving the services we provide and protecting residents generally.
The data the County Council collects is used to support our day to day operations in delivering our roles and functions, whether they be statutory or to meet a specific identified need. In particular, the data is used to support children, young people and families within Hampshire through the delivery of key services. The data is used to monitor and report on the quality of services (eg quality of learning) as well as the progress of individuals (such as ensuring a pupil is making the right levels of progress at key stages), to ensure that we can demonstrate what is working but also challenge services to improve when things are not as effective as we would require to met the needs of Hampshire residents.
The County Council also uses the data collected to support us in providing appropriate pastoral care. This is in areas where we need to support the physical and mental well being of our children and young people, whilst improving health and reduce inequalities. This includes delivering the new public health role and statutory duties in local authorities as well as supporting partners such as Health in the delivery of their statutory functions.
The data is also a key part to the County Council’s ability to plan for the future. The data collected is a key resource for supporting our activities around financial & sufficiency planning, as well as being used to carry out statistical analysis and performance management functions.
The law requires the following services to share data with the Department for Education (DfE) in the form of statutory returns, which are provided on a monthly, termly or annual basis, including:
Admissions (Parental Preferences Met for Secondary School Applications, Report to School Adjudicator, School Admissions Appeal Survey);
Social Care (Children in Need Census, SSDA903 return, Alternative Provision Census, PF1 Return, SEN2, CTF, various Ofsted Dataset submissions and Junior ISAs);
Education Improvement Service (School Pupil Census, Pupil Referral Unit Census, Phonics, Key Stage 1 Tests and Teacher Assessments, NEET Monthly MI, September Guarantee, Schools Exclusion Appeals Survey, School Workforce Census);
Services for Young Children (Early Years Census, Children’s Centres Return, Early Years Foundation Stage Profile); and
School Organisation (School Capacity Return).
However, some services have other uses for this data, as follows:
Under the Education & Skills Act (2008), the County Council is allowed to share certain pieces of data with service providers who are delivering packages of support on behalf of the County Council, for the delivery of the functions identified within the Act. To ensure we are sharing the right level of detail, we seek consent from individuals to share further details then what the Act permits, with organisations that can support them in their requirements to access Education, Employment or Training.
The Health and Social Care Act (2012) received Royal Assent on 27 March 2012. This is a step in the transition towards the establishment of a new public health system, including the new public health role in local authorities. Local authorities are embedding these new public health functions into their activities, tailoring local solutions to local problems, to improve health and reduce inequalities.
Section 12 of the Act inserts new section 2B into the NHS Act 2006 to give each relevant local authority a new duty to take such steps as it considers appropriate to improve the health of the people in its area. As part of our compliance with these duties, the department shares data with health colleagues in order to identify the correct schools for groups of children and young people who are at the age for contacting regarding health measurement and immunisation programmes.
Once example is where Central Government has mandated the National Child Measurement Programme (mandated through regulations made under new section 6C of the NHS Act 2006). The local authority in turn commissions health services to deliver this function on our behalf. Through this commissioning arrangement, the County Council shares data in order to identify the groups of children and young people in years R and 7, who should be included in this programme. This allows us to audit the process and monitor the success and activity of this commissioned programme.
If you have any further questions around use of data or the Privacy Notices for Children’s Services, please email the Department’s Data Protection Team at: firstname.lastname@example.org .
The Children’s Trust has published a policy document on Information Sharing and Confidentiality which can be downloaded from the Children’s Trust website at: http://www3.hants.gov.uk/childrens-trust
As data controllers, schools should have a data protection policy setting out how they comply with the Data Protection Act. The County Council has developed a template policy for schools to be able to use as the starter for developing your own policies.
If you would like a copy of this policy please send an email to email@example.com requesting a copy of the Data Protection Policy template.
The ICO maintains a public register of data controllers. Each register entry includes the name and address of the data controller and details about the types of personal information they process. Individuals can check the register to find out what processing of personal information is being done by a particular data controller. Notification is the process by which a data controller's details are added to the register.
Schools are required to renew their registration on an annual basis and there is a fee. Schools will need to action the payment directly.
The ICO website has further guidance.
Your pupils and students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They - and their parents - also have the right to see their educational records. The Information Commissioner's Office (ICO) has produces a 'Technical Guidance Note' containing information on this and what you need to do.
The County Council has also produced a short Frequently Asked Questions sheet around 'Rights of Access to Information'. To request a copy of the FAQs document, please send an email to firstname.lastname@example.org requesting a copy.
This is concerned with the provision of information not covered by the Data Protection Act, but the two areas are closely linked. As public authorities, schools are subject to the Freedom of Information Act (2000) in their own right and are responsible for the provision of information in response to requests made.
The Information Commissioner's Office (ICO) has produced a guide that explains your obligations under the Freedom of Information Act, answers many frequently asked questions and gives practical examples to illustrate how to apply the Act in practice.