What is the GDPR?
The GDPR is a piece of EU-wide legislation which will determine how people's personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. It applies to organisations that process or handle personal data, including schools.
It is similar to the Data Protection Act (DPA) 1998 in many ways. Most of the differences involve the GDPR building on or strengthening the principles of the DPA.
It has been confirmed that the UK will be implementing the GDPR despite its intention to leave the EU.
Information Commissioner's Office (ICO)
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO's GDPR website provides in-depth information about all aspects of the GDPR.
There is a range of terminology that is used to refer to aspects of GDPR that we must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
- Personal data - The GDPR only applies to organisations' use of personal data. This is any information relating to an "identified, or identifiable, living individual" - as set out in the Data Protection Act 2018. This may include information such as the person's name, contact details, identification number and online identifier, such as a username.
- Special categories of personal data - personal data which is more sensitive and so needs more protection. It includes information about a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometrics (such as fingerprints, retina and iris patterns) where used for identification purposes, health – physical or mental, and sex life or sexual orientation.
- Data subject - the person whose personal data is held or processed (e.g. all pupils and staff are data subjects).
- Data controller - a person or organisation who determines how and why personal data is used (Horizons Specialist Academy Trust is a data controller).
- Data processor - an external person or organisation, not employed by the Trust, who processes personal data on our behalf (e.g. a payroll provider).
- Processing - anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.
- Data Protection Officer - an appointed person who takes responsibility for monitoring data protection compliance.
Under data protection law, individuals have a right to be informed about how we, Horizons Specialist Academy Trust, use any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data.
These privacy notices explain how we collect, store and use personal data about pupils, parents/carers and staff, and can be downloaded below:
GDPR related policies, as approved by Directors, are as follows:
Data Protection Act 2018
The Data Protection Act 2018, which updates data protection laws in the UK and supplements the GDPR, received Royal Assent on 23 May 2018 and is now an Act of Parliament. Any subsequent amendments to Trust policies resulting from this will be actioned accordingly.