Data Protection Policy

Plans and Policies

DATA PROTECTION POLICY

Purpose and Scope

1.1 The purpose of this Data Protection Policy is to support the school in meeting its responsibilities with regard to the processing of personal data. These responsibilities arise as statutory obligations under the relevant data protection legislation. They also stem from our desire to process all personal data in an ethical manner which respects and protects the fundamental rights and freedoms of natural persons.

1.2 This policy aims to help transparency by identifying how the school expects personal data to be treated (or "processed"). It helps to clarify what data is collected, why it is collected, for how long it will be stored and with whom it will be shared.

1.3 The Irish Data Protection Act (2018) and the European General Data Protection Regulation (2016) are the primary legislative sources. As such they impose statutory responsibilities on the school as well as providing a number of fundamental rights (for students, parents/guardians and staff and others) in relation to personal data.

1.4 The school recognises the seriousness of its data processing obligations and has implemented a set of practices to safeguard personal data. Relevant policies and procedures apply to all school staff, boards of management, trustees, parents/guardians, students and others (including prospective or potential students and their parents/guardians and applicants for staff positions within the school).

1.5 Any amendments to this Data Protection Policy will be communicated through the school website and other appropriate channels, including direct communication with data subjects where this is appropriate. We will endeavour to notify you if at any time we propose to use Personal Data in a manner that is significantly different to that stated in our Policy, or, was otherwise communicated to you at the time that it was collected.

1.6 The school is a data controller of personal data relating to its past, present and future staff, students, parents/guardians and other members of the school community. Formally, the statutory responsibility of Controller is assigned to the Board of Management. The Principal is assigned the role of co-ordinating the implementation of this Policy and for ensuring that all staff who handle or have access to Personal Data are familiar with their responsibilities.

Name Responsibility

Board of Management Data Controller

Principal Implementation of Policy

All Staff Adherence to the Data Processing Principles

Entire School Community Awareness and Respect for all Personal Data

Processing Principles

2.1 Processing is the term used to describe any task that is carried out with personal data e.g. collection, recording, structuring, alteration, retrieval, consultation, erasure as well as disclosure by transmission, dissemination or otherwise making available. Processing can include any activity that might relate to personal data under the control of the school, including the storage of personal data, regardless of whether the records are processed by automated or manual means.

2.2 There are a number of fundamental principles, set out in the data protection legislation, that legally govern our treatment of personal data. As an integral part of its day to day operations, the school will ensure that all data processing is carried out in accordance with these processing principles.

2.3 These principles, set out under GDPR, establish a statutory requirement that personal data must be:

processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (purpose limitation);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
kept for no longer than is necessary for the purposes for which the personal data are processed; (storage limitation);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

GDPR also establishes Accountability as a core data processing principle. This places a statutory responsibility on the school, as Data Controller, to be able to demonstrate compliance with the other principles i.e. the 6 data processing principles set out in the previous paragraph (2.3 above).

Lawful Basis for Processing Personal Data

3.1 Whenever the school is processing personal data, all of the principles listed in the previous section(s), must be obeyed. In addition, at least one of the following bases (GDPR Article 6) must apply if the processing is to be lawful,

compliance with a legal obligation
necessity in the public interest
legitimate interests of the controller
contract
consent
vital interests of the data subject.

3.2 When processing special category personal data, the school will ensure that it has additionally identified an appropriate lawful basis under GDPR Article 9. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing Activities Undertaken by the School

4.1 Record of Processing Activities: This policy sets out the purposes for which the school collects and uses personal data for each of the various categories of data held (student, staff, parent, etc).

4.2 Student Records: The purposes for processing student personal data include the following:

to provide information prior to application/enrolment;
to determine whether an applicant satisfies the school’s admission criteria;
to comprehend the educational, social, physical and emotional needs of the student;
to deliver an education appropriate to the needs of the student;
to ensure that any student seeking an exemption from Irish meets the criteria;
to ensure that students benefit from relevant additional educational or financial supports;
to contact parents/guardians in case of emergency or in the case of school closure;
to monitor progress and to provide a sound basis for advising students and parents/guardians;
to inform parents/guardians of their child’s educational progress etc.;
to communicate information about, and record participation in, school events etc.;
to establish a school website, and to keep a record of the history of the school;
to comply with legislative or administrative requirements;
to furnish documentation/ information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and others in compliance with law and directions issued by government departments.

4.3 Parent/Guardian Records: The school does not keep personal files for parents or guardians. However, information about or correspondence with parents, may be held in the files for each student. This information shall be treated in the same way as any other information in the student file.

4.4 Staff Records: As well as records for existing members of staff (and former members of staff), records may also relate to applicants applying for positions within the school, trainee teachers and teachers under probation. The purposes for which staff personal data is processed include the following:

the management and administration of school business (now and in the future);
to facilitate the payment of staff, and calculate other benefits/ entitlements (including reckonable service for the purpose of calculation of pension payments, entitlements and/or redundancy payments where relevant);
to facilitate pension payments in the future;
human resources management;
recording promotions made (documentation relating to promotions applied for) and changes in responsibilities etc.;
to enable the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment (including complying with its responsibilities under the Safety, Health and Welfare at Work Act. 2005);
to enable the school to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies;
and for compliance with legislation relevant to the school.

4.5 Board of Management Records: Board of Management records are kept in accordance with the Education Act 1998 and other applicable legislation. Minutes of Board of Management meetings record attendance, items discussed and decisions taken. Board of Management business is considered confidential to the members of the Board.

4.6 Financial Records: This information is required for routine management and administration of the school’s financial affairs, including the payment of fees, invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.

4.7 CCTV Records: The school processes personal data in the form of recorded CCTV images. We use CCTV for the following purposes:

to secure and protect the school’s premises and assets;
to deter crime and anti-social behaviour;
to assist in the investigation, detection, and prosecution of offences;
to deter bullying and/or harassment;
to maintain good order and ensure the school’s Code of Behaviour is respected;
to provide a safe environment for all staff and students;
for the taking and defence of litigation;
for verification purposes and for dispute-resolution, particularly in circumstances where there is a dispute as to facts and where the recordings may be capable of resolving that dispute.

Recipients

5.1 Recipients: These are defined as organisations and individuals to whom the school transfers or discloses personal data. Recipients may be data controllers, joint controllers or processors. A list of the categories of recipients used by the school is provided in the appendices (Appendix 3). This list may be subject to change from time to time.

5.2 Data Sharing Guidelines:

-From time to time the school may disclose Personal Data to third parties, or allow third parties to access specific Personal data under its control. An example could arise should Gardaí submit a valid request under Section 41(b) of the Irish Data Protection Act which allows for processing necessary and proportionate for the purposes of preventing, detecting, investigating or prosecuting criminal offences.

- In all circumstances where personal data is shared with others, the school will ensure that there is an appropriate lawful basis in place (GDPR Articles 6, 9 as appropriate). We will not share information with anyone without consent unless another lawful basis allows us to do so.
-Most data transfer to other bodies arises as a consequence of legal obligations that are on the school, and the majority of the data recipients are Controllers in their own right, for example, the Department of Education and Skills. As such their actions will be governed by national and European data protection legislation as well their own organisational policies.
-Some of the school’s operations require support from specialist service providers. For example, the school may use remote IT back-up and restore services to maintain data security and integrity. In cases such as these, where we use specialist data processors, we will ensure that the appropriate security guarantees have been provided and that there is a signed processing agreement in place.

Personal Data Breaches

6.1 Definition of a Personal Data Breach: A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

6.2 Consequences of a Data Breach:

-A breach can have a significant adverse effect on individuals, which can result in physical, material or non-material damage. This can include discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality etc. Children, because of their age, may be particularly impacted.
- In addition to any detrimental impact on individual data subjects, a data breach can also cause serious damage to the school. This can include reputational damage as well as exposing the school to other serious consequences, including civil litigation.
- It should be noted the consequences of a data breach could include disciplinary action, criminal prosecution and financial penalties or damages for the school and participating individuals.

6.3 Responding to a Data Breach:

- The school will always act to prioritise and protect the rights of those individuals whose personal data is affected.
- As soon as the school becomes aware that an incident has occurred, measures will be taken to assess and address the breach appropriately, including actions to mitigate any possible adverse effects.
- Where the school believes that there is a risk to the affected individuals, the school will (within 72 hours of becoming aware of the incident) submit a report to the Data Protection Commission.
- Where a breach is likely to result in a high risk to the affected individuals, the school will inform those individuals without undue delay.

Data Subject Rights

7.1 Your Rights: Personal Data will be processed by the school in a manner that is respectful of the rights of data subjects. Under GDPR these include 01 For further information on your rights see www.GDPRandYOU.ie.

the right to information
the right of access
the right to rectification
the right to erasure ("right to be forgotten")
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision making
the right to withdraw consent
the right to complain.

7.2 Right to be Informed: You are entitled to information about how your personal data will be processed. We address this right primarily through the publication of this Data Protection Policy. We also publish additional privacy notices/statements which we provide at specific data collection times, for example, our Website Data Privacy Statement is available to all users of our website. Should you seek further clarification, or information that is not explicit in our Policy or Privacy Statements, then you are requested to forward your query to the school.

7.3 Right of Access: You are entitled to see any information we hold about you. The school will, on receipt of a request from a data subject, confirm whether or not their personal data is being processed. In addition, a data subject can request a copy of their personal data. The school in responding to a right of access must ensure that it does not adversely affect the rights of others.

7.4 Right to rectification: If you believe that the school holds inaccurate information about you, you can request that we correct that information. The personal record may be supplemented with additional material where it is adjudged to be incomplete.

7.5 Right to be forgotten: Data subjects can ask the school to erase their personal data. The school will act on such a request providing that there is no compelling purpose or legal basis necessitating retention of the personal data concerned.

7.6 Right to restrict processing: Data subjects have the right to seek a restriction on the processing of their data. This restriction (in effect requiring the controller to place a "hold" on processing) gives an individual an alternative to seeking erasure of their data. It may also be applicable in other circumstances such as where, for example, the accuracy of data is being contested.

7.7 Right to data portability: This right facilitates the transfer of personal data directly from one controller to another. It can only be invoked in specific circumstances, for example, when processing is automated and based on consent or contract.

7.8 Right to object: Data subjects have the right to object when processing is based on the school’s legitimate interests or relates to a task carried out in the public interest (e.g. the processing of CCTV data may rely on the school’s legitimate interest in maintaining a safe and secure school building). The school must demonstrate compelling legitimate grounds if such processing is to continue.

7.9 Right not to be subject to automated decision making: This right applies in specific circumstances (as set out in GDPR Article 22).

7.10 Right to withdraw consent: In cases where the school is relying on consent to process your data, you have the right to withdraw this at any time, and if you exercise this right, we will stop the relevant processing.

7.11 Limitations on Rights: While the school will always facilitate the exercise of your rights, it is recognised that they are not unconditional: the school may need to give consideration to other obligations.

7.12 Right to Complain:

If you are concerned about how your personal data is being processed, then please address these concerns in the first instance to the Principal who is responsible for operational oversight of this policy.

A matter that is still unresolved may then be referred to the school’s Data Controller (i.e., the Board of Management) by writing to the Chairperson c/o school.

Should you feel dissatisfied with how we have addressed a complaint or concern that you have raised, you have the right, as data subject, to bring the matter to the attention of the Irish Data Protection Commission.

Telephone +353 57 8684800

+353 (0)761 104 800

Lo Call Number 1890 252 231

Fax +353 57 868 4757

E-mail info@dataprotection.ie

Post Data Protection Commission

Canal House, Station Road

Portarlington, Co. Laois

R32 AP23

Website www.dataprotection.ie

Glossary

Child - a person under the age of 18 years. Children are deemed as vulnerable under GDPR and merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

Controller or Data Controller - an entity or person who, alone or jointly with others, determines the purposes and means of the processing of personal data. In this policy, the data controller is the School.

Consent - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Protection Commission - the national supervisory authority responsible for monitoring the enforcing the data protection legislation within Ireland. The DPC is the organisation to which schools as data controllers must notify data breaches where there is risk involved.

Data Protection Legislation – this includes (i) the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and (ii) the Irish Data Protection Act (2018). GDPR is set out in 99 separate Articles, each of which provides a statement of the actual law. The regulation also includes 171 Recitals to provide explanatory commentary.

Data Subject - a living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.

Data concerning health - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. This is an example of special category data (as is data concerning special education needs).

Personal data - any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor or Data Processor - a person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract (but does not include an employee of a controller who processes such data in the course of his or her employment).

Profiling - any form of automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.

(Relevant) Filing System - any set of information that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.

Special categories of data - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Implementing the Data Processing Principles

Accountability

Accountability means that compliance with the data protection legislation is recognised as an important Board of Management responsibility as well as one shared by each school employee and member of the wider school community.
Demonstrating Compliance Accountability imposes a requirement on the controller to demonstrate compliance with the other data processing principles (see Section 2 earlier: Processing Principles). This means that the school retains evidence to demonstrate the actions it has taken to comply with GDPR.
School Policies An important way for the school to demonstrate accountability is through the agreement and implementation of appropriate policies. In addition to publishing a Data Protection Policy this may include developing other policies to address some or all of the following areas (i) CCTV (ii) Data Breaches (iii) Data Access Requests (iv) Record Storage and Retention (v) Data Processing Agreements.
Record of Processing Activities As a data controller the school is required to prepare a record of any processing activities (ROPA) that it undertakes. This record should include the following information (GDPR Article 30):

the purposes of the processing;
a description of the categories of data subjects and personal data;
the categories of recipients to whom the personal data will be disclosed;
any transfers to a third country or international organisation, including suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures.

Risk Assessment The school as data controller is required to consider any risks that may arise as a consequence of its processing activities. This assessment should consider both the likelihood and the severity of these risks and their potential impact on data subjects.
Data Protection Impact Assessment (DPIA) A DPIA is a type of risk assessment that is mandatory in specific circumstances (GDPR Article 35). The school will ensure that a DPIA is undertaken where this is appropriate, typically, where a new processing activity has the potential to have a high impact on individual privacy or rights. (The installation of an extensive CCTV system in a school is an example of a processing activity that might trigger the need for a Data Protection Impact Assessment.) The purpose of undertaking a DPIA is to ensure that any risks associated with the new processing activity are identified and mitigated in an appropriate manner.
Security of Processing As a consequence of having assessed the risks associated with its processing activities, the school will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. For example, these measures might include training of staff, establishment of password policies, protocols around device encryption, procedures governing access to special category data etc.

Data Protection by Design The school aims to apply the highest standards in terms of its approach to data protection. For example, school staff will utilise a Privacy by Design approach when any activity that requires the processing of personal data is being planned or reviewed. This may mean implementing technical measures (e.g. security) and organisational measures (e.g. protocols and training).
Data Protection by Default A Privacy by Default approach means that minimal processing of personal data is the school’s default position. In practice this means that only essential data will be collected from data subjects, and that within the school, access to this data will be carefully controlled and only provided to employees where this is appropriate and necessary.
Data Processing Agreements: the school will put written contracts in place with organisations that process data on its behalf (as required under GDPR Article 28).
Data Breach Records: the school will retain records that document its handling of any personal data breaches. These records will clearly set out the facts relating to any personal data breach, its effects and the remedial action taken.
Staff Awareness and Training: All who are granted access to personal data that is under the control of the school have a duty to observe the data processing principles. The school will provide appropriate information, training and support so that staff may gain a clear understanding of these requirements.

Lawful Processing

As part of its decision to collect, use or share personal data, the school as Controller will identify which of the lawful bases is applicable to each processing operation. In the absence of a lawful basis the personal data cannot be processed.

Many of school’s data processing activities rely on legal obligations. These tasks are undertaken because the school must comply with Irish (or European) law. For example, there is a legislative basis underpinning the sharing of specific student data with the Department of Education and Skills and other public bodies.
Another set of data processing activities are undertaken in the public interest i.e. so that the school can operate safely and effectively. For example, an educational profile of the student (literacy competence, language spoken at home etc.) may help the school to target learning resources effectively for the benefit of the student.
In some situations, for example the use of CCTV, the school may rely on its legitimate interests to justify processing. In such cases the specific legitimate interests (e.g. health and safety, crime prevention, protection of school property etc.) must be identified and notified to the data subjects.
Contract will provide a lawful basis for some processing of data by the school. For example, the processing of some employee data may rely on this lawful basis.
There is also the possibility that processing can be justified in some circumstances to protect the Vital Interests of a data subject, or another person. For example, sharing some data subject data with emergency services might rely on this lawful basis.
Finally there is the option of using a data subject’s consent as the lawful basis for processing personal data. The school will not rely on consent as the basis for processing personal data if another lawful condition is more appropriate. Consent will usually be the lawful basis used by the school to legitimise the publication of student photographs in print publications and electronic media.

Consent

Where consent is relied upon as the appropriate condition for lawful processing, then that consent must be freely given, specific, informed and unambiguous. All of these conditions must be satisfied for consent to be considered valid. There are a significant number of restrictions around using consent.

A separate consent will be sought for each processing activity (together with appropriate guidance as necessary to ensure the data subject is informed).
When asking for consent, the school will ensure that the request is not bundled together with other unrelated matters.
Consent requires some form of clear affirmative action. Consent can be provided by means of an oral statement.
Consent must be as easy to withdraw as to give.
A record should be kept of how and when consent was given.
The school will take steps to ensure the consent is always freely given i.e. that it represents a genuine choice and that the data subject does not feel under an obligation to consent to processing.
If the consent needs to be explicit, this means the school must minimise any future doubt about its validity. This will typically require the school to request and store a copy of a signed consent statement.

Special Category Data

Some personal data is defined as Special Category Data and the processing of such data is more strictly controlled. In a school context this will occur whenever data that relates to Special Needs or Medical Needs is being processed. GDPR Article 9 identifies a limited number of conditions, one of which must be applicable if the processing of special category data is to be lawful. Some of these processing conditions, those most relevant in the school context, are noted here.

Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law. This condition could provide an appropriate basis for processing of data relating to employee and student health e.g. proportionate sharing of special category data to ensure the school is compliant with provisions in health, safety and welfare legislation.
Processing is necessary for the assessment of the working capacity of an employee;….or for the provision of health or social care or treatment.. on the basis of Union or Member State law.
Processing is based on Explicit Consent. Where a school is processing biometric data for identification purposes (e.g. facial image recognition or the use of fingerprint systems) it is unlikely that this processing will be justifiable on any lawful basis other than consent. (And, as a data subject should be able to withhold consent without suffering any detriment, the school will need to provide access to an alternative processing option which is not reliant on biometric data.)

Transparency

The school as Controller is obliged to act with Transparency when processing personal data. This requires the communication of specific information to individuals in advance of any processing of their personal data.

Transparency is usually achieved by providing the data subject with a written document known as a Privacy Notice or a Privacy Statement. This notice will normally communicate:

the name of the controller and their contact details;
the categories of personal data being processed;
the processing purposes and the underlying legal bases;
any recipients (i.e. others with whom the data is shared/disclosed);
any transfers to countries outside the EEA (and safeguards used);
the storage period (or the criteria used to determine this);
the rights of the data subject.

Transparency information should be provided in a manner that is concise and easy to understand. To best achieve this, the school may use a "layering" strategy to communicate information. And, while a written Privacy Notice is the default mode, transparency information may also be communicated using other means, for example through the spoken word or through use of pictorial icons or video.
Privacy statements (include those used on school websites) should be regularly reviewed to take account of any enhancements, new practices or additional services which involve the collection and use of personal data.

Purpose Limitation

Personal data stored by the school has been provided by data subjects for a specified purpose or purposes. Data must not be processed for any purpose that is incompatible with the original purpose or purposes.
Retaining certain data (originally collected or created for a different purpose) with a view to adding to a school archive for public interest, scientific or historical research purposes or statistical purposes is acceptable subject to certain safeguards, most particularly the need to respect the privacy of the data subjects concerned.

Data Minimisation

As Controller, the school must ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In practice, this principle has a number of important implications illustrated in the examples below.

The school should ensure, when data is being collected from data subjects, that this is limited to what is necessary for the completion of the duties. For example, where information is being collected from students and parents/guardians, as part of the admissions process, this should be limited to whatever information is needed to operate the admissions process. This means that it is usually not appropriate for the school to seek information about Special Education Needs (SEN) in order to decide whether a place should be offered.
Data minimisation also requires that the sharing of student data within the school should be carefully controlled. Members of staff may require varying levels of access to student data and reports. Access should be restricted to those who have a defined processing purpose. Staff will not access personal data unless processing is essential to deliver on their role within the school.
School staff will necessarily create personal data in the course of their duties. However employees should ensure that this processing is necessary and appropriate. For example, while it will often be necessary for school staff to communicate information to each other by email, consideration should be given, on a case by case basis, as to whether it is necessary for personal data to be included in these communications.
Data sharing with external recipients should be continuously reviewed to ensure it is limited to that which is absolute necessary. This may mean, for example, that when the school is seeking professional advice, no personal data will be included in communications unless the disclosure of this information is essential.

Storage Limitation

Personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which it is being processed. Some personal data may be stored for longer periods insofar as the data is being processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

(i) When deciding on appropriate retention periods, the school’s practices will be informed by advice published by the relevant bodies (notably the Department of Education and Skills, the Data Protection Commission, and the school management advisory bodies ).

(ii) When documentation or computer files containing personal data are no longer required, the information is disposed of in a manner that respects the confidentiality of the data.

(iii) Data subjects are free to exercise a “right to erasure” at any time (also known as the “right to be forgotten”, see Data Subject Rights).

(iv) Data should be stored in a secure manner that recognises controller obligations under GDPR and the Data Protection Act. This requires the school for example, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Integrity and Confidentiality

Whenever personal data is processed by the school, technical and organisational measures are implemented to safeguard the privacy of data subjects. The school as controller is obliged to take its security responsibilities seriously, employing the most appropriate physical and technical measures, including staff training and awareness. These security procedures should be subject to regular review.

(ii) School employees are required to act at all times in a manner that helps to maintain the confidentiality of any data to which they have access. Guidance and training are important to help identify and reinforce appropriate protocols around data security.

(iii) The school is legally required to consider the risks to the data subject when any processing of personal data is taking place under its control. Any Risk Assessment should take particular account of the impact of incidents such as accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, the personal data.

(iv) As well considering the potential severity of any data incident, a risk assessment should also consider the likelihood of any incident occurring. In this way risks are evaluated on the basis of an objective assessment, by which it is established whether the data processing operations involve a risk or a high risk.

(v) The follow-on from any risk assessment is for the school to implement appropriate technical and organisational measures that ensure a level of security appropriate to the risk. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected (GDPR Recital 83).

(vi) As well as processing activities undertaken by staff, the school must also consider the risks associated with any processing that is being undertaken on behalf of the school by other individuals or organisations (Data Processors). Only processors who provide sufficient guarantees about the implementation of appropriate technical and organisational measures can be engaged.

(vii) The important contribution that organisational policies can make to better compliance with the Accountability principle was previously highlighted. Similarly, the implementation of agreed policies and protocols around data security is very helpful. Some possible areas are listed below.

o School ICT policy
o Acceptable User Polices for employees, board members, students etc
o Accessing school data from home
o Password policy
o Mobile phone and electronic devices policy
o Apps

Categories of Recipients

Department of Education and Skills (DES) The school is required to provide student data to the Department of Education and Skills (DES). This transfer of data is primarily made at the beginning of each academic year ("October Returns") using a secure Primary Online Database (POD) system. The October Returns contain individualised data such as PPS number which acts as an identifier to validate that the data belongs to a recognised student. The DES has published a "Fair Processing Notice" to explain how the personal data of students is processed.

Student support and welfare student data may be shared with a number of public state bodies including National Educational Psychological Service (NEPS psychologists support schools and students); National Council for Special Education (the NCSE role is to support schools and students with special education needs); National Education Welfare Board (the school is required to share student attendance with the NEWB).

Legal requirements where appropriate, particularly in relation to Child Protection and safeguarding issues, the school may be obliged to seek advice and/or make referrals to Túsla. The school may share personal data with An Garda Síochána where concerns arise in relation to child protection. The school will also report matters of alleged criminal acts, criminal behaviour, criminal damage, etc., to allow prevention, detection and investigation of offences. Where there is a lawful basis for doing so, personal data may also be shared with the Revenue Commissioners and the Workplace Relations Commission.

Insurance data may be shared with the school’s insurers where this is appropriate and proportionate. The school may also be obliged to share personal data with the Health and Safety Authority, for example, where this is required as part of an accident investigation.

Professional Advisors some data may be shared with legal advisors (solicitors, etc.), financial advisors (pension administrators, accountants, etc.) and others such as school management advisors; this processing will only take place where it is considered appropriate, necessary and lawful.

Other schools where the student transfers to another educational body, the school may be asked to supply certain information about the student, such as academic records etc. Note: Education Passport (6 th Class Report) provided to post-primary school, after the post-primary school confirms enrolment. These protocols are set out in DES Circulars 0042/2015, 0034/2016 and Circular 0056/2011 (Initial Steps in the Implementation of the National Literacy and Numeracy Strategy).

Voluntary Bodies some personal data may be shared as appropriate with bodies such as the school’s Parents Association. This data sharing will only take place where consent has been provided.

Other not-for-profit organisations limited data may be shared with recognised bodies who act to promote student engagement with co-curricular and other activities, competitions, recognition of achievements, etc. This would include bodies promoting participation in sports, arts, sciences, environmental and outdoor activities, etc. This data sharing will usually be based on consent.

Service Providers in some circumstances the school has appointed third parties to undertake processing activities on its behalf. These Data Processors have provided guarantees that their processing satisfies the requirements of the General Data Protection Regulation. The school has implemented written contractual agreements with these entities to ensure that the rights of data subjects receive an appropriate level of protection. Third party service providers include the following categories:

School Management Information Systems (e.g. Aladdin)
Productivity Applications (e.g. Google Apps for Education, Microsoft 365)
Online Storage & File Sharing (e.g. Dropbox, Google Drive, iCloud, OneDrive)
Video Sharing and Blogging Platforms (e.g. Youtube, Wordpress)
Virtual Learning Environments (e.g. Edmodo, Schoology, Schoolwise, Google Classroom)
IT Systems Support (local ICT Support Company)
Fee management software (Name)
School communications (Twitter)
Security and CCTV Systems
Accounting & Payroll software (Thesaurus)
Learning software and Apps

Transfers Abroad In the event that personal data may be transferred outside the European Economic Area (EEA) the school will ensure that any such transfer, and any subsequent processing, is carried out in strict compliance with recognised safeguards or derogations (i.e., those approved by the Irish Data Protection Commission).

Managing Rights Requests

MANAGING RIGHTS REQUESTS

o Responding to rights requests

(i) The school will log the date of receipt and subsequent steps taken in response to any valid request. This may include asking the data subject to complete an Access Request Form in order to facilitate efficient processing of the request. There is no charge for this process.

(ii) The school is obliged to confirm the identity of anyone making a rights request and, where there is any doubt on the issue of identification, will request official proof of identity (e.g. photographic identification such as a passport or driver’s licence).

(iii) If requests are manifestly unfounded or excessive , in particular because of their repetitive character, the school may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.

(iv) The school will need to confirm that sufficient information to locate the data requested has been supplied (particularly if CCTV footage/images are to be searched ). Where appropriate the school may contact the data subject if further details are needed.

(v) In responding to rights requests (e.g. data access requests) the school will ensure that all relevant manual and automated systems (computers etc.) are checked.

(vi) The school will be conscious of the need to respond without undue delay and within the advised timeframes. A response will be made within one month of receipt of any request.

(vii) The school must be conscious of the restrictions that apply to rights requests. Where unsure as to what information to disclose, the school reserves the right to seek legal advice.

(viii) Where a request is not being fulfilled, the data subject will be informed as to the reasons and the mechanism for lodging a complaint, including contact details for the Data Protection Commission.

(ix) Where action has been taken by the school with regard to rectification, erasure or restriction of processing, the school will ensure that relevant recipients (i.e. those to whom the personal data has been disclosed) are appropriately informed.

Format of Information supplied in fulfilling a request

(i) The information will be provided in writing, or by other means, including where appropriate, by electronic means. (When requested by a data subject the information access may be provided in alternative means e.g. orally.)

(ii) The school will endeavour to ensure that information is provided in an intelligible and easily accessible format.

(iii) Where a request relates to video, then the school may offer to provide the materials in the form of a series of still images. If other people’s images cannot be obscured, then it may not prove possible to provide access to the personal data.

RATIFICATION & COMMUNICATION

This policy was ratified at the BoM meeting on June 11th 2019 and will be made available to the school community through the school website.

MONITORING THE IMPLEMENTATION OF THE POLICY

The implementation of the policy shall be monitored by the Principal, staff and the Board of Management.

REVIEWING AND EVALUATING THE POLICY

The policy will be reviewed and evaluated after 2 years. On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or TUSLA), legislation and feedback from parents/guardians, pupils, school staff and others.

Reference sites

Data Protection Act 2018 http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html

General Data Protection Regulation (GDPR official text) 2016 https://eur-lex.europa.eu/eli/reg/2016/679/oj

General Data Protection Regulation (GDPR unofficial web version) 2016 https://gdpr-info.eu/

GDPR for Schools website https://gdpr4schools.ie/

Data Protection for Schools http://dataprotectionschools.ie/en/

Irish Data Protection Commission https://www.dataprotection.ie/

Data Breach Report https://forms.dataprotection.ie/report-a-breach-of-personal-data

European Data Protection Board (EDPB) https://edpb.europa.eu/

EDPB Guidelines, Recommendations and Best Practices on GDPR https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

PDST Technology in Education https://www.pdsttechnologyineducation.ie

Cyber Security Centre (Ireland) https://www.ncsc.gov.ie/

Cyber Security Centre (UK) https://www.ncsc.gov.uk/