Legislation and guidance

This policy meets the requirements of the GDPR (General Data Protection Regulation) and the expected provisions of the Data Protection Law 2020. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR.
It meets the requirements of the Protection of Freedoms Act 2012 when referring to our use of biometric data.
It also reflects the ICO’s code of practice for the use of surveillance cameras and personal information.
The data controller Our Academy processes personal data relating to parents, students, staff, Governors, visitors and others, and therefore is a data controller.

Roles and responsibilities

This policy applies to all staff employed by our Academy, and to external organizations or individuals working on our behalf. Staff who do not comply with this policy may face disciplinary action.

DATA PROTECTION OFFICER

The data protection officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.

Principal

The Principal acts as the representative of the data controller on a day-to-day basis.

All staff

Staff are responsible for:

• Collecting, storing and processing any personal data in accordance with this policy
• Informing the Academy of any changes to their personal data, such as a change of address



Contacting the DATA PROTECTION OFFICER in the following circumstances:

• With any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure
• If they have any concerns that this policy is not being followed
• If they are unsure whether or not they have a lawful basis to use personal data in a particular way
• If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside INDIA
• If there has been a data breach
• Whenever they are engaging in a new activity that may affect the privacy rights of individuals
• If they need help with any contracts or sharing personal data with third parties.

Data security and storage of records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage

In particular

• Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use
• Papers containing confidential personal data must not be left on office and classroom desks, on staff room tables, pinned to notice/display boards, or left anywhere else where there is general access
• Where personal information needs to be taken off site, staff must sign it in and out from the Academy office
• Passwords that are at least 8 characters long containing letters and numbers are used to access Academy computers, laptops and other electronic devices. Staff and students are reminded to change their passwords at regular intervals
• Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices
• Staff, students or governors who store personal information on their personal devices are expected to follow the same security procedures as for Academy-owned equipment.
• Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected

Disposal of records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.

For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on the Academy’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law

Photographs and videos

As part of our Academy activities, we may take photographs and record images of individuals within TIS.

We will obtain written consent from parents/carers, or students aged 18 and over, for photographs and videos to be taken of students for communication, marketing and promotional materials upon enrollment to the Academy

Where we need parental consent, we will clearly explain how the photograph and/or video will be used to both the parent/carer and student. Where we don’t need parental consent, we will clearly explain to the student how the photograph and/or video will be used.

Any photographs and videos taken by parents/ carers at the Academy for their own personal use are not covered by data protection legislation. However, we will ask that photos or videos are not taken of other students unless express permission has been provided.

Uses may include:

• Within the Academy on notice boards and in the Academy prospectus, display photos around the Academy, and the Academy newsletters.
• Outside of the Academy by external agencies such as the Academy photographer, newspapers, and campaigns.
• Online on our Academy website or social media pages.

Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.

When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.

CCTV

We use CCTV in various locations around the Academy site to ensure it remains safe. We will adhere to the ICO’s code of practice for the use of CCTV.

We do not need to ask individuals’ permission to use CCTV, but we make it clear where individuals are being recorded. Security cameras are clearly visible and accompanied by prominent signs explaining that CCTV is in use.

Only SCHOOL LEADERSHIP TEAM can view CCTV footage to assist with any investigation. Any enquiries about the CCTV system should be directed to the Principal.