Data Protection Legislation

Information on data protection legislation.

Data Protection legislation governs how all personal and sensitive data is processed. It gives individuals (data subjects) rights in how their data is collected, used, stored, shared and disposed of. It requires data controllers - that is anyone who processes personal data, such as a school - to notify the Information Commissioner's Office of the types of personal data that they hold and the purposes for which it will be used.

All data processing must comply with 6 core data protection principles. The principles state that personal data must be:

  1. Processed fairly, lawfully and transparently
  2. Obtained for a specific, explicit and legitimate purpose/s
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and where necessary up to date
  5. Not kept longer than is necessary
  6. Handled ensuring appropriate security

Personal data must also be processed in accordance with the rights of data subjects. These rights in brief are:

The right to be informed - Data subjects must be provided with a minimum of information regarding the collection and further processing of their personal data.

The right of access - Anyone has the right to obtain confirmation if data is being processed and then have a copy of their personal data. If a school is asked to provide personal information to the data subject, it is known as a 'Subject Access Request'. You must provide the enquirer with their data in accordance with the provisions of the legislation.

The right to rectification - Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.

The right to erasure - Data subjects have ‘the right to be forgotten’ and can request that their data be erased where there is no compelling reason for its continued processing.

The right to restrict - Data subjects have a right to request that processing of their data be stopped when certain conditions apply.

The right to data portability - Data subjects are entitled to receive a copy of their personal data in a commonly used machine-readable format, and to transfer their personal data.

The right to object - Data subjects have the right to object to the processing of their personal data under certain circumstances. 

Automated decision making and profiling rights.

The legislation also states that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection. This includes where personal data may be held on Third Party servers.

In order to comply with the Data Protection legislation, schools need to ensure that they have a Privacy Notice in place. More information can be found on the Privacy Notice page.
