Data Protection Policy
Data Protection Policy
Introductory Statement
Kolbe Special School’s Data Protection Policy applies to the personal data held by the school which is protected by the Data Protection Acts 1998 and 2003.
This policy applies to all school staff, the Board of Management, parents/guardians, students on work experience insofar as the measures under the policy relate to them. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the manner in which personal data and sensitive data will be protected by the school.
Data Protection Principles
Kolbe Special School is a Data Controller of personal information relating to its past, present and future staff, students, parents/guardians and other members of the school community and therefore under the Data Protection Acts, 1998 and 2003 it has a legal responsibility to
The purpose of this Data Protection Policy is to endeavour:
To protect the privacy rights of the individual pupils, the staff, parents/guardians, students on work placement in accordance with Data Protection legislation.
To ensure that Personal Data in Kolbe Special School’s possession is held in a safe and secure manner.
To support staff to meet their legal responsibilities set out in the Eight Data Protection Principles.
To protect Kolbe Special School from the consequences of a breach of its responsibilities.
Policy Statement
Kolbe Special School will endeavour to:
Comply with both the Data Protection Acts and good practice.
Respect individual’s rights.
Be open and honest with individual’s whose data is held.
Policy Scope
The Data Protection Acts 1998 and 2003 apply to the keeping and processing of personal data, both in manual and electronic form. The purpose of this policy is to assist Kolbe Special School meet its statutory obligations, to explain those obligations to all school staff and to inform staff, parents and guardians, students on work experience and volunteers how their data will be treated.
This policy applies to all staff, the board of management, parents and guardians, pupils, students on work experience and others (including prospective and potential students and their parents/guardians, students applying for work experience and applicants for staff positions within the school) insofar as the school handles or processes their personal data in the course of their dealings with the school.
Definition of Data Protection Terms
Access Request – is where a person makes a request to an organisation for the disclosure of their Personal Data under section 4 of the Data Protection Acts.
Data – means information in a form that can be processed. It includes both automated data and manual data. Automated data means any information on computer, or information recorded with the intention that it be processed by computer. Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it forms part of a relevant filing system.
Data Controller – for the purpose of this policy is the Board of Management of Kolbe Special School.
Data Processing – is the performance of any operation on data including:
Obtaining, recording or keeping the data;
Collecting, organising, storing, altering or adapting the data;
Retrieving, consulting or using the data;
Disclosing the data by transmitting, disseminating or otherwise making it available;
Aligning, combining, blocking, erasing or destroying the data.
Personal Data – is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller. It includes information in the form of photographs, audio and video recordings and text messages.
Relevant Filing System – is any set of information organised by name, date of birth, PPS number, payroll number or any other unique identifier.
Sensitive Personal Data – refers to personal data regarding a person’s
Racial or ethnic origin, political opinions or religious or philosophical beliefs
Membership of a trade union
Physical or mental health or sexual life
Commission or alleged commission of any offence or
Any proceedings for an offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings, criminal convictions or the alleged commission of any offence.
Rationale
Why is it necessary to devise a data protection policy at this time?
Kolbe Special School seeks to
Staff records: These may include:
Purpose of staff records:
Format: These records will be kept as both a manual record (personal file within filing system) and a computer record (database).
Student records: These may include:
Purpose for keeping student records may include: to enable each student to develop his/her full potential, to comply with legislative or administrative requirements, to ensure that eligible students can benefit from the relevant additional teaching or financial supports, to support the provision of religious instruction, to enable parent/guardians to be contacted in the case of emergency etc.
In the classroom all pupils’ data will be kept in the pupil’s individual Red Folder. This data will include IEP reports, class plans, Multi-disciplinary recommendations, Dietician recommendations, End of Year reports only. The staff working within the class will have full access to this folder. Only student teachers and student nurses will have limited supervised access to the pupil’s red folder under the direct supervision of the class teacher.
Format: These records will be kept both as a manual record (personal file within filing system) and a computer record (database).
Board of Management records: These may include:
Purpose for keeping Board of Management records may include: a record of board appointments, documenting decisions made by the board etc. in accordance with the Education Act 1998.
Format: These records will be kept both as a manual record (personal file within filing system) and a computer record (database).
“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student's parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”
See Appendix 1 for a sample statement which could be included on relevant forms when personal information is being requested.
The following prompt questions should be regarded as a checklist in proofing the arrangements for adherence to each of the eight rules:
In general, personal data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and schools need to exercise their individual judgement in this regard in relation to each category of records held. However, the following particular requirements should be met:
Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge post dates their 18th birthday. While schools may wish to draw up their own policies as to how long to retain such records, it would appear prudent not to destroy records likely to be relevant in litigation at least until the six year limitation period has expired.
In line with the above, it is suggested that the information on student files might, as a general rule, be retained for a period of six years after the student has completed the Senior Cycle and/or reached the age of 18.
Consent to take photos or make video/audio recordings of the pupils
Any photograph, video or audio recording of a pupil constitutes their personal data and therefore, subject to the provisions of the Data Protection Acts. In all instances where a photograph is taken, a video or audio recording is made the explicit consent of the pupils parent/guardian must be sought for its use or publication in any medium for example the school website or the local paper. At the beginning of each school year parents will be asked to sign their consent.
For staff or students on work experience who are undertaking a course of study and who require photographic or video evidence must seek parental/guardian consent prior to their studies. For such assignments a pupil’s face will not appear in any photographs/videos.
Parents/guardians are permitted to take photographs or make video/audio recordings for their own personal use e.g. Christmas concert, Graduation, School celebrations, First Communion and Confirmation.
Providing Information over the Phone
At Kolbe Special School any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the school over the phone. In particular the staff member should
Data Breach Management
A data breach may happen for a number of reasons
There are three elements to managing a data breach
The Board of Management will immediately convene to deal with the data breach. The Board may appoint a school data breach management team to include the Chairperson, one or more members of the Board of Management, the principal and deputy principal.
The team will assess the incident details and the risks involved including
The school principal/Chairperson of the Board of Management will be responsible for contacting the ODPC to inform them of the data breach on 1890-252-231 or [email protected]
The school data breach management team in consultation with the ODPC will decide in the particular circumstance if it is appropriate to inform the persons whose data has been breached. In this regard Kolbe Special School will be aware of the dangers of “over notifying” as not every incident will warrant notification.
When notifying individuals the School data breach management team will consider the most appropriate medium for doing so. Specific and clear advice will be given to those individuals affected by the data breach, on the steps they can take to protect themselves and what Kolbe Special School is willing to do in order to assist them.
The school management team will also consider notifying third parties such as An Garda Siochana.
Links to Other Policies and Curriculum Delivery
School policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place, being developed or reviewed, should be examined with reference to the data protection policy and any implications which it has for them should be addressed.
The following policies may be among those considered:
Implementation Arrangements, Roles and Responsibilities
In Kolbe Special School the Board of Management is the data controller and the principal will be assigned the role of co-ordinating implementation of this Data protection policy and for ensuring that staff handle or have access to personal data are familiar with their data protection responsibilities.
The following personnel have responsibility for implementing the Data Protection Policy:
Name Responsibility
Board of Management Data Controller
Principal Implementation of Policy
Teaching personnel Awareness of responsibilities
Administrative personnel Security, confidentiality
Ratification and Communication
When the finalised draft policy has been ratified by the Board of Management, it becomes the school's agreed Data Protection Policy. It should then be circulated within the school community. The entire staff must be familiar with the policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on students, staff and others in the school community.
Parents/guardians will be given a copy of the Data Protection Policy as part of the enrolment pack. A copy of the Data Protection Policy will be made available on the school website.
Monitoring the implementation of the policy
The implementation of this policy shall be monitored by the principal/deputy principal and the Board of Management.
At least one annual report will be made available to the Board of Management to confirm that the actions/measures set down in this policy are being implemented.
Reviewing and evaluating the policy
This policy will be reviewed every three years or earlier if deemed appropriate, to ensure it remains comprehensive, up-to-date with current legislation and relevant good practice.
Signed: __________________________
Chairperson
Date: ___________________________
Appendix 1
Sample Data Protection Statement for inclusion on relevant forms when personal information is being requested
The information collected on this form will be held by Kolbe Special School in manual and in electronic format. The information will be processed in accordance with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003.
The purpose of holding this information is ….. (School should insert the relevant information eg. for administration, to facilitate the school in meeting the student’s educational needs etc. ).
Disclosure of any of this information to statutory bodies such as the Department of Education and Science or its agencies will take place only in accordance with legislation or regulatory requirements. Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school wishes to disclose this information to a third party for any other reason.
Parents/Guardians of students and students aged 18 or over have a right to access the personal data held on them by the school and to correct it if necessary.
I consent to the use of the information supplied as described.
Signed Parent/Guardian: _________________________
Signed Student: _________________________
Appendix 2
To be completed in the event of a data breach
Incident Details
Description of the incident
Date and time of the incident
Name of person reporting the incident and to whom it was reported
The type of data involved and the sensitive nature of same
Was the data encrypted?
Details of Information Technology (IT) systems involved
Include any other relevant supporting information deemed appropriate
Data Protection Policy
Introductory Statement
Kolbe Special School’s Data Protection Policy applies to the personal data held by the school which is protected by the Data Protection Acts 1998 and 2003.
This policy applies to all school staff, the Board of Management, parents/guardians, students on work experience insofar as the measures under the policy relate to them. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the manner in which personal data and sensitive data will be protected by the school.
Data Protection Principles
Kolbe Special School is a Data Controller of personal information relating to its past, present and future staff, students, parents/guardians and other members of the school community and therefore under the Data Protection Acts, 1998 and 2003 it has a legal responsibility to
- Obtain and process personal information data fairly: Information on students is gathered with the help of parents/guardians and staff. Information on students is also transferred from their previous school settings and the multi-disciplinary team. In relation to information the school holds on other individuals, this information is generally furnished by the individuals themselves with full and informed consent and compiled during the course of their employment or contact with the school. All such data is treated in accordance with the Data Protection Acts and the terms of this policy. The information will be obtained and processed fairly.
- Keep Personal data only for one or more specified, explicit and lawful purposes: Kolbe Special School will inform individuals of the reasons they collect their data and will inform individuals of the uses to which their data will be put. All information will be kept with the best interest of the individual in mind at all times.
- Process Personal Data only in ways compatible with the purposes for which it was given initially: Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. Information will only be disclosed on a need to know basis and access will be strictly controlled.
- Keep Personal Data safe and secure: Only those with a genuine reason for doing so may gain access to the information. Sensitive Personal Data is securely stored under lock and key for all manual records and protected with firewall software and password protection for electronically stored data. Confidential information will be stored securely and in relevant circumstances, it will be placed in a separate file which can easily be removed if access to general records is granted to anyone not entitled to see the confidential data.
- Keep Personal Data accurate, complete and up-to-date: Parents/guardians, staff and students on placement should inform the school of any change which the school should make to their personal data and /or sensitive personal data to ensure that the individual’s data is accurate, complete and up-to-date. Records must not be altered or destroyed without proper authorisation. If alteration/correction is required, then a note of the fact of such authorisation and the alterations to be made to any original record/documentation should be dated and signed by the person making that change.
- Ensure that Personal Data is accurate, relevant and not excessive: Only the relevant amount of information required to provide an adequate service will be gathered and stored.
- Retain Personal Data no longer than is necessary for the specified purpose or purposes for which it was given: Pupils: information will be kept for the duration of the pupil’s time at Kolbe Special School. Thereafter, the school will comply with the Department of Education and Skills guidelines on the storage of Personal Data and Sensitive Personal Data relating to individual students. Staff: Kolbe Special School will comply with both the Department of Education and Skills guidelines and the requirements of the Revenue Commissioners with regard to the retention of records relating to employees.
- Provide a copy of his/her Personal Data to any individual, on request: Individuals have the right to know what personal data/sensitive personal data is held about them, by whom and the purpose for which it is held.
The purpose of this Data Protection Policy is to endeavour:
To protect the privacy rights of the individual pupils, the staff, parents/guardians, students on work placement in accordance with Data Protection legislation.
To ensure that Personal Data in Kolbe Special School’s possession is held in a safe and secure manner.
To support staff to meet their legal responsibilities set out in the Eight Data Protection Principles.
To protect Kolbe Special School from the consequences of a breach of its responsibilities.
Policy Statement
Kolbe Special School will endeavour to:
Comply with both the Data Protection Acts and good practice.
Respect individual’s rights.
Be open and honest with individual’s whose data is held.
Policy Scope
The Data Protection Acts 1998 and 2003 apply to the keeping and processing of personal data, both in manual and electronic form. The purpose of this policy is to assist Kolbe Special School meet its statutory obligations, to explain those obligations to all school staff and to inform staff, parents and guardians, students on work experience and volunteers how their data will be treated.
This policy applies to all staff, the board of management, parents and guardians, pupils, students on work experience and others (including prospective and potential students and their parents/guardians, students applying for work experience and applicants for staff positions within the school) insofar as the school handles or processes their personal data in the course of their dealings with the school.
Definition of Data Protection Terms
Access Request – is where a person makes a request to an organisation for the disclosure of their Personal Data under section 4 of the Data Protection Acts.
Data – means information in a form that can be processed. It includes both automated data and manual data. Automated data means any information on computer, or information recorded with the intention that it be processed by computer. Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it forms part of a relevant filing system.
Data Controller – for the purpose of this policy is the Board of Management of Kolbe Special School.
Data Processing – is the performance of any operation on data including:
Obtaining, recording or keeping the data;
Collecting, organising, storing, altering or adapting the data;
Retrieving, consulting or using the data;
Disclosing the data by transmitting, disseminating or otherwise making it available;
Aligning, combining, blocking, erasing or destroying the data.
Personal Data – is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller. It includes information in the form of photographs, audio and video recordings and text messages.
Relevant Filing System – is any set of information organised by name, date of birth, PPS number, payroll number or any other unique identifier.
Sensitive Personal Data – refers to personal data regarding a person’s
Racial or ethnic origin, political opinions or religious or philosophical beliefs
Membership of a trade union
Physical or mental health or sexual life
Commission or alleged commission of any offence or
Any proceedings for an offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings, criminal convictions or the alleged commission of any offence.
Rationale
Why is it necessary to devise a data protection policy at this time?
- Schools are obliged to comply with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003 (henceforth referred to as the Data Protection Acts)
- Under Section 9(g) of the Education Act, 1998, the parents of a student, or a student who has reached the age of 18 years, must be given access to records kept by the school relating to the progress of the student in his or her education.
- Under Section 20 of the Education (Welfare) Act, 2000, the school must maintain a register of all students attending the school.
- Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day.
- Under Section 28 of the Education (Welfare) Act, 2000, the data controller may supply personal data kept by him or her, or information extracted from such data, to the data controller of another prescribed body if he or she is satisfied that it will be used for a “relevant purpose” only. See Section B.3 under Key Measures below. #
Kolbe Special School seeks to
- Enable each student to develop to their full potential
- Provide each pupil with a safe and secure environment for learning
- Promote respect for the diversity of values, beliefs, traditions and cultures
- Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case
Staff records: These may include:
- Name, address and contact details, PPS number
- Original records of application and appointment
- Record of appointments to promotion posts
- Details of approved absences (career breaks, parental leave, study leave etc.)
- Details of work record (qualifications, classes taught, subjects etc)
- Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties.
- Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files.
Purpose of staff records:
- The management and administration of school business
- To facilitate the payment of staff, calculate other benefits/entitlements i.e. entitlements, pension, redundancy etc.
- To facilitate pension payments in the future
- Human resources management
- Recording promotions made and changes in responsibilities etc.
- To enable the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment – to include complying with its responsibilities under the Safety, Health and Welfare at Work Act 2005
- To enable the school to comply with requirements set down by the Department of education and Skills, the Revenue Commissioners, the NCSE, TUSLA,the HSE and any other governmental, statutory and/or regulatory departments/agencies.
- For compliance with legislation relevant to the school.
Format: These records will be kept as both a manual record (personal file within filing system) and a computer record (database).
Student records: These may include:
- Information which may be sought and recorded at enrolment, including:
- name, address and contact details, PPS number
- names and addresses of parents/guardians and their contact details
- religious belief
- racial, ethnic or national origin
- membership of the Traveller community, where relevant
- any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
- Information on previous academic record
- Psychological assessments
- Medical Records – Doctor’s Letters; Dietician Reports
- Multi-disciplinary Reports – Physiotherapy, Occupational Therapy and Speech and Language Recommendations/Reports
- Attendance Records
- Academic record – subjects studied, learning outcomes, evalucation/progress
- Records of significant achievements
- Records of disciplinary issues and/or sanctions imposed
- Individual Education Plans (IEP)
- Behaviours of Concern tick sheets
- Other records e.g. records of any serious injuries/accidents etc.
Purpose for keeping student records may include: to enable each student to develop his/her full potential, to comply with legislative or administrative requirements, to ensure that eligible students can benefit from the relevant additional teaching or financial supports, to support the provision of religious instruction, to enable parent/guardians to be contacted in the case of emergency etc.
In the classroom all pupils’ data will be kept in the pupil’s individual Red Folder. This data will include IEP reports, class plans, Multi-disciplinary recommendations, Dietician recommendations, End of Year reports only. The staff working within the class will have full access to this folder. Only student teachers and student nurses will have limited supervised access to the pupil’s red folder under the direct supervision of the class teacher.
Format: These records will be kept both as a manual record (personal file within filing system) and a computer record (database).
Board of Management records: These may include:
- Name, address and contact details of each member of the board of management
- Records in relation to appointments to the board
- Minutes of Board of Management meetings and correspondence to the board, which may include references to particular individuals.
Purpose for keeping Board of Management records may include: a record of board appointments, documenting decisions made by the board etc. in accordance with the Education Act 1998.
Format: These records will be kept both as a manual record (personal file within filing system) and a computer record (database).
- Details of arrangements in place to ensure compliance with the eight rules of data protection
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to that individual on request.
“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student's parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”
See Appendix 1 for a sample statement which could be included on relevant forms when personal information is being requested.
The following prompt questions should be regarded as a checklist in proofing the arrangements for adherence to each of the eight rules:
- Obtain and process information fairly:
- Are procedures in place to ensure that staff members, parents/guardians and students are made fully aware when they provide personal information of the identity of the persons who are collecting it, the purpose in collecting the data, the persons or categories of persons to whom the data may be disclosed and any other information which is necessary so that processing may be fair (as stated above, the sample statement in Appendix 1 could be included on relevant forms where personal information is being requested).
- Is personal information processed fairly in accordance with the Data Protection Acts, with consent being obtained from staff members, parents/guardians or students, where required? See A Guide for Data Controllers (pg. 7 and 8) for a list of exemptions from obtaining consent.
- Is sensitive personal information processed fairly in accordance with the Data Protection Acts, with explicit consent being obtained from staff members, parents/guardians or students, where required? See A Guide for Data Controllers (pg. 8) for a list of exemptions from obtaining consent.
- Keep it only for one or more specified, explicit and lawful purposes:
- That the persons whose data is collected know the reason/s why it is collected and kept.
- The purpose for which the data is collected and kept a lawful one.
- That school management is aware of the different sets of data which are kept and the specific purpose of each?
- Use and disclose it only in ways compatible with these purposes:
- That data is used only in ways consistent with the purpose/s for which it was obtained
- That there is a procedure in place, which is in accordance with the Data Protection Acts to facilitate the transfer of information to another school when a student transfers.
Note: Under Section 20 of the Education (Welfare) Act, 2000, each school principal must maintain a register with the names of all children attending that school. When a child is transferring from the school, the principal must notify the principal of the new school of any problems relating to school attendance that the child concerned had and of any other matters relating to the child’s educational progress that he or she considers appropriate. Under Section 28 of the Act, schools may supply personal data, or information extracted from such data, to other schools or another prescribed body if they are satisfied that it will be used in recording the student’s educational history, monitoring the student’s educational progress or developing the student’s full educational potential. The bodies which have been prescribed (and so can share information) under Section 28 are: - The Minister for Education and Skills (which includes the Inspectorate and the National Educational Psychological Service (NEPS)
- The National Council for Special Education (NCSE)
- The National Educational Welfare Board (NEWB)
- Each school recognised in accordance with section 10 of the Education Act, 1998
- Each place designated by the Minister under section 10 of the Education Act, 1998 to be a centre for education.
- In what circumstances will personal data be disclosed to third parties, including the Department of Education and Science, the NEWB, Gardaí, in legal proceedings, HSE personnel etc.?
- Is there a procedure in place, which is in accordance with the Data Protection Acts to facilitate the transfer of personal data abroad? See A Guide for Data Controllers (pg. 17).
- Data can be disclosed when required by law
- Data can generally be disclosed to an individual himself/herself or with his/her consent (see 8 below).
- Keep it safe and secure:
- Is access to the information (including authority to add/amend/delete records) restricted to authorised staff on a “need to know” basis?
- Who has access to what information based on this “need to know” policy?
- Are computer systems password protected and encrypted?
- Is information on computer screens and manual files kept out of view of callers to the school/office?
- Are back-up procedures in operation for computer held data, including off-site back-up?
- Are all reasonable measure taken to ensure that staff are made aware of the security measures, and comply with them?
- Are all waste papers, printouts etc. disposed of carefully?
- Are steps taken to ensure that no unauthorised person can access data from computers which are no longer in use or subject to change of use?
- Is there a designated person responsible for security?
- Are there periodic reviews of the measures and practices in place?
- Are premises secure when unoccupied?
- Is there a contract in place with any data processor which imposes an equivalent security obligation on the data processor?
- Keep it accurate, complete and up-to-date:
- It is important that clerical and computer procedures are adequate to ensure high levels of data accuracy.
- That appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
- Staff are responsible for ensuring that they inform the school principal of any changes in their personal details, e.g. change of address.
- Ensure that it is adequate, relevant and not excessive:
- That information held is adequate in relation to the purpose/s for which it is kept.
- That information held is relevant in relation to the purpose/s for which it is kept.
- That information held not excessive in relation to the purpose/s for which it is kept.
- Only information necessary for the stated purpose should be collected, nothing more.
- A periodic review will be carried out by class teachers, nurses and the principal, to examine the relevance of personal data sought from individual staff, pupils and families, through the various channels by which information is collected.
- Retain it for no longer than is necessary for the purpose or purposes:
- Staff should be clear regarding the length of time Data will be kept and the reason why the information is being retained.
- Personal data collected for one purpose, should not be retained once that purpose has ceased.
- Exceptions may apply from specific legislation which requires information to be retained for particular periods.
- Personal data should be disposed of securely when no longer required. The method should appropriate to the sensitivity of the data. Shredding is appropriate for paper records and reformatting or overwriting for electronic data.
- Particular care is to be taken when transferring, pupils files and information from one class teacher to another class teacher.
- To ensure that there are management, clerical and computer procedures in place to implement this policy.
In general, personal data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and schools need to exercise their individual judgement in this regard in relation to each category of records held. However, the following particular requirements should be met:
- School registers and roll books are required to be kept indefinitely within the school. Consideration is being given to amending the Data Protection Acts to allow schools to deposit completed school registers and roll books which are no longer required for administrative purposes with the Local Authority Archive Service. The Department will notify schools of any changes to the Acts in this regard.
- Pay, taxation and related school personnel service records should be retained indefinitely within the school.
- Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving school personnel/students or accidents occurring on school property), the relevant records should be retained until the possibility of litigation ceases.
Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge post dates their 18th birthday. While schools may wish to draw up their own policies as to how long to retain such records, it would appear prudent not to destroy records likely to be relevant in litigation at least until the six year limitation period has expired.
In line with the above, it is suggested that the information on student files might, as a general rule, be retained for a period of six years after the student has completed the Senior Cycle and/or reached the age of 18.
- Give a copy of his/her personal data to that individual on request
- a copy of the data which is kept about him/her
- know the purpose/s for processing his/her data
- know the identity of those to whom the data is disclosed
- know the source of the data, unless it is contrary to public interest
- know the logic involved in automated decisions
- a copy of any data held in the form of opinions, except where such opinions were given in confidence.
- apply in writing
- give any details which might be needed to help identify him/her and locate all the information you may keep about him/her
- pay an access fee if the school wishes to charge one. The school need not do so, but if it does it cannot exceed the prescribed amount of €6.35.
Consent to take photos or make video/audio recordings of the pupils
Any photograph, video or audio recording of a pupil constitutes their personal data and therefore, subject to the provisions of the Data Protection Acts. In all instances where a photograph is taken, a video or audio recording is made the explicit consent of the pupils parent/guardian must be sought for its use or publication in any medium for example the school website or the local paper. At the beginning of each school year parents will be asked to sign their consent.
For staff or students on work experience who are undertaking a course of study and who require photographic or video evidence must seek parental/guardian consent prior to their studies. For such assignments a pupil’s face will not appear in any photographs/videos.
Parents/guardians are permitted to take photographs or make video/audio recordings for their own personal use e.g. Christmas concert, Graduation, School celebrations, First Communion and Confirmation.
Providing Information over the Phone
At Kolbe Special School any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the school over the phone. In particular the staff member should
- Check the identity of the caller to ensure the information is only given to a person who is entitled to the information.
- Suggest that the caller put their request in writing if the staff member is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be identified.
- Refer the request to the principal for assistance in difficult situations. No staff member should feel forced into disclosing personal information.
Data Breach Management
A data breach may happen for a number of reasons
- Loss or theft of equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error e.g. misaddressing an email
- Unforeseen circumstances such as flood or fire
- Computer hacking
- Access where information is detained by deception
There are three elements to managing a data breach
- Incident Details
- Notification of data breach and Risk Assessment
- Evaluation and Response
- Incident Details – see Appendix 2
- Description of the incident
- Date and time of the incident
- Date and time it was detected
- Who reported the incident and to whom it was reported
- The type of data involved and how sensitive it was
- The number of individuals affected by the breach
- Was the data encrypted?
- Details of the Information Technology (IT) systems involved
- Other relevant supporting material
- Notification of Data Breach and Risk Assessment
The Board of Management will immediately convene to deal with the data breach. The Board may appoint a school data breach management team to include the Chairperson, one or more members of the Board of Management, the principal and deputy principal.
The team will assess the incident details and the risks involved including
- What type of data was involved?
- How sensitive is the data involved?
- How many individual’s “Personal Data” are affected by the breach?
- Were there protections in place? E.g. encryptions
- What are the potential adverse consequences for individuals and how serious or substantial are they likely to be?
- How likely is it that adverse consequences will materialise?
- External Notification
The school principal/Chairperson of the Board of Management will be responsible for contacting the ODPC to inform them of the data breach on 1890-252-231 or [email protected]
The school data breach management team in consultation with the ODPC will decide in the particular circumstance if it is appropriate to inform the persons whose data has been breached. In this regard Kolbe Special School will be aware of the dangers of “over notifying” as not every incident will warrant notification.
When notifying individuals the School data breach management team will consider the most appropriate medium for doing so. Specific and clear advice will be given to those individuals affected by the data breach, on the steps they can take to protect themselves and what Kolbe Special School is willing to do in order to assist them.
The school management team will also consider notifying third parties such as An Garda Siochana.
Links to Other Policies and Curriculum Delivery
School policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place, being developed or reviewed, should be examined with reference to the data protection policy and any implications which it has for them should be addressed.
The following policies may be among those considered:
- Child Protection Policy
- Guidance Plan
- Anti-Bullying Policy
- Substance Use Policy
- Code of Behaviour.
Implementation Arrangements, Roles and Responsibilities
In Kolbe Special School the Board of Management is the data controller and the principal will be assigned the role of co-ordinating implementation of this Data protection policy and for ensuring that staff handle or have access to personal data are familiar with their data protection responsibilities.
The following personnel have responsibility for implementing the Data Protection Policy:
Name Responsibility
Board of Management Data Controller
Principal Implementation of Policy
Teaching personnel Awareness of responsibilities
Administrative personnel Security, confidentiality
Ratification and Communication
When the finalised draft policy has been ratified by the Board of Management, it becomes the school's agreed Data Protection Policy. It should then be circulated within the school community. The entire staff must be familiar with the policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on students, staff and others in the school community.
Parents/guardians will be given a copy of the Data Protection Policy as part of the enrolment pack. A copy of the Data Protection Policy will be made available on the school website.
Monitoring the implementation of the policy
The implementation of this policy shall be monitored by the principal/deputy principal and the Board of Management.
At least one annual report will be made available to the Board of Management to confirm that the actions/measures set down in this policy are being implemented.
Reviewing and evaluating the policy
This policy will be reviewed every three years or earlier if deemed appropriate, to ensure it remains comprehensive, up-to-date with current legislation and relevant good practice.
Signed: __________________________
Chairperson
Date: ___________________________
Appendix 1
Sample Data Protection Statement for inclusion on relevant forms when personal information is being requested
The information collected on this form will be held by Kolbe Special School in manual and in electronic format. The information will be processed in accordance with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003.
The purpose of holding this information is ….. (School should insert the relevant information eg. for administration, to facilitate the school in meeting the student’s educational needs etc. ).
Disclosure of any of this information to statutory bodies such as the Department of Education and Science or its agencies will take place only in accordance with legislation or regulatory requirements. Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school wishes to disclose this information to a third party for any other reason.
Parents/Guardians of students and students aged 18 or over have a right to access the personal data held on them by the school and to correct it if necessary.
I consent to the use of the information supplied as described.
Signed Parent/Guardian: _________________________
Signed Student: _________________________
Appendix 2
To be completed in the event of a data breach
Incident Details
Description of the incident
Date and time of the incident
Name of person reporting the incident and to whom it was reported
The type of data involved and the sensitive nature of same
Was the data encrypted?
Details of Information Technology (IT) systems involved
Include any other relevant supporting information deemed appropriate