In this Policy, the term “Data Subjects” encompasses students, members of staff, volunteers, trustees and supporters, whether past, current or prospective. The DPA applies equally to current records and those archived as part of our Document Retention Policy.
TLG is registered with the Information Commissioner as a Data Controller and as a Data Processor (i.e. an organisation which processes data on behalf of others). All individuals about whom we hold data (data subjects) have the right to access those data including details regarding why that data is held, any recipients to whom the data is likely to be disclosed, the source of the data, and the logic involved in any solely automatic decision taking that may significantly affect him/her and the right to seek compensation from TLG should they suffer damage or distress because of inaccurate data.
As part of its operation, TLG is required to process relevant personal data regarding students, their parents and guardians, staff, trustees and supporters in which it shall take all reasonable steps to do so in accordance with this policy. Consent may be required for the processing of personal data unless that processing is necessary for TLG to undertake its obligations to the Data Subjects. ‘Personal Data’ that are not otherwise exempt, will remain confidential and will be disclosed to third parties only with the consent of the appropriate individual or under the terms of this policy.
The Act and its implications
It is important to be aware that individual employees (or agents) of TLG may be criminally liable under the Act where there is a breach of the Data Protection Principles. For this reason, it is essential that TLG's Data Protection Officer be kept informed of any registered processing you stop doing and/or any processing you start or plan to do
You are obliged to comply with this request - it is not optional. TLG is legally required to keep its Data Protection registration correct. If you are unsure about what is/isn’t registered, please ask.
As a data controller TLG does not have to supply this information unless it is specifically requested and the data subject has paid a fee of £10. The information must then be supplied within 40 days.
A different scale of charges applies in the case of education records, up to a maximum of £50, depending on the number of pages. Records must be supplied within 15 days.
This is data relating to a living individual who can be identified from the data, including CCTV images. Data may be held across several databases or operating sites which, when all put together enables the individual to be identified. It includes not only proven facts but also opinions about an individual and any indications of the intentions of the data controller or any other person towards that individual. N.B. there is a specific exemption for confidential references.
Sensitive Personal Data includes medical information and data relating to religion, race or criminal records and proceedings. From time to time, TLG may be required to process sensitive personal data regarding a Data Subject, for which processing the explicit consent of the appropriate individual will generally be required in writing.
The Act creates new additional restrictions relating to the processing of sensitive personal data. Such data is defined to include the following about an individual:
- their racial or ethnic origins
- their political views
- their religious or similar beliefs
- whether or not they are trade union members
- their physical or mental health
- their sex life
- whether they have committed any offence or have been subject to any such allegation, together with details of any proceedings or sentence arising from that offence or allegation.
This Sensitive Personal Data carries additional protection over and above the eight basic principles previously mentioned. In addition at least one of a number of other conditions must be satisfied.
Those most likely to be relevant include:
- the data subject has given his specific consent to the processingthe processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law in connection with employment
- the processing is necessary in order to protect the vital interests of the data subject or another person in a case where consent cannot be given by the data subject or other person
- the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject
- the processing is necessary in connection with any legal proceedings or to obtain legal advice
- the processing is necessary for the administration of justice.
- If the processing relates to data on racial or ethnic origins it is necessary to monitor equality of opportunity or with a view to such equality being promoted or maintained and is carried out with appropriate safeguards for the rights and freedoms of employees.
The rights under the Data Protection Act are the individual’s to whom the data relates. TLG will however in most cases rely on parental consent to process data relating to students unless, given the nature of the processing in question, and the student’s age and understanding, it is unreasonable in all the circumstances to rely on the parent’s consent. Parents should be aware that in such situations they may not be consulted.
TLG will only grant the student direct access to their personal data if in TLG's reasonable belief the student understands the nature of the request.
Students agree that TLG may disclose their personal data to their parents or guardian.
Where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or guardian, TLG will maintain confidentiality unless it has reasonable grounds to believe that the student does not fully understand the consequences of withholding their consent, or where TLG believes disclosure will be in the best interests of the student or other students.
Separately from the Data Protection Act, regulations provide a pupil’s parent (regardless of the age of the pupil) with the right to view, or to have a copy of, their child’s educational record at the school. If they wish to exercise this right parents should write to the school.
Disclosure of personal information
Requests for information from within TLG
When a TLG employee requests personal data about another individual, such information should only be released if it is clear that the member of staff requires that information in order to perform his/her official duties. In the case of any doubt the request should be referred to the Head of Department.
Requests for information from outside TLG
When members of staff receive enquiries as to whether a named person is a student or a member of staff of TLG, the enquirer should be asked why the information is required. If the reason is not one that would justify disclosure without consent (see below), the member of staff should decline to comment one way or the other. Please remember that merely confirming that an individual is a member of TLG may constitute an unauthorised disclosure.
TLG will, from time to time, make use of personal data relating to students, their parents or guardians in the following ways. Should you wish to limit or object to any such use please notify the DPC in writing.
- Use of photographic images of students in TLG publications and on the TLG website: TLG will not publish photographs of individual students with their names on the TLG website without the express agreement of the appropriate individual.
- Fundraising, marketing and/or promotional purposes and to maintain relationships with students of TLG, including transferring information to any association society or club set up for the purpose of establishing or maintaining contact with former students or for fundraising, marketing or promotional purposes.
Under normal circumstances information should not be provided in response to a telephone request as individuals may use deception to gain access to information to which they are not entitled.
Bodies/individuals that request personal data should be asked to provide a written or faxed request and/or provide documentary evidence to support their request, e.g. many police forces have a specific procedure that officers must follow to obtain official documentation stating that the information is required in support of an ongoing investigation. The absence of such documentation or a warrant may justify refusal to disclose the requested personal data.
Ideally, the request for the disclosure of the details to the third party should either come from the Data Subject directly, or a statement should accompany the request from the third party from the Data Subject consenting to the disclosure.
Action when disclosure is refused
If the subject matter of the enquiry is evidently of importance to the Data Subject, they should be informed of the enquiry. This will allow the Data Subject to contact the enquirer should they so wish.
As an alternative to divulging personal data, TLG may be willing to accept a sealed envelope which it will attempt to forward to the student or staff member's last-recorded address or to forward an incoming email message.
Where the matter is urgent, an attempt should be made to contact the individual by telephone or other means in order to put him/her in touch with the enquirer.
N.B. Forwarding such information should be done conditionally i.e. 'if the person is a student/staff member' to avoid confirming their presence or absence at the institution.
TLG will endeavour to ensure that all personal data held in relation to an individual is accurate. Individuals must notify the DPC of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected.
TLG will take reasonable steps to ensure that members of staff will only have access to personal data relating to students, their parents or guardians where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the Data Protection Act. TLG will ensure that all personal information is held securely and is not accessible to unauthorised persons.
If an individual believes that TLG has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, they should utilise the TLG complaints procedure and should also notify TLG’s DPC.
Certain data is exempted from the provisions of the Data Protection Act, with such disclosures permitted under the Data Protection Act 1998, provided one or more of the following criteria are met:
- (*)For the purpose of safeguarding national security
- (*)For the purpose of preventing or detecting crime including the apprehension or prosecution of offenders
- (*)For the assessment or collection of tax or duty
- (*) To discharge regulatory functions, including securing the health, safety and welfare of persons at work
- For the purpose of preventing serious harm to a third party if the data were not disclosed
- For the purpose of protecting the vital interests of the individual i.e. release of medical data without which the individual could suffer harm
- (*)Requests relating to disclosures of this nature (including enquiries from the police) should be supported by the appropriate paperwork and referred to the appropriate Data Protection authority - see Sources of Advice.
In summary, TLG will:
- Treat all personal data with care
- Ensure consent has been provided, unless consent is not required
- If in doubt, will not disclose; and always ask for advice
- Not provide information over the telephone
- Ask that requests for information are submitted in writing/by fax/by email
- Keep notes of what has been disclosed, when and to whom
- Treat wilful disclosure of personal information as potential gross misconduct
Sources of Advice
Data Protection Controller Paul Chenery 01274 900 387 email@example.com
Appendix A: Fair Processing Statement for Parents
Data protection act
Schools, Local Authorities (LAs), the Department for Education and Skills (DfE), the government department which deals with education, the Qualifications and Curriculum Authority (QCA), Ofsted and the Learning and Skills Council (LSC) all process information on pupils in order to run the education system and in doing so have to comply with the Data Protection Act 1998. This means, among other things, that
the data held about pupils must only be used for specific purposes allowed by law. This document tells you about the types of data held, why that data is held, and to whom it may be passed on.
TLG holds information on students in order to support their teaching and learning, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the school as a whole is doing. This information includes contact details, national curriculum assessment results, attendance information, characteristics such as ethnic group, special educational needs and any relevant medical information.
From time to time schools are required to pass on some of this data to LAs, the DfE and to agencies that are prescribed by law, such as QCA, Ofsted, and LSC.
The Local Authority uses information about children for whom it provides services to carry out specific functions for which it is responsible, such as the assessment of any special educational needs the child may have. It also uses the information to derive statistics to inform decisions on (for example) the funding of schools, and to assess the performance of schools and set targets for them. The statistics are used in such a way that individual children cannot be identified from them.
LAs have a duty under the Children Act 2004 to cooperate with their partners in health and youth justice to improve the well-being of children in their areas. As part of this duty they will be required to maintain the accuracy of the information held on the Information Sharing (IS) Index about children and young people in their area.
The Qualifications and Curriculum Authority uses information about pupils to administer national curriculum assessments throughout Key Stages 1 to 3. This includes both assessments required by statute and those that are optional. The results of these are passed on to DfE to compile statistics on trends and patterns in levels of achievement. The QCA uses the information to evaluate the effectiveness of the national curriculum and the associated assessment arrangements, and to ensure that these are continually improved.
Ofsted uses information about the progress and performance of pupils to help inspectors evaluate the work of schools, to assist schools in their self-evaluation, and as part of Ofsted’s assessment of the effectiveness of education initiatives and policy. Inspection reports do not identify individual pupils.
The Learning and Skills Council uses information about pupils for statistical purposes, to evaluate and develop education policy and to monitor the performance of the education service as a whole. The statistics (including those based on information provided by the QCA) are used in such a way that individual pupils cannot be identified from them. On occasion information may be shared with other Government departments or agencies strictly for statistical or research purposes only. The LSC or its partners may wish to contact learners from time to time about courses, or learning opportunities relevant to them.
The Department for Education uses information about pupils for research and statistical purposes, to inform, influence and improve education policy and to monitor the performance of the education service as a whole.
The DfE will feed back to LAs and schools information about their pupils for a variety of purposes that will include data checking exercises, use in self-evaluation analyses and where information is missing because it was not passed on by a former school.
The Children Act 2004 provides for the Secretary of State to issue Regulations requiring the “governing body of a maintained school in England” to disclose information for inclusion on the Information Sharing (IS) Index.
The purposes of the index are to:
- Help practitioners working with children quickly identify a child with whom they have contact.
- Determine whether that child is getting the universal services (education, primary health care) to which he or she is entitled.
- Enable earlier identification of needs and earlier, more effective action to address these needs by providing a tool to help practitioners identify which other practitioners are involved with a particular child.
- Encourage better communication and closer working between practitioners.
- The index will hold for each child or young person in England:
- Basic identifying information: name, address, gender, date of birth and a unique identifying number, based on the existing Unique Identifying Number/National Insurance Number.
- Basic identifying information about the child’s parent or carer.
- Contact details for services involved with the child: as a minimum school and GP Practice but also other services where appropriate.
The facility for practitioners to indicate to others that they have information to share, are taking action or have undertaken a common assessment in relation to a child.
The index will NOT record statements of a child’s needs, academic performance, attendance or clinical observations about a child.
All practitioners and system support staff (in LAs who will be responsible for maintaining the data) will have to have relevant training and to have undergone rigorous checks and appropriate security clearance procedures. To ensure high standards of accuracy, information on the IS Index will be drawn from a number of sources including the termly School Census from which, from January 2007, pupils’ home address will be collected.
The DfE will also provide Ofsted with pupil data for use in school inspection. Where relevant, pupil information may also be shared with post 16 learning institutions to minimise the administrative burden on application for a course and to aid the preparation of learning plans.
Pupil information may be matched with other data sources that the Department holds in order to model and monitor pupils’ educational progression; and to provide comprehensive information back to LAs and learning institutions to support their day to day business. The DfE may also use contact details from these sources to obtain samples for statistical surveys: these surveys may be carried out by research agencies working under contract to the Department and participation in such surveys is usually voluntary. The Department may also match data from these sources to data obtained from statistical surveys.
Pupil data may also be shared with other Government Departments and Agencies (including the Office for National Statistics) for statistical or research purposes only. In all these cases the matching will require that individualised data is used in the processing operation, but that data will not be processed in such a way that it supports measures or decisions relating to particular individuals or identifies individuals in any results. This data sharing will be approved and controlled by the Department’s Chief Statistician.
The DfE may also disclose individual pupil information to independent researchers into the educational achievements of pupils who have a legitimate need for it for their research, but each case will be determined on its merits and subject to the approval of the Department’s Chief Statistician.
Appendix B: Use of personal data regarding supporters of TLG
When a supporter signs up (through whatever means be it online, over the phone or in writing) to receive further information from TLG or makes a donation, TLG may keep personal data of our supporters which could include:
- Your name and address
- Your contact information (email address, landline and mobile telephone number)
- Your date of birth
- Our contact history with you (where we met you, any contact we have made with you)
- Financial information (if you have given a one-off donation or regular donations to TLG, either currently or in the past)
This information may be kept and used for the following reasons:
- To keep you updated with our work
- To contact you for fundraising and/or marketing purposes
- To ensure our records are accurate regarding any communication we have had with you since you joined our database
- To set up and manage any donations you may give during your time as a TLG supporter
TLG keeps this information in a secure database and will never sell your information to a third party.
TLG also keeps a record of your communication preferences. We want to make sure you receive information that is appropriate to you and at your discretion.
TLG is also a member of the Fundraising Standards Board (FRSB) self-regulatory scheme. As members of this scheme, we follow the Institute of Fundraising’s Code of Fundraising Practice and comply with the key principles embodied in the Code. This includes the following promises:
- We respect the rights, dignities and privacy of our supporters and beneficiaries
- If you tell us that you don’t want us to contact you in a particular way we will not do so
- We take care not to cause unreasonable nuisance or disruption
- We comply with the law including those that apply to data protection
- If you are unhappy with anything we’ve done whilst fundraising, you can contact us to make a complaint
At any point you may wish to change the way that TLG contacts you. If for any reason you wish to amend your communication preferences, please contact us by calling 01274 900377 or emailing firstname.lastname@example.org.
It is your right to request to see the personal information that we hold about you. If you would like this information supplied, please write a cheque of £10 payable to TLG The Education Charity and send to the Data Protection Officer, TLG, Hope Park, Bradford, BD5 8HH. We will respond to your request within 40 days.