The General Data Protection Regulation (GDPR)
What is the GDPR?
The GDPR is a piece of EU-wide legislation which will determine how people's personal data is processed and kept safe, and the legal rights individuals have in relation to their own data. It applies to organisations that process or handle personal data, including schools. Its implementation date is 25 May 2018.
It is similar to the Data Protection Act (DPA) (1998) in many ways. Most of the differences involve the GDPR building on or strengthening the principals of the DPA.
It has been confirmed that the UK will be implementing the GDPR despite its intention to leave the EU.
Information Commissioner's Office (ICO)
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. If you click here you can visit the ICO's GDPR website to read in depth information about all aspects of GDPR.
There is a range of terminology that is used to refer to aspects of GDPR that we must get used to using. Below is an overview with definitions to provide clarity over what is meant by certain types of data and the different roles involved in the handling of data.
- Personal data - The GDPR only applies to organisations' use of personal data. This is any information relating to an "identified, or identifiable, living indiuvidual" - as set out in the Data Protection Act 2018. This may include information such as the person's:
- Contact details
- Identification number
- Online identifier, such as a username
- Special categories of personal data - personal data which is more sensitive and so needs more protection. It includes information about a person's:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic information
- Biometrics (such as fingerprints, retina and iris patterns), where used for identification purposes
- Health – physical or mental
- Sex life or sexual orientation
- Data subject - the person whose personal data is held or processed (eg all pupils and staff are data subjects)
- Data controller - a person or organisation who determines how and why personal data is used (Horizons Specialist Academy Trust is a data controller)
- Data processor - an external person or organisation, who is not employed by the Trust, who processes the personal data on our behalf (eg payroll provider)
- Processing - anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.
- Data Protection Officer - an appointed person who takes responsibility for monitoring data protection compliance.
Horizons Specialist Academy Trust are working to ensure GDPR compliance and one of the most important pieces of work is to update our Privacy Notices - for parents/carers, pupils and staff. The ICO is very clear in terms of what must be contained in the Privacy Notices, ie
- What personal data we hold
- Why we use the data
- Our legal basis for using the data
- How we collect the information
- How the information is stored
- Who we share the data with
- Data subjects right
- How to make a complaint
- How to contact the Data Protection Officer
Please follow the link to the Trust's Privacy Notices.
The GDPR has resulted in updates to Trust policies and procedures. While some policies have need small updates, others had required re-writes.
Please follow the link to the Trust's GDPR compliant policies.
Data Protection Act 2018
The Data Protection Act 2018, which updates data protection laws in the UK and supplements the GDPR, received Royal Assent on 23 May 2018 and is now an Act of Parliament. Any subsequent amendments to Trust policies resulting from this will be actioned accordingly.