Data Protection

St. Patrick’s N.S., Curtlestown

Data Protection Policy

Table of Contents

Title
Introductory statement
Relationship to characteristic spirit of the school
Goals / objectives
Scope
Definition of Data Protection Terms
Rationale
Other legal obligations
Data Protection Principles
Key Measures
  Personal data
  Staff data
  Student & Parent / Guardian data
  Board of Management data
  Other data
  Ensuring compliance
  Data subject access requests
  Other GDPR considerations
Links to other policies
Implementation arrangements, roles and responsibilities
Ratification & communication
Appendix I – Data Collection Form
Appendix II – Relevant Legislation
Appendix III – Retention Periods
Appendix IV – Audit Template & Data Breach Risk Assessment
Appendix V – Data Subject Access Requests
Appendix VI – Data Breach Template

Data Protection Policy

Title   

Data Protection Policy of St. Patrick’s National School, Curtlestown

Introductory Statement

The school’s Data Protection Policy was formulated by the Board of Management in September and November 2017. Input was also given by the staff at a meeting in January 2018.

The Data Protection Policy of St. Patrick’s N.S. applies to the personal data held by the school which is protected by the Data Protection Acts 1988 and 2003 and the GDPR 2018.

Relationship to characteristic spirit of the school

St. Patrick’s N.S. seeks to enable each student to develop his/her full potential in a caring, safe and secure environment where the talents of each child are valued. St. Patrick’s seeks to promote respect for the diversity of values, beliefs, traditions, languages and ways of life in society. This work can best be done where there is a high level of openness and co-operation between staff, parents and pupils.  

We aim to achieve these goals while respecting the privacy and data protection rights of students, staff, parents/guardians and others who interact with us. The school wishes to achieve these aims/missions while fully respecting individuals’ rights to privacy and rights under the Data Protection Acts.

Goals/Objectives 

  • To ensure that the school complies with the Data Protection Acts.

  • To ensure compliance by the school with the eight rules of data protection as set down by the Data Protection Commissioner based on the Acts (see below).

  • To ensure that the data protection rights of students, staff and other members of the school community are safeguarded.

Scope             

Purpose of the Policy: The Data Protection Acts 1988 and 2003 and the EU Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) apply to the keeping and processing of Personal Data, both in manual and electronic form. The purpose of this policy is to assist the school to meet its statutory obligations, to explain those obligations to school staff, and to inform staff, students and their parents/guardians how their data will be treated.

The policy applies to all school staff, the board of management, parents/guardians, students and others (including prospective or potential students and their parents/guardians, and applicants for staff positions within the school) insofar as the school handles or processes their Personal Data in the course of their dealings with the school.

This policy sets out the manner in which personal data and sensitive personal data will be protected by the school. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation.   

Definition of Data Protection Terms

In order to properly understand the school’s obligations, there are some key terms which should be understood by all relevant school staff:

Data means information in a form that can be processed. It includes both automated data (e.g. electronic data) and manual data.  Automated data means any information on computer, or information recorded with the intention that it be processed by computer. Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it form part of a relevant filing system.

Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily, quickly and easily accessible.

Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller i.e. the school.

Sensitive Personal Data refers to Personal Data regarding a person’s

  • racial or ethnic origin, political opinions or religious or philosophical beliefs
  • membership of a trade union
  • physical or mental health or condition or sexual life
  • commission or alleged commission of any offence or
  • any proceedings for an offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings, criminal convictions or the alleged commission of an offence.

Data Controller is the individual or legal entity which controls the contents and use of personal data. For the purpose of this policy, the Board of Management, St. Patrick’s N.S., Curtlestown is the data controller, with the Principal, Mary Conroy, acting for the Board of Management in exercising the functions involved.

Rationale

In addition to its legal obligations under the broad remit of educational legislation, the school has a legal responsibility to comply with the Data Protection Acts, 1988 and 2003 and with the GDPR.

This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared.  As more and more data is generated electronically and as technological advances enable the easy distribution and retention of this data, the challenge of meeting the school’s legal responsibilities has increased.

The school takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individuals’ personal data. It is also recognised that recording factual information accurately and storing it safely facilitates an evaluation of the information, enabling the principal and board of management to make decisions in respect of the efficient running of the School. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the school and board of management.

This Data Protection policy was formulated because:

  • Schools are obliged to comply with the Data Protection Act, 1988, the Data Protection (Amendment) Act, 2003 and the GDPR (henceforth referred to as the Data Protection Acts)
  • Under Section 9(g) of the Education Act, 1998, the parents of a student, or a student who has reached the age of 18 years, must be given access to records kept by the school relating to the progress of the student in his or her education.
  • Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day.
  • Under Section 28 of the Education (Welfare) Act, 2000, the School may supply Personal Data kept by it to certain prescribed bodies (the Department of Education and Skills, the National Education Welfare Board, the National Council for Special Education, other schools, other centres of education) provided the School is satisfied that it will be used for a “relevant purpose” (which includes recording a person’s educational or training history or monitoring their educational or training progress in order to ascertain how best they may be assisted in availing of educational or training opportunities or in developing their educational potential; or for carrying out research into examinations, participation in education and the general effectiveness of education or training)

Other Legal Obligations

Implementation of this policy takes into account the school’s other legal obligations and responsibilities. Some of these are directly relevant to data protection.

  • Under section 20(5) of the Education (Welfare) Act, 2000, a principal is obliged to notify certain information relating to the child’s attendance in school and other matters relating to the child’s educational progress to the principal of another school to which a student is transferring
  • Under Section 14 of the Education for Persons with Special Educational Needs Act, 2004, the school is required to furnish to the National Council for Special Education (and its employees, which would include Special Educational Needs Organisers (“SENOs”)) such information as the Council may from time to time reasonably request
  • The Freedom of Information Act 1997 provides a qualified right to access to information held by public bodies which does not necessarily have to be “personal data” as with data protection legislation. While schools are not currently subject to freedom of information legislation, if a school has furnished information to a body covered by the Freedom of Information Act (such as the Department of Education and Skills, etc.) these records could be disclosed if a request is made to that body
  • Under Section 26(4) of the Health Act, 1947 a School shall cause all reasonable facilities (including facilities for obtaining names and addresses of pupils attending the school) to be given to a health authority who has served a notice on it of medical inspection, e.g. a dental inspection
  • Under Children First: National Guidance for the Protection and Welfare of Children (2011) published by the Department of Children & Youth Affairs, schools, their boards of management and their staff have responsibilities to report child abuse or neglect to TUSLA – Child and Family Agency (or in the event of an emergency and the unavailability of TUSLA, to An Garda Síochána).

Data Protection Principles

The school is a data controller of personal data relating to its past, present and future staff, students, parents/guardians and other members of the school community. As such, the school is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 and 2003 and the principles of the GDPR, which require that personal data be:

  1. processed lawfully, fairly and in a transparent manner (“lawfulness, fairness and transparency”)
  2. collected for specified, explicit and legitimate purposes (“purpose limitation”)
  3. adequate, relevant and limited to what is necessary (“data minimisation”)
  4. accurate and, where necessary, kept up to date (“accuracy”)
  5. kept for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
  6. processed in a manner that ensures appropriate security of the personal data (“integrity & confidentiality”)

  1. Lawfulness, fairness & transparency

Obtain and process Personal Data lawfully, fairly and in a transparent manner:

Information on students is gathered with the help of parents/guardians and staff. Where relevant, information is also transferred from their previous schools.

Where sensitive data relating to students is collected, this is due to our legal or contractual obligations imposed upon us by the Department of Education. For example, in order to receive capitation grants, sensitive data relating to students is collected and passed onto the Department for the purpose of populating their POD database.

In relation to information the school holds on other individuals (members of staff, individuals applying for positions within the School, parents/guardians of students etc.), the information is gathered for the purpose of running the school and every attempt is made to inform the individual of the same.

In the case of members of staff, the information is compiled during the course of their employment or, in the case of parents / guardians, during contact with the School.

Where sensitive data relating to members of staff is collected, for example Garda Vetting information, this is for the lawful purpose of running the school in line with relevant Health & Safety / Child protection legislation.

Sensitive data is not collected relating to individuals applying for positions within the school nor the parents/guardians of the school.

  2. Purpose limitation

Keep it only for the specified and explicit lawful purposes: The School will inform individuals of the reasons it collects their data and will inform individuals of the uses to which their data will be put. In the case of parents/guardians this is communicated via the relevant data collection forms – see Appendix I. The relevant legislation relating to the collection of data by St. Patrick’s is included in Appendix II.

  3. Data minimisation

Process it only in ways compatible with the purposes for which it was given initially: Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. The data collected will be adequate, relevant and limited to what is necessary for the purposes of the processing, i.e. only the necessary amount of information required to provide an adequate service will be gathered and stored.

  4. Accuracy

Keep Personal Data accurate, complete and up-to-date: Students, parents/guardians, and/or staff shall inform the school of any change which the school shall make to their personal data and/or sensitive personal data to ensure that the individual’s data is accurate, complete and up-to-date. Once informed, the school shall make all necessary changes to the relevant records. The principal may delegate such updates/amendments to another member of staff. However, records must not be altered or destroyed without proper authorisation. If alteration/correction is required, then a note of the fact of such authorisation and the alteration(s) to be made to any original record/documentation shall be dated and signed by the person making that change.

  5. Storage limitation

Retain it no longer than is necessary for the specified purpose or purposes for which it was given: In the case of students, the information will be kept for the duration of the individual’s time in the school (see Appendix III). Thereafter, the school will comply with DES guidelines on the storage of Personal Data and Sensitive Personal Data relating to a student (again see Appendix III).

In the case of members of staff, the school will comply with both DES guidelines and the requirements of the Revenue Commissioners with regard to the retention of records relating to employees. The school may also retain the data relating to a member of staff for a longer length of time for the purposes of complying with relevant provisions of law and/or defending a claim under employment legislation and/or contract and/or civil law.

  6. Integrity & confidentiality

Keep Personal Data safe and secure: Only those with a genuine reason for doing so may gain access to the information. Sensitive Personal Data is securely stored under lock and key in the case of manual records and protected with firewall software and password protection in the case of electronically stored data. Portable devices storing personal data (such as laptops) are encrypted and password protected before they are removed from the school premises. Confidential information is stored securely and only relevant information is shared with relevant individuals. For example, a substitute teacher would not necessarily need access to the history of a child’s psychological / behavioral record and therefore does not have access to the same.  

  7. Accountability

The Controller shall be responsible for, and be able to demonstrate compliance with the above principles.

Key measures

The contents of this policy are organised into sections as follows:

  1. Details of all personal data which will be held, the purpose(s) for collecting the data in each case, the location where it is held and the relevant security provisions in place.
  2. Retention of Data
  3. Details of the arrangements in place to ensure compliance with the principles of the GDPR.
  4. Data subject access rights
  5. Other GDPR considerations (Data transfer)

  1. Personal Data

The school collects personal data relating to the following stakeholders:

  1. Staff records
    • existing & former members of staff and teachers under probation
    • applicants applying for positions within the school and trainee teachers
  2. Student & Parent/Guardian records
  3. Board of Management records
  4. Other records

  1. Staff records:

  Data collected relating to existing & former members of staff and teachers under probation:

  • Name, address and contact details, PPS number
  • Original records of application and appointment to promotion posts
  • Details of approved absences (career breaks, parental leave, study leave etc.)
  • Details of work record (qualifications, classes taught, subjects etc.)
  • Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties
  • Records of any reports the school (or its employees) have made in respect of the staff member to State departments and/or other agencies under mandatory reporting legislation and/or child-safeguarding guidelines (subject to the DES Child Protection Procedures).

  Data collected relating to applicants applying for positions within the school and trainee teachers:

  • Name, address and contact details
  • Original records of application (for applicants only)
  • Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties
  • Records of any reports the school (or its employees) have made in respect of the staff member to State departments and/or other agencies under mandatory reporting legislation and/or child-safeguarding guidelines (subject to the DES Child Protection Procedures).

  • Purposes: Staff records are kept for the purposes of:
    • the management and administration of school business (now and in the future)
    • to facilitate the payment of staff, and calculate other benefits/entitlements (including reckonable service for the purpose of calculation of pension payments, entitlements and/or redundancy payments where relevant)
    • to facilitate pension payments in the future
    • human resources management
    • recording promotions made (documentation relating to promotions applied for) and changes in responsibilities etc.
    • to enable the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment (including complying with its responsibilities under the Safety, Health and Welfare At Work Act, 2005)
    • to enable the school to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies
    • and for compliance with legislation relevant to the school.
  • Location: In a secure, locked filing cabinet in the office, that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access.
  • Security: Hard copy records are kept in a locked filing cabinet in the office. The office is locked outside school hours. In the case of applications relating to data subjects applying for a position within the school, soft copy applications received via email (password protected email account) are hosted by the relevant email provider in the Cloud; access is via the computer in the office, which is also password protected. These applications may also be held on the computer in the office, which is password protected. Such applications are held for a duration of 18 months.
  2. Student & Parent/Guardian records:

  • Information which is sought and recorded at enrolment and is collated and compiled during the course of the student’s time in the school:
    • name, address and contact details, PPS number
    • date and place of birth
    • names and addresses of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access)
    • religious belief
    • racial or ethnic origin
    • membership of the Traveller community, where relevant
    • whether they (or their parents) are medical card holders
    • whether English is the student’s first language and/or whether the student requires English language support
    • any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
  • Records of disciplinary issues/investigations and/or sanctions imposed
  • Other records e.g. records of any serious injuries/accidents etc. Parents are aware that the School records details pertaining to all serious incidents.
  • Records of any reports the school (or its employees) have made in respect of the student to State departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the DES Child Protection Procedures).
  • Attendance records
  • Photographs and recorded images of students (including at school events and noting achievements)
  • Information on previous academic record (including reports, references, assessments and other records from any previous school(s) attended by the student)
  • Psychological, psychiatric and/or medical assessments
  • Academic record – subjects studied, class assignments, examination results as recorded on official School reports
  • Whether the student is exempt from studying Irish
  • Records of significant achievements
  • Transactional data relating to payments received from Parents/Guardians for school activities

  • Purposes: The purposes for keeping student & parent/guardian records are:
    • to enable each student to develop to their full potential
    • to comply with legislative or administrative requirements
    • to ensure that eligible students can benefit from the relevant additional teaching or financial supports
    • to support the provision of religious instruction
    • to enable parents/guardians to be contacted in the case of emergency or in the case of school closure, or to inform parents of their child’s educational progress or to inform parents of school events etc.
    • to meet the educational, social, physical and emotional requirements of the student
    • photographs and recorded images of students are taken to celebrate school achievements, establish a school website, record school events, and to keep a record of the history of the school. Such records are taken and used in accordance with the school’s “Guidance for Taking and Using Images of Pupils in Schools”
    • to ensure that the student meets the school’s admission criteria
    • to ensure that students meet the minimum age requirements for enrolment
    • to ensure that any student seeking an exemption from Irish meets the criteria in order to obtain such an exemption from the authorities
    • to furnish documentation/information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and other Schools etc. in compliance with law and directions issued by government departments
    • to process the payments of school activities

  • Location & Security:

Information is stored according to its purpose.

The format in which these records are kept is described below, e.g. manual record, computer record (database) or both.

The following are classed as confidential and are stored in a locked filing cabinet in the office. The office is locked outside school hours or when unattended:

  • Information which is sought and recorded at enrolment
  • Records of any reports the school (or its employees) have made in respect of the student to State departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the DES Child Protection Procedures).
  • Records of disciplinary issues/investigations and/or sanctions imposed
  • Other records e.g. records of any serious injuries/accidents etc.

The following is stored in a database on the office computer or in the cloud on password protected sites. The office computer is password protected, has firewall software installed and antivirus protection:

  • Attendance records (on the Aladdin Software system) accessible by password.
  • Payments to the school and from whom
  •  data (on the XX software system) accessible by password
  • Photographs and recorded images of students (including at school events and noting achievements) on teaching laptops and the school iPad. These are stored in the locked strong room outside school hours.

The following are stored in manual form in a locked strong room in filing boxes:

  • Attendance records
  • Older/historical photographs and recorded images of students (including at school events and noting achievements)

The following are stored in the staffroom and office, freely available in the event of an accident or a child who has not been collected at home time:

  • names of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access)

The following are also classed as confidential and are stored in a locked filing cabinet in the S.E.N. room:

  • Information on previous academic record (including reports, references, assessments and other records from any previous school(s) attended by the student)
  • Psychological, psychiatric and/or medical assessments
  • Academic record – subjects studied, class assignments, examination results as recorded on official School reports
  • Whether the student is exempt from studying Irish

The following are stored in individual teachers’ desks which are locked outside school hours:

  • Academic record – class assignments, examination results as recorded on official School reports
  • Some information gathered at enrolment: name, address and contact details, date of birth, names and addresses of parents/guardians and their contact details

The following are stored on teaching laptops which are locked in the strong room outside school hours:

  • Records of academic record – class assignments, examination results as recorded on official school reports, Personalised Pupil Plan. These files will be encrypted and passwords shared among staff on a need to know basis.
  • Photographs and recorded images of students (including at school events and noting achievements) on teaching laptops and the school iPad. These are stored in the locked strong room outside school hours.

Records of significant achievements are celebrated and displayed in public areas and in our newsletter.

Employees are required through their contractual obligations to maintain the confidentiality of any data to which they have access. 

  3. Board of Management records:

Data collected relating to the Board of Management:

  • Name, address and contact details of each member of the board of management (including former members of the board of management)
  • Records in relation to appointments to the Board
  • Minutes of Board of Management meetings and correspondence to the Board which may include references to particular individuals.
  • Purposes: To enable the Board of Management to operate in accordance with the Education Act 1998 and other applicable legislation such as The Charities Act 2009 which requires all charities to register with the Charities Regulator, and to maintain a record of board appointments and decisions.
  • Location: In a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access.
  • Security: These records are kept as a manual record i.e. a Board of Management file within a filing system in a locked filing cabinet in the office. The office is locked outside school hours or when unattended.

A computer record is also kept on the Principal’s laptop, which is password protected, has firewall software installed and antivirus protection. All documents relating to the Board of Management are encrypted.

  4. Other data/records:

The school holds other records relating to creditors and donors. These records will be kept as a manual record (personal file within a relevant filing system), a computer record (database), or both.

  1. Creditors

The school may hold some or all of the following information about creditors (some of whom are self-employed individuals):

  • Name
  • Address
  • Contact details
  • PPS number
  • Tax details
  • Bank details
  • Transactional details
  • Purposes: This information is required for routine management and administration of the school’s financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.
  • Location: In a secure, locked filing cabinet in the office, that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access.
  • Security: These records are kept as a manual record (personal file within a relevant filing system), as a computer record (database), or both. The office is locked outside school hours or when unattended. Records are stored on the office computer, which is password protected and has firewall software and antivirus protection installed.

  2. Donors

The school holds the following data (in the form of Charity tax-back forms) in relation to donors who have made charitable donations to the school:

  • Name
  • Address
  • Telephone number
  • PPS number
  • Tax rate
  • Signature
  • Gross amount of donation
  • Purposes: Schools are entitled to avail of the scheme of tax relief for donations of money they receive. To claim the relief, the donor must complete a certificate (CHY2) and forward it to the school to allow it to claim the grossed up amount of tax associated with the donation. The information requested on the appropriate certificate is the parent’s name, address, PPS number, tax rate, telephone number, signature and the gross amount of the donation. This is retained by the School in the case of audit by the Revenue Commissioners. 
  • Location: In a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. 
  • Security: These records are kept as a manual record (personal file within a relevant filing system), as a computer record (database), or both. The office is locked outside school hours or when unattended. Records are stored on the office computer, which is password protected and has firewall software and antivirus protection installed.

In addition to the security measure listed above relating to the personal data of stakeholders, the school also undertakes the following appropriate measures to mitigate against or avoid the unauthorised access to, alteration of and disclosure of the data and its accidental loss or destruction:

  • Access to the information (including authority to add/amend/delete records) is restricted to authorised staff on a “need to know” basis.
  • Only the Principal and the Chairperson of the Board of Management have access to employee personal data.
  • Teaching staff have access to pupil information on a “need to know” basis. The Principal has access to staff sensitive personal information. The Principal and the school secretary have access to pupils’ sensitive personal information.
  • Computer systems are password protected.
  • In order to ensure high levels of data accuracy in clerical and computer procedures, data on new enrolments are inputted by the secretary and checked by the Data Controller. Attendance records are inputted by the Deputy Principal and checked by the Principal.
  • Information on computer screens and manual files is kept out of view of callers to the school/office.
  • Back-up procedures are in operation for computer-held data, in the office and including off-site One Drive back-up.
  • All reasonable measures are taken to ensure that staff are made aware of the security measures, and comply with them, through annual discussion at the first staff meeting of the year and dissemination of this policy.
  • All sensitive or confidential waste papers and printouts are shredded.
  • Hard drives from computers which are no longer in use are overwritten and physically destroyed. Data from computers which are subject to change of use is deleted and overwritten. Mary Conroy is the designated person responsible for security.
  • The Data Protection policy is reviewed every two years and the measures and practices in place are reviewed.
  • There is a monitored alarm system on the premises and a key pad access during school hours.
  •  is that is being transmitted externally will be sent in an encrypted email, with the password being texted to the recipient.
  • Verification documents are sought for enrolment (birth certificate) and for employee recruitment e.g. access to original Garda Vetting, original transcripts of qualifications received, original Teaching Council Certificate.
  • An annual review of contact details takes place to ensure that each data item is kept up to date.
  • Retention of Data

Retention times cannot be rigidly prescribed to cover every possible situation and the school exercises its individual judgement in this regard in relation to each category of records held. However, the following particular requirements are met:

  • School registers and roll books are required to be kept indefinitely within the school.  
  • Pay, taxation and related school personnel service records are retained indefinitely within the school.

Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving school personnel/students or accidents occurring on school property), the relevant records are retained until the possibility of litigation ceases. The school will not destroy records likely to be relevant in litigation at least until the six year limitation period has expired.

Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday, or later if the date of knowledge postdates their 18th birthday.

Information on student files will be retained for a period of six years after the student has completed the Senior Cycle and/or reached the age of 18.

  • Ensuring Compliance

To ensure compliance with the above, we carry out audits on a yearly basis to review the data collected, the purpose of its collection, and its storage. The relevant data collection forms are also reviewed annually. An example of the School’s audit template is included in Appendix IV.

In addition, staff training is also carried out as necessary to ensure their understanding of our policies. Practical examples of potential data breaches are also included during training.

The School has a process for dealing with Subject Access Rights. Requests must be made in writing (see sample form in Appendix V), be accompanied by sufficient photographic identification to verify the identity of the Data Subject, and give the School any relevant details which might be needed to help identify him/her and locate all the information the School may keep about him/her. The School Principal, Mary Conroy, is responsible for handling access requests. The relevant records will be retrieved by the School Principal; photocopies are made of any original documents and are given to the Data Subject (data portability). The School will also ensure that the Data Subject knows:

  • the purpose/s for processing his/her data
  • the identity of those to whom the data is disclosed
  • the source of the data, unless it is contrary to public interest
  • the logic involved in any automated decisions
  • a copy of any data held in the form of opinions, except where such opinions were given in confidence.

Students aged 18 and over are entitled to access their personal information in accordance with the Data Protection Acts.

Students under 18 years of age can be given access to their personal information, depending on the age of the student and the nature of the record i.e. it is suggested that:

  • if the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access

  • if the record is of a sensitive nature, it would be prudent to seek parental/guardian consent

  • if a student has some disability or medical condition that would impair his or her ability to understand the information, or if disclosure would be likely to be harmful to the individual concerned, parental/guardian consent should be sought.

The Data Subject may request the erasure of any documents where the lawful basis for holding them is Consent or Legitimate Interest. In the case of any data held lawfully under any other basis, the School will seek appropriate advice before permanently erasing any data.

In addition, Data Subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If a school has disclosed personal data to third parties, it will inform them of the rectification where possible. It will also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

The school will rectify or erase any inaccurate information as identified by the individual on whom the data is kept, within 40 days of the request being made on the production of appropriate documentation to support the same.

Exceptions to note:

The School notes that data protection regulations prohibit the supply of:

  • health data to a patient in response to a request for access if that would cause serious harm to his or her physical or mental health. The regulations also provide that such data is to be communicated only by, or after consultation with, an appropriate “health professional”, normally the patient’s own doctor
  • personal data obtained in the course of carrying on social work if that would cause serious harm to the health or emotional condition of the data subject concerned. The regulations apply to social work carried on by Ministers, local authorities, the HSE or any other such bodies receiving financial assistance from public funds
  • Other GDPR considerations (Data transfer, DPIAs)

Data Transfer

St. Patrick’s N.S. is cognisant of the regulations regarding transferring data outside the EU area and will not transfer data without the prior written consent of the data subject, for example to facilitate a student moving to a new school outside of Europe, unless there is another lawful basis for transferring data.

Data breaches

While the School has taken all reasonable and appropriate measures to avoid the occurrence of a data breach, the Board of Management recognises that breaches can occur through misappropriation; loss or theft of data or equipment; unauthorised individuals gaining access; a deliberate attack on systems; equipment failure; human error; or malicious acts such as hacking, viruses or deception.

Where a data breach is likely to result in a risk for the rights and freedoms of individuals, the School will notify the Office of the Data Protection Commissioner within 72 hours of first having become aware of the breach. The School will also notify the relevant data subject “without undue delay” after first becoming aware of a data breach. In addition, the School will document any data breaches, comprising the facts relating to the personal data breach.

A copy of the School’s data breach template is in Appendix VI.

The school also completes a Data Breach Risk Assessment (Appendix IV) which is reviewed on an annual basis.

Data Protection Impact Assessments (DPIA)

It is not envisaged that the school will undertake any new projects which would warrant carrying out a DPIA.

Links to other policies and to curriculum delivery

Our school policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place or being developed or reviewed, shall be examined with reference to the data protection policy and any implications which it has for them shall be addressed.

The following policies are among those considered:

  • Child Protection Policy
  • Anti-Bullying Policy
  • Code of Behaviour
  • Mobile Phone Code
  • Admissions/Enrolment Policy
  • CCTV Policy
  • Substance Use Policy
  • ICT Acceptable Usage Policy
  • SPHE/CSPE etc.

Providing information over the phone

In our school, any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the school over the phone. In particular the employee should:

  • Check the identity of the caller to ensure that information is only given to a person who is entitled to that information
  • Suggest that the caller put their request in writing if the employee is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified
  • Refer the request to the principal for assistance in difficult situations. No employee should feel forced into disclosing personal information.

Implementation arrangements, roles and responsibilities 

In our school the board of management is the data controller, and the principal will be assigned the role of co-ordinating implementation of this Data Protection Policy and of ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities.

The following personnel have responsibility for implementing the Data Protection Policy:

Name                            Responsibility

Board of management:            Data Controller

Principal:                      Implementation of Policy and ensuring that staff who handle or have access to personal data are familiarised with their data protection responsibilities

Teaching personnel:             Awareness of responsibilities

Administrative personnel:       Security, confidentiality

IT personnel:                   Security, encryption, confidentiality

Ratification & communication

The Data Protection Policy has been ratified by the Board of Management and so becomes the school’s agreed Data Protection Policy. It should then be dated and circulated within the school community. The entire staff must be familiar with the Data Protection Policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on students, staff and others in the school community.


Parents/guardians and students should be informed of the Data Protection Policy from the time of enrolment of the student e.g. by including the Data Protection Policy as part of the Enrolment Pack, by either enclosing it or incorporating it as an appendix to the enrolment form.

Implementation Date

This policy will be implemented from 12th June 2018.


Monitoring the implementation of the policy

The implementation of the policy shall be monitored by the principal and a sub-committee of the board of management.

An annual report will be issued to the Board of Management at the first board meeting of each year to confirm that the actions/measures set down under the policy are being implemented.

Reviewing and evaluating the policy

The policy will be reviewed and evaluated every two years (and as necessary) by the Board and staff, using the Compliance Checklist issued by the Office of the Data Protection Commissioner. On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or the NEWB), legislation and feedback from parents/guardians, students, school staff and others. The policy will be revised as necessary in the light of such review and evaluation and within the framework of school planning.

Some indicators which will be used to gauge the impact and effectiveness of the policy include:

  • Students, staff and parents/guardians are aware of the policy 
  • Requests for access to personal data are dealt with effectively
  • Personal data records are accurate
  • Personal data records are held securely
  • Personal data records are retained only for as long as necessary

Signed: Margaret O’Grady.

            For and on behalf of board of management

Date: 18th June 2019