Quick Links

Quick Links

St Edward's College

  • Instagram Instagram
  • Twitter Twitter
  • Facebook Facebook
  • SearchSearch Site
  • Translate Translate Page

GDPR

GENERAL DATA PROTECTION REGULATIONS (GDPR) SUMMARY

Statement of intent

St Edward’s College has an ongoing commitment to ensure that we attain GDPR compliance and introduce procedures to safeguard that compliance.  St Edward’s College, in line with the requirements of GDPR, has appointed a Data Protection Officer who is not part of the school: Chris Walsh, Liverpool City Council.  The Data Protection Officer will take responsibility for data protection compliance and has the knowledge, support and authority to carry out this role effectively.  The GDPR is a piece of EU-wide legislation which determines how people’s personal data is processed and kept safe.

‘Personal data’ means information that can identify a living individual. 

Main principles

•    The GDPR sets out the key principles that all personal data must be processed in line with. Data must be: processed lawfully, fairly and transparently; collected for specific, explicit and legitimate purposes; limited to what is necessary for the purposes for which it is processed; accurate and kept up to date; held securely; only retained for as long as is necessary for the reasons it was collected

There are also stronger rights for individuals regarding their own data.

•    The individual’s rights include: to be informed about how their data is used, to have access to their data, to rectify incorrect information, to have their data erased, to restrict how their data is used, to move their data from one organisation to another, and to object to their data being used at all

New requirements

The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are: 

•    Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law 
•    Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data
•    Schools will only have a month to comply with subject access requests, and in most cases can’t charge 
•    Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
•    There are new, special protections for children’s data
•    The Information Commissioner’s Office must be notified within 72 hours of a data breach
•    Organisations will have to demonstrate how they comply with the new law
•    Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils

Any requests regarding GDPR to be emailed to data@st-edwards.co.uk or in writing c/o Administration Manager at St Edward’s College, Sandfield Park, Liverpool, L12 1LF.  

Please view the following policies:

 

GDPR Data Protection Policy

GDPR Privacy Notice for Pupils and Families

GDPR Privacy Notice for College Workforce

GDPR Photography and Video Policy

GDPR Compliant Records Management

GDPR Data Breach Procedure

GDPR Clear Desk Policy