Data Privacy Summary

Document Purpose

The purpose of this document is to provide an explanation of data privacy terms and considerations in the context of the Groupcall Data Sharing Agreement (DSA) and Security documents. This document is for guidance only. Any member of staff with a responsibility for data in your school should familiarise themselves with the latest information on the Information Commissioner’s Office website and participate in relevant courses such as the Data Protection Act (DPA).

The Data Protection Act

The 8 core Data Protection Act principles are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Data means information which –

    A. is being processed by means of equipment operating automatically in response to instructions given for that purpose,
    B. is recorded with the intention that it should be processed by means of such equipment,
    C. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
    D. does not fall within paragraph A, B or C but forms part of an accessible record as defined by section 68 of the Data Protection Act, or
    E. is recorded information held by a public authority and does not fall within any of paragraphs A to D.

Paragraphs A and B make it clear that information that is held on computer, or is intended to be held on computer, is data. So data is also information recorded on paper if you intend to put it on computer.


Personal data means data which relates to a living individual who can be identified –

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.


The Data Controller is a person who (either alone, or jointly, or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.


The Data Processor is any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller.

The Data Processor and the Data Controller must agree to –

  • what data is extracted;
  • the frequency and schedule of data extraction;
  • where the data is extracted to;
  • and what the data will be used for.

Privacy Policy

This forms part of the application process to use relevant Groupcall Products.  The Head Teacher or an authorised member of staff will agree to have read and understood the terms and conditions outlined below:


There are additional product specific terms and conditions detailed in each product's Data Sharing Agreement.

Data Protection Impact Levels

With all Government and public sector systems there is a need to make sure that information stored in them is appropriately protected.  ‘Appropriate’ could range from:

  • open to the public;
  • to patient records;
  • right through to highly secret national security information.

So there needs to be a process to assess what is required in each case.  When you think about risks to a system, it makes sense to think about the “What if” should the system be compromised.  The impact that it would have on the school is a logical place to start.  If you group that into levels, you get Business Impact Levels.  They are currently defined from 0 (no impact) to 6 (severe impact).

An Impact Level (IL) comes from consideration of 3 potential compromise areas:

  • Confidentiality – the potential impact if the information is seen by those who should not see it;
  • Integrity – the potential impact if the accuracy or completeness of the information is compromised;
  • Availability – the potential impact if the information becomes inaccessible.

It is very unlikely that a school will be responsible for datasets with a BIL (or IL) value of greater than 4.

The following table defines the Impact Levels most likely to require managing by schools and includes some examples:

Level Type Impact

Not sensitive

Personally identifiable, or aggregated beyond 1,000 records
  • Class list of names
Limited impact but caution must be taken at all times.


  • Class list of names and DoB
  • Attendance, Assessment information for a single or multiple students
The vast majority of data should be classified at IL2-Protect, or lower. Likely to cause embarrassment to an individual, or organisation.


  • Free School Meals
  • Special Needs record
Most of the information in a school’s MIS is likely to fall into this category. Likely to cause loss of reputation to an individual, or organisation.
IL4 Additional detail to Special Needs, or Child in Care Likely to cause loss of reputation to an individual, or organisation.