What happens to information held about you? Your rights and our obligations to you.
How We Use Personal Data
This document explains how St. Mary’s RC school, holds, uses and discloses information about people (their personal data), the steps we take to ensure that it is protected, and also describes the rights individuals have in regard to their personal data handled by the school.
The use and disclosure of personal data is governed by the Data Protection Act 2018 (‘the Act’). St. Mary’s RC school is registered with the Information Commissioner’s Office as a ‘data controller’ for the purposes of the Act. As such St.Mary’s RC Primary is obliged to ensure that it handles all personal data in accordance with the Act.
St. Mary’s RC School takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the school.
Why do we handle personal data?
St. Mary’s RC School processes personal information to enable it to provide a range of public services to local people and businesses which include:
- Maintaining our own accounts and records
- Supporting and managing our employees
- Promoting the services the School provides
- What type/classes of personal data do we handle?
In order to carry out the purposes described under section 1 above St. Mary’s RC School may obtain, use and disclose personal data including the following:
- Personal details
- Family details
- Lifestyle and social circumstances
- Employment and education details
- Student and pupil records
- Case file information
- Physical or mental health details
- Racial or ethnic origin
- Religious or other beliefs of a similar nature
St. Mary’s RC School will only use appropriate personal data necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information e.g. CCTV images.
Who information is processed about
In order to carry out the purposes described under section 1 above St. Mary’s RC School may obtain, use and disclose personal data about the following:
- Staff / persons contracted to provide a service
- Professional advisors and consultants
- Students / pupils
- Individuals with parental responsibility for students / pupils
- Carers or representatives
- People captured by CCTV images
- Representatives of other organisations
Where do we obtain personal data from?
In order to carry out the purposes described under section 1 above St. Mary’s RC School may obtain personal data from a wide variety of sources, including the following:
- HM Revenue and Customs;
- Defence solicitors;
- Voluntary sector organisations;
- Approved organisations and people working with the School;
- Central government, governmental agencies and departments;
- Emergency services;
- Individuals themselves;
- Relatives, guardians or other persons associated with the individual;
- Current, past or prospective employers of the individual;
- Healthcare, social and welfare advisers or practitioners;
- Education, training establishments and examining bodies;
- Business associates and other professional advisors;
- Employees and agents of the School;
- Persons making an enquiry or complaint;
- Medical consultants and GPs
- Local government;
- Voluntary and charitable organisations;
- Ombudsman and regulatory authorities;
- The media;
- Data Processors working on behalf of the School;
- Information openly available on the internet.
St. Mary’s RC School may also obtain personal data from other sources such as its own CCTV systems, or correspondence.
How do we handle personal data?
In order to achieve the purposes described under section 1 St. Mary’s RC School will handle personal data in accordance with the Act. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification. We will strive to ensure that any personal data used by us or on our behalf is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness, is kept as up to date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required.
How do we ensure the security of personal data?
St. Mary’s RC School takes the security of all personal data under our control very seriously. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and integrity monitoring, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
Who do we disclose personal data to?
We sometimes need to share information with the individuals we process information about and other organisations. Where this is necessary we are required to comply with all aspects of the Act. What follows is a description of the types of organisations we may need to share some of the personal information that we process with for one or more reasons:
- Family, associates or representatives of the person whose personal data we are processing
- Healthcare, social and welfare organisations
- Educators and examining bodies
- Local and central government
- Press and the media
- Professional advisers and consultants
- Courts and tribunal
- Trade unions
- Professional bodies
- Survey and research organisations
- Police forces
- Voluntary and charitable organisations
- Students and pupils including their relatives, guardians, carers or representatives
- Data processors
- Regulatory bodies
- Local and central government
- Partner agencies and approved organisations
- Service providers
- Healthcare professionals
- Current past and prospective employers and examining bodies
- Law enforcement and prosecuting authorities
- Legal representatives / defence solicitors
- The disclosure and barring service
It may sometimes be necessary for the School to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Act.
What are your rights in relation to your personal data which is handled by St. Mary’s RC School?
Individuals have various rights under the Act:
Right of access
You can obtain a copy, subject to exemptions, of your personal data held by the School. A copy of the application form is available on the Council’s website.
Under the Act you are also entitled to obtain confirmation as to whether or not data concerning you is being processed by the School. Where that is the case, you are entitled to the following information subject to exemptions:
- The purposes of and legal basis for the processing
- The categories of personal data concerned
- The recipients to whom the personal data has been disclosed
- The period for which it is envisaged that the personal data will be stored
Communication of the personal data undergoing processing and of any available information as to its origin.
- Please note that ‘processing’ means an operation or set of operations performed on personal data such as collection, recording, organisation, structuring, storage, adaption, alteration, erasure, restriction, retrieval.
Proof of ID and any further information needed to locate the information may be required before the School can comply with your request.
Any request for the above information should be made in writing to the Data Protection Officer and the School will respond within one month.
Rectification of data
You can request the School to rectify inaccurate personal data relating to you. If the data is inaccurate because it is incomplete, the School must complete it if required to do so by you.
A request should be made in writing to the Data Protection Officer and a response will be sent within one month.
Erasure or restriction of personal data
You can request that the School erase your data or restrict any processing of your data, subject to exemptions.
All requests should be made to the Data Protection Officer. The School will then inform you of whether the request has been granted and if it has been refused, the reasons for the refusal.
Right not to be subject to automated decision-making
Under the Act you have the right, subject to exemptions, not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on you. You have a right to express your point of view and obtain an explanation from the School of its decision and challenge it.
However, it should be noted that this right does not apply to all decisions as there are exemptions for example authorisation by law, performance of a contract to which you are a party.
How long does St. Mary’s RC School retain personal data?
The School keeps personal data as long as is necessary for the particular purpose or purposes for which it is held in accordance with the School’s Retention Policy.
Any individual with concerns over the way St Mary’s RC Primary School handles their personal data may contact the Data Protection Officer at the Council as below:
Blaenau Gwent County Borough Council,
Legal & Corporate Compliance,
Telephone: 01495 311556
You can also raise concerns with the Information Commissioner for Wales. The Information Commissioner can be contacted at:
Information Commissioner’s Office – Wales