The aim of the James Marks Academy Trust is to ensure that all personal data collected about staff, pupils, parents, governors, visitors and other individuals is stored and processed in accordance with the General Data Protection Regulation (GDPR) and the provisions set out in the Data Protection Act 2018 (DPA 2018).

We know that complete GDPR compliance can only be achieved through a collaborative and transparent approach and we also want to ensure that this is comprehensive and complete.

In particular we have:

• Identified a Data Protection Officer
• Completed the data mapping and Data Asset Register
• Embedded data privacy into all our processes
• Assessed information security risk
• Identified third party risk and our data partners
• Responded to data subject access requests (DSARs)
• Implemented data privacy breach procedures
• On-going monitoring

Below are the policies related to GDPR:

The James Marks Academy Trust will ensure that all processing of data complies with the six processing conditions in the GDPR:

• Compliance with a legal obligation
• Performance of a contract
• Legitimate interest
• Public interest
• Vital interest
• Consent

Consent

The Data Protection policy and Privacy notices outline processes undertaken by the Trust as to how data about an individual is used and who it will be shared with.

GDPR Governance and Data Protection Officer
Data privacy is discussed regularly at the Standards and GDPR Committee and regularly reviewed by senior leaders within schools.

To avoid any conflict of interest, James Marks Academy Trust buys into the School DPO Service and Carole Connelly is the named registered Data Protection Officer (DPO) with the ICO.

The CFO has passed the IBITGQ accredited Foundation and Data Protection Practitioner (DPP) course and registered with GASQ under the successful candidate register. The CFO will support teams across the school embedding data privacy into operations whilst also monitoring activity on an ongoing basis.

Trustees from the Standards and GDPR committee will oversee this work and act as a critical friend. There will be regular training for all staff from the School DPO Service to ensure a deeper level of understanding, allowing staff to identify risks and stop them from happening.

Data Mapping and Data Asset Register
Data mapping and Data asset registering are continuously revised and revisited. Data mapping ensures we know what data we have, where it is held, how we access it, the classification of the data, records for transfer and flow charts to show how it moves between systems and processes.

The Data Asset Register captures all data processing, aiding transparency and supporting the tight controls which are required to ensure compliance.

Embedding Data Privacy into day to day life of the school – Training and Awareness
All our staff are trained during insets and staff meetings to ensure our team members do the right thing, specifically that they:

• know what we can do with data, and if unsure, who to ask
• are clear about how data is used
• protect the data we hold/process
• understand the need to comply with GDPR, individually and as a team

Information Security Risk
We have robust systems in place to manage our school network. This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data and restricted access to personal data, protection of our physical premises and hard assets and maintaining security measures for our staff.

Third Party Risk and our Data Partners
Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure.

Responding to data subject access requests (DSARs)
DSARs from parents in respect of their child, where a pupil does not have sufficient maturity to understand their rights, should be processed as requests made on behalf of the data subject (the pupil), subject to any court orders which may be in place. Where the school considers the pupil to be mature enough (usually over the age of 12) to understand their rights to request their data following receipt of a request from a parent, the school should ask the pupil for their consent to disclose the personal data (subject to any enactment or guidance which permits the school to disclose the personal data to a parent without the young person’s consent).  If consent is not given to disclose, the school should not disclose the personal data as to do so would breach the data protection principles. 

DSAR will be responded to within 30 days of receipt Subject Access Request (SAR) Form with proof of identity. There is normally no charge for DSARs.

Breach Management
The breach management plan is regularly reviewed to reflect changes to the regulation or other changes.

Should individuals become aware of a breach, they must contact the DPP and DPO without undue delay. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours of becoming aware of the incident. 
 
Ongoing Monitoring
Internally, we conduct audits and ad-hoc walk-throughs to make sure we are doing the right thing.  An action plan is in place to ensure we continue to address any outstanding compliance requirements. 

For any data protection enquiries, please contact: mandy.crow@romanfields.herts.sch.uk

DPO contact: carole@schooldposervice.com.