General Data Protection Regulations (GDRP) Policy

Enhance Learning and Support

The GDPR came into force on 25th May 2018; this regulation replaced the Data Protection Act 1998.

Enhance learning and Support has changed their policy in line with the new elements and significant replacements to ensure we are in line with GPDR requirements.

Our aim is to ensure that all personal data collected by customers, staff and other agencies is collected, stored and processed in accordance with the GDPR. This policy applies to all personal data collected either by electronic or paper format.

The GDPR is based on data protection principles that Enhance Learning and Support must comply with.

The principles require that all personal data shall be:

(1) processed lawfully, fairly and in a transparent manner

(2) used for specified, explicit and legitimate purposes

(3) used in a way that is adequate, relevant and limited to what is necessary

(4) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, are erased or rectified without delay

(5) kept no longer than is necessary

(6) processed in a manner that ensures it is safe and secure, ensuring that measures against unauthorised or unlawful processing and against accidental loss, destruction or damage are in place.

Collecting personal data

Enhance Learning and Support shall only process personal data where it has one of 5 ‘lawful bases’ (legal reasons) available to do so under data protection law:

• The data needs to be processed so that Enhance Learning and Support can fulfil a contract with the individual

• The data needs to be processed so that Enhance Learning and Support can comply with a legal obligation

• The data needs to be processed to ensure the vital interests of the individual e.g. to protect someone’s life

• The individual (or their parent/carer when appropriate in the case of a patient) has freely given clear consent

We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data. If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary.

Sharing personal data

We will not normally share personal data with anyone else except, if consent is gained to signpost and make appropriate referrals to other agencies.

GDPR and the DPA 2018 also allow information to be shared where:

• There is an issue with a customer, patient or parent/carer that puts the safety of our staff at risk

• We need to liaise with other agencies – we will seek consent as necessary before doing this

• The prevention or detection of crime and/or fraud

• The apprehension or prosecution of offenders

• The assessment or collection of tax owed to HMRC

• In connection with legal proceedings

• Where the disclosure is required to satisfy our safeguarding obligations

Subjects access requests and other rights of individuals

Subject access requests Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them. This includes:

• Confirmation that their personal data is being processed

• Access to a copy of the data

• The purposes of the data processing

• The categories of personal data concerned

• Who the data has been, or will be, shared with

• How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period

• The source of the data, if not the individual

• Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual Subject access requests may be submitting in writing or verbally and can be sent either to the Data Protection Officer, a member of staff or a Governor / Trustee.

To enable the request to be accurately responded to, the applicant should be encouraged to make the request in writing and to set out:

• Name of individual

• Correspondence address

• Contact number and email address

• Details of the information requested

Responding to subject requests

When responding to requests, we:

• May ask the individual to provide 2 forms of identification

• May contact the individual via phone to confirm the request was made

• Will respond without delay and within 1 month of receipt of the request

• Will provide the information free of charge

Data storage

Enhance Learning and Support will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. In particular:

• Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use

• Papers containing confidential personal data must not be left on office desks or left anywhere else where there is general access

• Staff must ensure passwords are hard for anyone else to guess by incorporating numbers and mixed case into it.

• Staff who store personal information on their personal devices are expected to follow the same security procedures as Enhance Learning and Support’s equipment

• Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected

Policy written: 27th February 2019

Review date: 27th February 2022

Policy written by: Christiana Flynn
Job Title: Owner of Enhance Learning and Support