Data Protection Quick Overview
The Trust (and thus Cheam High School) is designated a public authority. Our justification for processing data is very much linked to a mixture of: legal obligation, vital interests, public tasks and/or legitimate interest. For example: education is our key purpose and is very much a public task and a legitimate interest. Vital interests include keeping students safe, passing on information as needed. Legal obligations covers some data we have to collect as well as other duties, including HMRC and pension obligations related to our staff.
For schools (unlike some other organisations), consent will be rarely used as our justifications are very much linked to the above reasons. However, we would ask for consent in certain circumstances as explained in the data protection policies and also the privacy notices found on the website.
Consent won’t apply to internal use of photographs eg for curriculum purposes or as part of the school security system. It will apply where student images are used eg in presentational videos for open evening shown to parents/carers on that evening. The photograph policy explains this and also shows the consent form to be used with both parents/carers and the student themselves.
Where consent is needed, then this passes to the child from approximately the age of 12 for many purposes UNLESS there is reason to think the child does not understand the question or implication of what they are being asked (eg some students with particular learning needs). This means we will continue to ask the parents/carers of Year 7 students with regard to the use of photographic images in promotional material, but from Year 8 onwards, we will ask the student for consent.
The school uses a range of software applications. Many of these relate to curriculum areas eg homework tasks or revision resources. We do have to use some of our students’ personal data eg their names to allocate out individual accounts. Part of our checks will be to ensure that these software areas are able to demonstrate suitable security and compliance systems; we remain responsible for the data for our students.
One of the areas where we need to be explicit is how long we retain records held on various parties. This means making clear how long we usually keep information and when we would delete it. Where we have student files, we have a duty to keep the Educational Record until the student reaches the age of 25 years. However, as our policy notes, there will be times when we keep other data as experience has indicated that this can be useful to students eg examination results, particularly where certificates have been lost.
Finally, we have made explicit the advice given to staff about the acceptable use of ICT. This includes network security, deleting information that does not need to be kept as part of a regular spring clean, and general guidelines for professional ICT behaviour.