Data Protection / GDPR
From 25th May 2018 Data protection regulations have changed. This page will show how Iver Village Junior School use and store your data. It will also give you information about how to access and change the data we hold on you or your child and what consent you will be asked to give.
As part of the new regulations the school have appointed turn IT on as their Data Protection Officer. Any enquiries about data should go to the Data Protection Officer via the e-mail address [email protected] or by calling 01865 597620 (option 3 - GDPR).
Iver Village Junior School is registered with the ICO. Registration reference Z4601951.
As part of the new regulations the school have appointed turn IT on as their Data Protection Officer. Any enquiries about data should go to the Data Protection Officer via the e-mail address [email protected] or by calling 01865 597620 (option 3 - GDPR).
Iver Village Junior School is registered with the ICO. Registration reference Z4601951.
Policies and Privacy Notices
Identifying Our Lawful Basis For Processing Data
In schools
We use public task as your lawful basis for most of your processing. This means that we need to process personal data to carry out your official functions in the public interest.
We also use consent for processing data where it's not necessary for you to fulfill your function. This is used when none of the other bases apply, as the standard for getting consent is very high and consent can be withdrawn at any time.
We use public task as your lawful basis for most of your processing. This means that we need to process personal data to carry out your official functions in the public interest.
We also use consent for processing data where it's not necessary for you to fulfill your function. This is used when none of the other bases apply, as the standard for getting consent is very high and consent can be withdrawn at any time.
Six Principles Of Data Protection
There were 8 principles under the DPA and now there are 6. Essentially the same but condensed. Article 5 of the GDPR states that personal data must be:
1) Processed fairly, lawfully and in a transparent manner in relation to the data subject.
2) Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
3) Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
4) Accurate and, where necessary, kept up to date.
5) Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6) Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1) Processed fairly, lawfully and in a transparent manner in relation to the data subject.
2) Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
3) Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
4) Accurate and, where necessary, kept up to date.
5) Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6) Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Rights
Individuals have the following rights:
1) be informed of data processing (which is covered by the School’s Privacy Notice)
2) access information (also known as a Subject Access Request)
3) have inaccuracies corrected
4) have information erased
5) restrict processing
6) data portability (this is unlikely to ever be relevant to schools)
7) intervention in respect of automated decision making (automated decision making is rarely operated within schools)
8) Withdraw consent
9) Complain to the Information Commissioner’s Office
1) be informed of data processing (which is covered by the School’s Privacy Notice)
2) access information (also known as a Subject Access Request)
3) have inaccuracies corrected
4) have information erased
5) restrict processing
6) data portability (this is unlikely to ever be relevant to schools)
7) intervention in respect of automated decision making (automated decision making is rarely operated within schools)
8) Withdraw consent
9) Complain to the Information Commissioner’s Office
How We Deal With Records
Data With Third Parties / Privacy Policies
Iver Village Junior School use third party IT systems in order to process data such as attendance, communication and special needs information. All providers are GDPR compliant and have strict procedures in place to protect any information they hold.
The third party providers are:-
SIMS - this is the system run on behalf of Buckinghamshire County Council by Capita. It holds all of the pupils information that is required for their education. Contact details for the pupils and parents/guardian as well as any special needs and medical information. This information is passed to any school that the pupil transfers to through an electronic CTF file. This system also provides the Government details for census and exam results as well as recording registration and attendance information. SIMS Privacy Notice.
Teachers2Parents - This is the school's communication platform. Data is transferred from SIMS to Eduspot who host Teachers2Parents. The data required will be basic name, gender, and phone number/email address that is used for communicating. Please click the link to read Eduspot GDPR Statement for further details.
SchoolMoney - This is the school's payment platform. Payments for trips and parent evening bookings can be made through this portal. Data is transferred from SIMS to Eduspot who host SchoolMoney. The data required will be basic name, gender, phone number/email address that is used for communicating. Please click the link to read Eduspot GDPR Statement for further details.
Target Tracker - Powered by Juniper Education - On this system test results and assessments are kept to help the school monitor pupil progress. This system gets data from SIMS. Privacy Policy
Times Tables Rock Stars - run by Maths Circle Ltd. Information comes from SIMS. Pupils details are deleted when they leave. Click on link for more details Times Table Rock Stars GDPR.
Purple Mash - run by 2Simple. Information comes from SIMS. Pupils details are deleted when they leave. Click on link for more details - 2simple Compliant Statement
SchoolCloud - This is the school's trial system for booking Parents' Evening appointments online. Data is transferred from SIMS to School Cloud Systems Ltd. The data required will be basic name, gender, and class. Please click the link to read their GDPR Compliance Statement for further details.
turn IT on - This is our IT supplier who manage our server and IT systems. Data is held on a cloud system. turn IT on work with many schools in the Buckinghamshire area are are GDPR compliant. Click the link to read Privacy Notice - turn-it-on-privacy-notice-schools-data
Tempest Photography - Tempest take the school photos each year. They are given via SIMS a list of all of the children with a barcode that hold identification information. Once the photos are taken this barcode enables the photographs to be uploaded into SIMS for identification of children. Tempest Privacy Notice.
Parents' Evening Booking System - This is the school's system for booking Parents' Evening appointments online. Data is transferred from SIMS to NetMedia Limited who host Parents' Evening Booking System. The data required will be basic name, gender, and class. Please click the link to read their Terms and Conditions for further details.
CENTURY - AI-powered personalised teaching and learning for KS1-2. We use it for English, maths and science for Years 2-6. It is now our Home Learning platform. It instantly spots and plugs gaps in knowledge. Data insights for timely, targeted interventions. The data for each child will be required so personalised learning can be tailored. - Privacy Notice
PE Hub - Is a high quality primary PE planning and assessment tool that empowers our teachers to deliver high quality PE lessons. The data for each child will be required for the assessment tool. Privacy Policy
CPOMS - CPOMS StudentSafe helps schools uphold and enhance their student wellbeing initiatives. Completely customisable, the software also helps lessen the burden on staff managing administrative tasks, allowing schools to gain efficiency. StudentSafe helps schools confidently demonstrate their student wellbeing policies and protocols, such as referrals, child-on-child abuse, interventions, attendance, persistent absence, and more. It provides clear, effective, and secure record-keeping. CPOMS Privacy Notice.
IRIS Connect - IRIS Connect is a secure, cloud-based platform that helps teachers develop their practice by recording, analyzing, and reflecting on their lessons. IRIS Connect Privacy Policy
The third party providers are:-
SIMS - this is the system run on behalf of Buckinghamshire County Council by Capita. It holds all of the pupils information that is required for their education. Contact details for the pupils and parents/guardian as well as any special needs and medical information. This information is passed to any school that the pupil transfers to through an electronic CTF file. This system also provides the Government details for census and exam results as well as recording registration and attendance information. SIMS Privacy Notice.
Teachers2Parents - This is the school's communication platform. Data is transferred from SIMS to Eduspot who host Teachers2Parents. The data required will be basic name, gender, and phone number/email address that is used for communicating. Please click the link to read Eduspot GDPR Statement for further details.
SchoolMoney - This is the school's payment platform. Payments for trips and parent evening bookings can be made through this portal. Data is transferred from SIMS to Eduspot who host SchoolMoney. The data required will be basic name, gender, phone number/email address that is used for communicating. Please click the link to read Eduspot GDPR Statement for further details.
Target Tracker - Powered by Juniper Education - On this system test results and assessments are kept to help the school monitor pupil progress. This system gets data from SIMS. Privacy Policy
Times Tables Rock Stars - run by Maths Circle Ltd. Information comes from SIMS. Pupils details are deleted when they leave. Click on link for more details Times Table Rock Stars GDPR.
Purple Mash - run by 2Simple. Information comes from SIMS. Pupils details are deleted when they leave. Click on link for more details - 2simple Compliant Statement
SchoolCloud - This is the school's trial system for booking Parents' Evening appointments online. Data is transferred from SIMS to School Cloud Systems Ltd. The data required will be basic name, gender, and class. Please click the link to read their GDPR Compliance Statement for further details.
turn IT on - This is our IT supplier who manage our server and IT systems. Data is held on a cloud system. turn IT on work with many schools in the Buckinghamshire area are are GDPR compliant. Click the link to read Privacy Notice - turn-it-on-privacy-notice-schools-data
Tempest Photography - Tempest take the school photos each year. They are given via SIMS a list of all of the children with a barcode that hold identification information. Once the photos are taken this barcode enables the photographs to be uploaded into SIMS for identification of children. Tempest Privacy Notice.
Parents' Evening Booking System - This is the school's system for booking Parents' Evening appointments online. Data is transferred from SIMS to NetMedia Limited who host Parents' Evening Booking System. The data required will be basic name, gender, and class. Please click the link to read their Terms and Conditions for further details.
CENTURY - AI-powered personalised teaching and learning for KS1-2. We use it for English, maths and science for Years 2-6. It is now our Home Learning platform. It instantly spots and plugs gaps in knowledge. Data insights for timely, targeted interventions. The data for each child will be required so personalised learning can be tailored. - Privacy Notice
PE Hub - Is a high quality primary PE planning and assessment tool that empowers our teachers to deliver high quality PE lessons. The data for each child will be required for the assessment tool. Privacy Policy
CPOMS - CPOMS StudentSafe helps schools uphold and enhance their student wellbeing initiatives. Completely customisable, the software also helps lessen the burden on staff managing administrative tasks, allowing schools to gain efficiency. StudentSafe helps schools confidently demonstrate their student wellbeing policies and protocols, such as referrals, child-on-child abuse, interventions, attendance, persistent absence, and more. It provides clear, effective, and secure record-keeping. CPOMS Privacy Notice.
IRIS Connect - IRIS Connect is a secure, cloud-based platform that helps teachers develop their practice by recording, analyzing, and reflecting on their lessons. IRIS Connect Privacy Policy
Training
All Governors and staff have been made aware of the new GDPR regulations. New staff are given this information at their induction and are expected to read the Data Protection policy. Staff have access to the important policies and some are displayed in the staff room.
Data Security
Iver Village Junior School have a procedure to deal with any breach in data security. Any breach will be reported to and dealt with by the DPO. The breach will be recorded, investigated and steps taken to lessen any impact. The DPO will decide if the breach is significant enough to report to the ICO. This must be done within 72 hours of the data breach. The DPO will evaluate the breach, risk assess and put in any changes to data security or process as required.
Data Protection Officer/Governance
The DPO for Iver Village Junior School is turn IT on. Any enquiries about data should go to the Data Protection Officer via the e-mail address [email protected] or by calling 01865 597620 (option 3 - Data Protection Team).
They are responsible for updating policies and produces and ensuring they are kept too. All policies are agreed with the School Governors.
They are responsible for updating policies and produces and ensuring they are kept too. All policies are agreed with the School Governors.
Consent
The lawful basis for processing personal data of students and staff is that it is necessary in order for the School to discharge its legal obligations and statutory duties. In respect of this processing the Privacy Notices are sufficient to ensure lawful processing. It is not usual for Schools to process personal data solely based on written consent. Where the School takes a photograph or film of someone on school premises, events or trips and wants to use this image for educational purposes, consent is not required. However, the pupil if over 16 years old, or if younger their guardian must still be informed that photography or filming is taking place and the context in which the image will be used.
Consent will be required where there is additional processing of personal data which is not within the reasonable expectation of those involved.
Who’s consent?
Where the child is below the age of 16 years, consent must be given by the holder of parental responsibility over the child.
How we obtain consent.
When a pupil starts at Iver Village Junior School a consent form is sent out in the new starter pack. This will cover their time at Iver Village until they leave. If additional consent is required a separate form will be sent out to cover the consent for a particular event. Due to the changes in Data Protection the school will be sending out new consent forms to cover all children in Years 3 to 5 for their remaining time at Iver Village.
Guidance on consent and withdrawal.
Anything requiring consent requires a positive opt-in. If another organisation/third party is relying on the consent we will name them in the consent form.
Consent can be withdrawn at any time. We will require this in writing and given to the office. You will receive a receipt of a withdrawal of consent and it will be acted upon within a reasonable period of time and no longer than one month from the date of receipt.
Consent will be required where there is additional processing of personal data which is not within the reasonable expectation of those involved.
Who’s consent?
Where the child is below the age of 16 years, consent must be given by the holder of parental responsibility over the child.
How we obtain consent.
When a pupil starts at Iver Village Junior School a consent form is sent out in the new starter pack. This will cover their time at Iver Village until they leave. If additional consent is required a separate form will be sent out to cover the consent for a particular event. Due to the changes in Data Protection the school will be sending out new consent forms to cover all children in Years 3 to 5 for their remaining time at Iver Village.
Guidance on consent and withdrawal.
Anything requiring consent requires a positive opt-in. If another organisation/third party is relying on the consent we will name them in the consent form.
Consent can be withdrawn at any time. We will require this in writing and given to the office. You will receive a receipt of a withdrawal of consent and it will be acted upon within a reasonable period of time and no longer than one month from the date of receipt.
Updating and Reviewing
All policies and procedures will be reviewed and updated once a year. The review date is set for Jan each year. This review will be carried out by the DPO and any changes agreed with the Headteacher and Governors.
Policies and procedures will also be reviewed if there are any changes to how data is managed at the school, Government guidelines or following a breach of data security.
Policies and procedures will also be reviewed if there are any changes to how data is managed at the school, Government guidelines or following a breach of data security.
FISA Events and Fundraising
At Iver Village Junior School we are very lucky to hold events throughout the year to raise money for the school. Friends of Iver Schools Association fundraising [FISA] is a "Friends of" charity that has been set up. The committee of this group is set up of parents and staff of Iver Village Junior School and Iver Village Infants. Miss Digweed, the Headteacher sits on this committee with other members of staff. This means that she is under all of the same confidentially rules as any other staff member which enables her to have access to the school's computer.
FISA hold very little data and anything held is kept at school or on the school computer system. Data held includes:-
Class lists for discos - produced and held by school and shredded after the event.
List of volunteers for events - names are given directly to FISA.
List of external stall holders - list of email and contact details. Consent will is required for this list.
Raffle ticket stubs - all destroyed after event.
Committee member details for the Charity Commission - Consent is required for this.
All communication about events, request for help and advertising is via the school office. This is sent via Teachers2Parents in the same way as all school communication. Consent is given for this communication when an email address is given to the school or Teachers2Parents app is downloaded. You can withdraw your consent at anytime if you do not wish to receive any information from FISA. If you wish to withdraw consent then please send a letter to the school office.
As members of staff are part of the FISA committee, the data comes under the school policies / procedures such as data security, rights etc. At no time is data shared with any non staff members of the committee except in the form of simple name lists which are then destroyed.
FISA hold very little data and anything held is kept at school or on the school computer system. Data held includes:-
Class lists for discos - produced and held by school and shredded after the event.
List of volunteers for events - names are given directly to FISA.
List of external stall holders - list of email and contact details. Consent will is required for this list.
Raffle ticket stubs - all destroyed after event.
Committee member details for the Charity Commission - Consent is required for this.
All communication about events, request for help and advertising is via the school office. This is sent via Teachers2Parents in the same way as all school communication. Consent is given for this communication when an email address is given to the school or Teachers2Parents app is downloaded. You can withdraw your consent at anytime if you do not wish to receive any information from FISA. If you wish to withdraw consent then please send a letter to the school office.
As members of staff are part of the FISA committee, the data comes under the school policies / procedures such as data security, rights etc. At no time is data shared with any non staff members of the committee except in the form of simple name lists which are then destroyed.