GDPR Policy

In compliance with General Data Protection Regulation (School) effective 25 May 2018

Introduction

The Dublin Academy of Education (DAE) Data Protection Policy applies to personal data held by the school and which is protected by the General Data Protection Regulation.

This policy applies to all school staff, the board of management, parents/guardians, students and others (including prospective or potential students and their parents/guardians and applicants for staff positions within the school) insofar as the measures under the policy relate to them. Data will be stored securely so that confidential information is protected in compliance with the school and relevant legislation. This policy sets out the manner in which personal data and sensitive personal data will be protected by the school.

Article 5 of the GDPR sets out principles relating to the processing of personal data.  These include:

  1. The processing of personal data must be lawful, fair and transparent
  2. Personal data is collected for specified, explicit and legitimate purposes.
  3. Personal data held must be adequate, relevant and limited.
  4. Personal data held must be accurate.
  5. Personal data is retained and stored for no longer than is necessary.
  6. Personal data is processed in a manner that is safe, secure & confidential.

The school will process all data in compliance with these principles as outlined in the school.

Legal Obligations

Implementation of this policy takes into account the school’s legal obligations and responsibilities. Some of these are directly relevant to data protection.

  • Under Section 9(g) of the Education Act, 1998, the parents of a student, or in the case of a student who has reached the age of 18 years, the student, must be given access to records kept by the school relating to the progress of the student in their education
  • Under Section 20 of the Education (Welfare) Act, 2000, the school must maintain a register of all students attending the school
  • Under section 20(5) of the Education (Welfare) Act, 2000, a principal is obliged to notify certain information relating to the child’s attendance in school and other matters relating to the child’s educational progress to the principal of another school to which a student is transferring
  • Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance or non-attendance of students registered at the school on each school day
  • Under Section 28 of the Education (Welfare) Act, 2000, the school may supply Personal Data to certain prescribed bodies (the Department of Education and Skills, the Child and Family Agency (Tusla), the National Council for Special Education, other schools, third level institutions or other centres of education) provided the school is satisfied that it will be used for a ‘relevant purpose’
  • Under Section 14 of the Education for Persons with Special Educational Needs Act, 2004, the school is required to furnish to the National Council for Special Education (and its employees, which include Special Educational Needs Organisers (SENOs) such information as may from time to time reasonably requested

The Freedom of Information Act 1997, 2014 (and subsequent amendments) provides a qualified right to access to information held by public bodies.  While schools are not currently subject to freedom of information legislation if a school has furnished information to a body covered by the Freedom of Information Act (such as the Department of Education and Skills), these records could be disclosed if a request is made to that body.

For the purposes of clarity, standard school Reports issued by the school are considered to be ‘records kept by the school relating to the progress of the student in their education.’  State examination results, issued directly to students, and other standardised test scores may be considered data requiring the consent of data subjects once they are capable of understanding their own rights to privacy and data protection as indicated by the Irish Office of the Data Protection Commissioner in its publication, ‘Access Rights and Responsibilities – A Guide for Individuals and Organisations’.

  • Under Section 26(4) of the Health Act, 1947 a school shall cause all reasonable facilities (including facilities for obtaining names and addresses of pupils attending the school) to be given to a health authority for the purposes of general health provision
  • Under the Children First Act 2015 and Department of Education and Skills Child Protection Procedures for Primary and Post Primary schools 2017, the school is obliged to report suspected child abuse or neglect to TUSLA (or in the event of an emergency to An Garda Síochána).
  • The school may make returns to the Department of Education and Skills (‘DES’) referred to as ‘October Returns’ using the Post Primary On-line Database. These October Returns will include sensitive personal data regarding personal circumstances which are provided by parents/guardians on the Pupil Details Form.

The October Returns contain individualised data (such as an individual student’s PPS number) which acts as an ‘identifier’ for the DES to validate the data that belongs to a recognised student. The DES also transfers some of this data to other government departments and other State bodies to comply with legislation, such as transfers to the Department of Social Protection pursuant to the Social Welfare Acts, transfers to the State Examinations Commission, transfers to the Educational Research Centre, and transfers to the Central Statistics Office pursuant to the Statistics Acts.

Irish Office of the Data Protection Commissioner Guidance

Implementation of this policy also takes into account the school’s obligations and responsibilities to students who are data subjects.  In particular, the Irish Office of the Data Protection Commissioner’s guidance is that:

‘Legal guardians can make an access request on behalf of a child. However, once a child is capable of understanding their rights to privacy and data protection, the child should normally decide for himself or herself whether to request access to data and make the request in his or her own name.

Where an organisation receives an access request from a legal guardian on behalf of a child who has had direct interaction with that organisation, and/or where that child is capable of understanding his or her own rights to privacy and data protection, the organisation must take account of child’s rights in deciding how to respond to the access request.

Personal Data

The Personal Data records held by the school may include:

Staff records:

Categories

As well as existing and former members of staff, these records may also relate to applicants for positions within the school and student teachers.

These staff records may include:

  • Name, address, contact details and PPS number
  • Original records of application and appointment to posts
  • Details of approved absences
  • Details of work record
  • Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties
  • Records of any reports the school (or its employees) may have made in respect of the staff member to state departments and/or other agencies under mandatory reporting legislation and/or child- safeguarding procedures (subject to the DES Child Protection Procedures for Primary and Post Primary Schools 2017).

Purposes:

Staff records are kept for the purposes of:

  • The management and administration of school business (now and in the future)
  • Facilitating the payment of staff, and calculations other benefits/entitlements
  • Human resources management
  • Recording promotions made (documentation relating to promotions applied for) and changes in responsibilities
  • Enabling the school to comply with its obligations as an employer including the preservation of a safe, efficient working and teaching environment (including complying with its responsibilities under the Safety, Health and Welfare at Work Act, 2005)
  • Enabling the school to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, Tusla, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies
  • Complying with legislation relevant to the school.

Location:

Staff records are held in both manual and electronic form. Such files are kept in secure filing cabinets that only personnel who are authorised to use the data can access or in electronic form that is password protected.  Employees are required to maintain the confidentiality of any data to which they have access.

Pupil Records:

Categories

These may include:

  • Information sought and filed on a Registration Form, Application Form or Pupil Details form (completed on admission)

These records may include:

  • Name, address, contact details and PPS number
  • Date and place of birth
  • Names and addresses of parents/guardians and contact details (including any special arrangements with regard to guardianship, custody or access)
  • Religious affiliation
  • Whether pupils (or their parents) are medical card holders
  • Academic records – subjects studied, class assignments, examination results, official school reports, records of significant achievements, previous academic record or references
  • Information collated and compiled during the course of the student’s time in the school including:
  • Psychological, psychiatric and/or medical assessments
  • Attendance records
  • Photographs and recorded images of student
  • Records of significant achievements
  • Subject exemptions or special student needs
  • Records of disciplinary issues/investigations and/or sanctions imposed
  • Records of meetings or interactions with teachers for the purposes of pastoral care or general welfare
  • Records of meetings or interactions with boarding staff
  • Medical records
  • Photographs and articles recording student endeavour and success which may appear in school publications or on the website
  • Records of any reports the school (or its employees) have made in respect of the student to state departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the DES Child Protection Procedures)

Purposes

The purposes for keeping student records are:

  • To enable each student to develop to their full potential
  • To comply with legislative or administrative requirements
  • To ensure that eligible students can benefit from the relevant additional teaching or financial supports
  • To enable parents/guardians to be contacted in the case of emergency or in the case of school closure, or to inform parents of their child’s educational progress or to inform parents of school events etc.
  • To meet the educational, social, physical and emotional requirements of the student
  • To ensure that the student meets the school’s admission criteria
  • To ensure that students meet minimum age requirements courses
  • To ensure that any student seeking an exemption from Irish meets the criteria in order to obtain such an exemption from the authorities
  • To furnish documentation and/or information about the student to the Department of Education and Skills, the National Council for Special Education, Tusla, and other schools in compliance with law and directions issued by government departments
  • To furnish, when requested by the student (or their parents/guardians in the case of a student under 18 years) documentation/information/ references to third-level educational institutions and/or prospective employers.
  • To celebrate school and pupil achievements, compile publications, yearbooks, update the school website, record school events, and to keep a record of the history of the school.

Location:

Pupil records are held in both manual and electronic form. Such files are kept in secure filing cabinets that only personnel who are authorised to use the data can access or in electronic form that is password protected.  Employees are required to maintain the confidentiality of any data to which they have access.

Parent Records

The school does not keep personal files for parents or guardians. However, information about, or correspondence with, parents may be included in the files for each student. This information shall be treated in the same way as any other information in the student file and may be accessed similarly.

The school keeps financial records which include records of fees paid. These records are administered by The DAE and are treated as strictly confidential. Parents are entitled to contact the school to seek details of their financial record, and shall be facilitated in such a way that the financial record of no other parent or family is divulged.

The Dublin Academy of Education Board Records:

Minutes of Board meetings shall record attendance, items discussed and decisions taken, and will be kept safely and securely.  Board business shall be considered confidential to the members of the Board.

Purposes:

To enable the Board to operate in accordance with the Education Act 1998 and other applicable legislation and to maintain a record of Board decisions.

CCTV IMAGES AND RECORDINGS:

CCTV is installed in the DAE. The CCTV systems may record images of staff, students and members of the public who visit the campus.

Purposes: 

For the safety and security of staff, students and visitors and to safeguard pupil property, school property and equipment.

Location:

Cameras are located in corridor and public areas within school buildings.

Security:

Access to images/recordings is restricted to the Principal and relevant staff. Recordings are retained for approximately 14 days, except if required for the investigation of an incident. Images/recordings may be viewed or made available to An Garda Síochána.

DATA ACCESS REQUESTS

Requests for access to personal data may be made by completing a school Data Request Form. Individuals are entitled to a copy of their personal data on written request in compliance with Article 15 of the GDPR.

Where a subsequent or similar request is made soon after a request has just been dealt with the school may charge a fee to cover administrative costs.

No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Such consent must be given in writing to the Principal of the school.

Data will be carefully redacted to omit references to any other individual and where it has not been possible to redact the data to ensure that the third party is not identifiable the school will refuse to furnish the data to the applicant.

In compliance with the GDPR, The DAE may refuse to grant an access request where such a request is deemed manifestly unfounded or excessive.

For and on behalf of The Dublin Academy of Education