The Coláiste’s Data Protection Policy applies to the personal data held by the school which is protected by the Data Protection Acts 1988 and 2003.
The policy applies to all school staff, the board of management, parents/guardians, students and others (including prospective or potential students and their parents/guardians and applicants for staff positions within the school) insofar as the measures under the policy relate to them. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the manner in which personal data and sensitive personal data will be protected by the school.
Data Protection Principles
The Coaiste’s is a data controller of personal data relating to its past, present and future staff, students, parents/guardians and other members of the school community. As such, the Coláiste is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 and 2003 which can be summarised as follows:
- Obtain and process Personal Data fairly: Information on students is gathered with the help of parents/guardians and staff. In relation to information the Coláiste holds on other individuals (members of staff, individuals applying for positions within the School, parents/guardians of students etc.), the information is generally furnished by the individuals themselves with full and informed consent and compiled during the course of their employment or contact with the School. All such data is treated in accordance with the Data Protection Acts and the terms of this Data Protection Policy. The information will be obtained and processed fairly.
- Keep it only for one or more specified and explicit lawful purposes: The Coláiste will inform individuals of the reasons they collect their data and will inform individuals of the uses to which their data will be put. All information is kept with the best interest of the individual in mind at all times.
- Process it only in ways compatible with the purposes for which it was given initially: Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. Information will only be disclosed on a need to know basis, and access to it will be strictly controlled.
- Keep Personal Data safe and secure: Only those with a genuine reason for doing so may gain access to the information. Sensitive Personal Data is securely stored under lock and key in the case of manual records and protected with firewall software and password protection in the case of electronically stored data. Portable devices storing personal data (such as laptops) should be encrypted and password protected before they are removed from the school premises. Confidential information will be stored securely and in relevant circumstances, it will be placed in a separate file which can easily be removed if access to general records is granted to anyone not entitled to see the confidential data.
- Keep Personal Data accurate, complete and up-to-date: Students, parents/guardians, and/or staff should inform the school of any change which the school should make to their personal data and/or sensitive personal data to ensure that the individual’s data is accurate, complete and up-to-date. Once informed, the school will make all necessary changes to the relevant records. The Course Director may delegate such updates/amendments to another member of staff. However, records must not be altered or destroyed without proper authorisation. If alteration/correction is required, then a note of the fact of such authorisation and the alteration(s) to be made to any original record/documentation should be dated and signed by the person making that change.
- Ensure that it is adequate, relevant and not excessive: Only the necessary amount of information required to provide an adequate service will be gathered and stored.
- Retain it no longer than is necessary for the specified purpose or purposes for which it was given: The School will comply with DES guidelines on the storage of Personal Data and Sensitive Personal Data relating to a student. . The school may also retain the data relating to an individual for a longer length of time for the purposes of complying with relevant provisions of law and or/defending a claim under employment legislation and/or contract and/or civil law.
- Provide a copy of their personal data to any individual, on request: Individuals have a right to know what personal data/sensitive personal data is held about them, by whom, and the purpose for which it is held.
Purpose of the Policy: The Data Protection Acts 1988 and 2003 apply to the keeping and processing of Personal Data, both in manual and electronic form. The purpose of this policy is to assist the Colaiste to meet its statutory obligations, to explain those obligations to School staff, and to inform staff, students and their parents/guardians how their data will be treated.
The policy applies to all Colaiste staff, the board of management, parents/guardians, students and others (including prospective or potential students and their parents/guardians, and applicants for staff positions within the school) insofar as the school handles or processes their Personal Data in the course of their dealings with the school.
Definition of Data Protection Terms
In order to properly understand the school’s obligations, there are some key terms which should be understood by all relevant Colaiste staff:
Data means information in a form that can be processed. It includes both automated data (e.g. electronic data) and manual data. Automated data means any information on computer, or information recorded with the intention that it be processed by computer. Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily, quickly and easily accessible.
Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller i.e. the school.
Sensitive Personal Data refers to Personal Data regarding a person’s
- racial or ethnic origin, political opinions or religious or philosophical beliefs
- physical or mental health or condition or sexual life
- commission or alleged commission of any offence or
- any proceedings for an offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings, criminal convictions or the alleged commission of an offence.
Data Controller for the purpose of this policy is the Board of Management, Coláiste Naomh Eoin.
In addition to its legal obligations under the broad remit of educational legislation, the Coláiste has a legal responsibility to comply with the Data Protection Acts, 1988 and 2003.
This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared. As more and more data is generated electronically and as technological advances enable the easy distribution and retention of this data, the challenge of meeting the school’s legal responsibilities has increased.
The Coláiste takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individual’s personal data. It is also recognised that recording factual information accurately and storing it safely facilitates an evaluation of the information, enabling the course director and board of management to make decisions in respect of the efficient running of the Coláiste. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the school and board of management.
Relationship to characteristic spirit of the School (School’s mission/vision/aims)
Coláiste Naomh Eoin seeks to
- enable each student to develop their full potential
- provide a safe and secure environment for learning
- promote respect for the diversity of values, beliefs, traditions, languages and ways of life in society.
We aim to achieve these goals while respecting the privacy and data protection rights of students, staff, parents/guardians and others who interact with us. The Coláiste wishes to achieve these aims/missions while fully respecting individuals’ rights to privacy and rights under the Data Protection Acts.
The Personal Data records held by the school may include:
- Categories of student data: These may include:
- Information which may be sought and recorded at enrolment and may be collated and compiled during the course of the student’s time in the school. These records may include:
- name, address and contact details
- date and place of birth
- names and addresses of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access)
- whether English/Irish is the student’s first language
- any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
- Psychological, psychiatric and/or medical assessments
- Attendance records
- Photographs and recorded images of students (including at school events and noting achievements). See the template “Guidance on Taking and Using Images of Children in Schools”
- Records of disciplinary issues/investigations and/or sanctions imposed
- Other records e.g. records of any serious injuries/accidents etc. (Note: it is advisable to inform parents that a particular incident is being recorded).
- Records of any reports the school (or its employees) have made in respect of the student to State departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the DES Child Protection Procedures).
- Purposes: The purposes for keeping student records are:
- to enable each student to develop to their full potential
- to comply with legislative or administrative requirements
- to ensure that eligible students can benefit from the relevant additional teaching
- to enable parents/guardians to be contacted in the case of emergency or in the case of school closure, or to inform parents of their child’s educational progress or to inform parents of school events etc.
- to meet the educational, social, physical and emotional requirements of the student
- photographs and recorded images of students are taken to celebrate Coláiste achievements, compile records, establish a Coláiste website, record Coláiste events, and to keep a record of the history of the Coláiste. Such records are taken and used in accordance with the Coláiste’s “Guidance for Taking and Using Images of Pupils in Schools”
- to ensure that the student meets the school’s admission criteria
- to ensure that students meet the minimum age requirements for their course,
- to furnish documentation/ information about the student to the Department of Education and Skills, the National Council for Special Education, TUSLA, and other Schools etc. in compliance with law and directions issued by government departments
- Location: In a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access.
- Security: Paper Records are kept in a secure filing cabinet in a locked office. Computer records are kept on password protected PCs and cloud based storage is protected by state of the art security and enhanced data protection and controlled password protected access to information, relevant to each staff member’s role/duties.
Board of management records:
- Categories of board of management data: These may include:
- Name, address and contact details of each member of the board of management (including former members of the board of management)
- Records in relation to appointments to the Board
- Minutes of Board of Management meetings and correspondence to the Board which may include references to particular individuals.
- Purposes: To enable the Board of Management to operate in accordance with the Education Act 1998 and other applicable legislation and to maintain a record of board appointments and decisions.
- Location: In a secure, locked filing cabinet and that only personnel who are authorised to use the data can access it. Employees are required to maintain the confidentiality of any data to which they have access.
- (d) Security: Paper Records are kept in a secure filing cabinet in a locked office. Computer records are kept on password protected PCs and cloud based storage is protected by state of the art security and enhanced data protection and controlled password protected access to information, relevant to each staff member’s role/duties.
Processing in line with data subject’s rights
Data in this school will be processed in line with the data subjects’ rights.
Data subjects have a right to:
(a) Request access to any data held about them by a data controller
(b) Prevent the processing of their data for direct-marketing purposes
(c) Ask to have inaccurate data amended
(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
Dealing with a data access requests
Section 3 access request
Under Section 3 of the Data Protection Acts, an individual has the right to be informed whether the Coláiste holds data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept. The individual must make this request in writing and the data controller will accede to the request within 21 days.
The right under Section 3 must be distinguished from the much broader right contained in Section 4, where individuals are entitled to a copy of their data.
Section 4 access request
Individuals are entitled to a copy of their personal data on written request.
– The individual is entitled to a copy of their personal data (subject to some exemptions and prohibitions set down in Section 5 of the Data Protection Act)
– Request must be responded to within 40 days
– Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the Coláiste as data controller to comply with the second request (no time limit but reasonable interval from the date of compliance with the last access request.) This will be determined on a case-by-case basis.
– No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable would the school refuse to furnish the data to the applicant.
Providing information over the phone
In our Coáiste, any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the school over the phone. In particular the employee should:
- Check the identity of the caller to ensure that information is only given to a person who is entitled to that information
- Suggest that the caller put their request in writing if the employee is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified
- Refer the request to the course director for assistance in difficult situations. No employee should feel forced into disclosing personal information.
Implementation arrangements, roles and responsibilities
In our Coláiste the board of management is the data controller and the course director will be assigned the role of co-ordinating implementation of this Data Protection Policy and for ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities.
The following personnel have responsibility for implementing the Data Protection Policy:
Board of management: Data Controller
Course Director: Implementation of Policy
Teaching personnel: Awareness of responsibilities
Administrative personnel: Security, confidentiality
IT personnel: Security, encryption, confidentiality
Ratification & communication
When the Data Protection Policy has been ratified by the board of management, it becomes the school’s agreed Data Protection Policy. It should then be dated and circulated within the school community. The entire staff must be familiar with the Data Protection Policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on students, staff and others in the Coláiste’s community.
Parents/guardians and students should be informed of the Data Protection Policy from the time of enrolment of the student.
Monitoring the implementation of the policy
The implementation of the policy shall be monitored by the course director and the board of management.
At least one annual report should be issued to the board of management to confirm that the actions/measures set down under the policy are being implemented.
Reviewing and evaluating the policy
The policy should be reviewed and evaluated at certain pre-determined times and as necessary. On-going review and evaluation should take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or the NEWB), legislation and feedback from parents/guardians, students, colaiste’s staff and others. The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning.