UK General Data Protection Regulation (UK GDPR)

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

As a Trust, we are committed to protecting all the personal data and special category personal data for which we are a data controller for.  The Learning for Life Education Trust (LFLET) is the Data Controller and responsible for compliance under UK GDPR.

Data Protection governs how information about living people (such as pupils and staff) is collected and used.

UK GDPR (UK General Data Protection Regulation) is about personal data. This means data which relates to an individual who can be identified from that information. It does not affect all the records the school or academy trust holds because much of it will not contain personal data.

A main feature of data protection under the UK GDPR is an accountability principle, meaning that the organisation does not only have to comply, but it has to be able to demonstrate that it complies.

The Information Commissioner’s Office (ICO) is the national regulator of data protection legislation. If there is something that we, as an academy trust, are doing that is not quite as it should be, a complaint can be made to the ICO.

You can find further information on UK GDPR by visiting the ICO website.

LFLET has audited all of its schools and is responsible for creating and maintaining Information Processing Audits (IPA).

The IPA is a list of the main types of information the Trust has (and this, therefore, includes all the information schools in the Trust have), stating key details about the data, such as:

• Why we have it;
• What it is used for;
• Where it is stored;
• Who it is shared with (if it is); and
• How long we keep it for.

Privacy Notices

Privacy Notices are what we use to explain to people why we collect information and what we are going to do with it, such as if we are going to share it with anyone else.

• Privacy notice for pupils
• Privacy notice for parents and carers
• Privacy notice for staff
• Privacy notice for governance and volunteers
• Privacy notice for visitors
• Privacy notice for recruitment
• Privacy notice for suppliers

Data Protection Officer (DPO)

UK GDPR makes it a requirement for all public authorities (including schools) and large organisations to have a designated DPO. LFLET’s DPO can be contacted by emailing dpo@iflt.org.uk or calling 01933 654921.

Procedures for individuals to exercise their rights

The UK GDPR gives individuals various rights around their data. The main one is being able to request a copy of the information held about them, but it also gives them the right to do things like request that information is corrected (if inaccurate).

Policies

• Data Protection Policy
• Freedom of Information Policy
• Records Management Policy

Rights of Individuals

Individuals have the following rights:

• Right of access (to receive copies of their personal data);
• Right to rectification (correcting data if inaccurate);
• Right to erasure (to request that data is deleted);
• Right to restrict processing (to request you do not use their data in a certain way);
• Right to data portability;
• Right to object;
• Right to have explained if there will be any automated decision-making, including profiling, based on the data and that they have the right to meaningful information about the logic behind this.

Policy Documents

Data Protection and the GDPR – January 2021

As the UK transitional arrangements expired on 31 December 2020, there are some practical changes for Data Protection and the GDPR.

To comply with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 please note that every policy, notice and procedural guide that refers to ‘GDPR’ shall now be read as ‘UK GDPR’.

The rights, responsibilities and data protection that the Data Protection Act 2018 and the GDPR are not changed. Our procedures and arrangements will not change.

If you have any queries please contact dpo@iflt.org.uk