St. Mary’s National School’s data protection policy sets out in writing the manner in which personal data on Board of Management members, staff, students and parents is kept and how the data concerned is protected.
This policy was formulated with reference to:
The policy was formulated by the Principal and members of the Board of Management. This policy applies to the keeping and processing of personal data, both in manual form, on computer, and in the cloud and includes personal data on Board members, staff, parents and pupils of St. Mary’s National School. The school understands data to include any information that is kept relating to a living individual who is or can be identified from the data, or from the data in conjunction with other information that is in or is likely to come into the possession of the data controller. In order to properly understand the school’s obligations, there are some key terms which should be understood by all relevant parties.
Definition of Data Protection Terms
Data means information in a form that can be processed. It includes both automated data (e.g. electronic data) and manual data.
Automated data means any information on computer, or information recorded with the intention that it be processed by computer.
Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily, quickly and easily accessible.
Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller i.e. the school.
Sensitive Personal Data refers to Personal Data regarding a person’s
Data Controller for the purpose of this policy is the Board of Management of St. Mary’s National School who delegate the responsibility for overseeing data protection on a day to day basis to the Principal.
To Whom this Policy Applies:
This policy applies to all school staff, the Board of Management, parents/guardians, students and others insofar as the measures in this policy relate to them.
St. Mary’s National School understands that:
Aims of this Policy
The objectives of developing this policy include the following:
Transfer of Personal Data
The data controller, (normally the Principal of the school or another person designated by the Principal or Chairperson of the Board) may supply data kept by him/her, or information extracted from such data, to the data controller of another prescribed body if satisfied it will be used for a relevant purpose only.
Examples of this are as follows:
Information required by other government bodies so that resources may be obtained for use by children with Special Educational Needs e.g. National Council for Special Education (N.C.S.E.) or National Education Psychological Service (N.E.P.S.).
The policy content is divided into two sections as follows:
The personal data records held by the school may include:
Staff records are kept for the following purposes:
In a secure, locked filing cabinet and on the administration laptops /computers in the office.
These records are kept as manual records in a secure /lockable filing cabinet in the Principal’s office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Some information is also stored on the office computers which are password protected and have firewall software such as Norton installed or downloaded. Such protective software is regularly updated. Information is also regularly backed up.
Each staff member has a personal file maintained in a locked filing cabinet in the office. Personal Contact details, PPS numbers, class records, duty lists and reports are stored on the office/Principal’s computer and in the cloud by Aladdin Systems. The School Accounting.ie system is used to facilitate the payment of ancillary staff and payments for extracurricular actitivies or visiting teachers.
Records of promotions, career breaks, leave taken, illness etc, is available through the Department of Education and Skills On line Claims System (OLCS/Esinet).
These may include:
The information on students is stored in two formats: both manual files containing hard copy of forms signed etc. and on computer files backed up and stored via the Aladdin system or on the office administration computers.
The purpose for keeping student records includes the following:
Board of Management records maintained include:
The purpose for keeping Board of Management records include:
Other Information that may be retained by the school includes:
The school will hold other records relating to individuals. The format in which these records will be kept are manual record (personal file within a relevant filing system), and/or computer record (database). Some examples of the type of other records which the school will hold are set out below (this list is not exhaustive):
Categories of data:
The school may hold some or all of the following information about creditors (some of whom are self-employed individuals):
Purpose: This information is required for routine management and administration of the school’s financial accounts and complying with audits and investigations by the Revenue Commissioners.
Location: In a secure, locked office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. We use on-line banking in the school where possible so much of this detail is stored on this system. This is regulated by AIB online banking regulations.
(a) Categories: CCTV is installed in the schools, externally i.e. perimeter walls/fencing and internally as detailed in the CCTV Policy. These CCTV systems may record images of staff, students and members of the public who visit the premises.
(b) Purposes: Safety and security of staff, students and visitors and to safeguard school property and equipment.
(c) Location: Cameras are located externally and internally as detailed in the CCTV Policy. Recording equipment is located in the reception office of school.
(d) Security: Access to images/recordings is restricted to the principal & deputy principal of the school. Tapes, DVDs, hard disk recordings are retained for 28 days, except if required for the investigation of an incident (eg: vandalism, break-in). Images/recordings may be viewed or made available to An Garda Síochána pursuant to section 8 Data Protection Acts 1988 and 2003.
Local Contribution Payments/Donations
Categories of data:
The school may hold the following data in relation to donors who have made charitable donations to the school:
Purpose: The school may be entitled to avail of the scheme of tax relief for donations of money they receive.
Location: In a secure, locked office that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Information is also stored electronically on the school’s administration computers.
Garda Vetting Information
All adults working with children in any capacity within the school must be Garda vetted. Completed vetting forms are sent to the Education Secretariat in Archbishop’s House and the results of vetting process are stored manually in a locked filing cabinet in the Principal’s office to which only authorised personnel may have access. Teachers are vetted through the Teaching Council and the vetting outcome is available through the Digitary Core which is password controlled by each individual teacher.
Rules of Data Protection
All personal data records held by the school are obtained, processed, used and retained in accordance with the following eight rules of data protection based on the Data Protection Acts.
The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under rules 1 and 3 above is not defined in the Data Protection Acts. However, guidance material published on the Data Protection Commissioner’s website states the following:
“As a general rule in the area of education, a student aged eighteen or older may give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice.”
Appendix 1 has our data protection statement which is included with relevant forms when personal information is being requested.
Note: The statute of limitations in relation to personal injuries is currently two years. The limitation period for other causes of action varies, but in most cases is not greater than six years. A limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim. In the case of minors, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge postdates their 18th birthday. The school adheres to the retention schedule for schools which has been supplied via the Catholic Primary Schools Management Association.
Links to other Policies and to Curriculum Delivery
Relevant school policies already in place or being developed or reviewed, are examined with reference to the data protection policy and any implications which it has for them shall be addressed. The following policies may be among those considered:
Data in this school will be processed in line with the data subjects’ rights. Data subjects have a right to:
Providing Information over the Phone
In our school, any employee dealing with telephone enquiries is careful about disclosing any personal information held by the school over the phone. In particular the employee will:
Implementation Roles and Responsibilities
In our school the Board of Management is the data controller and the Principal will be assigned the role of co-ordinating implementation of this Data Protection Policy, and for ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities. The following personnel have responsibility for implementing the Data Protection Policy:
|Board of Management||Data Controller|
|Principal||Implementation of Policy|
|Teaching personnel||Awareness of responsibilities|
|Administrative personnel||Security, confidentiality|
|IT personnel||Security, encryption, confidentiality|
Ratification and Communication
This Data Protection Policy has been ratified by the Board of Management of St. Mary’s National School, Croom, on__________________
Parents/guardians and students will be informed of the Data Protection Policy at the time of enrolment of the student (by inclusion of a statement…see Appendix1).
The policy will be available via the school’s website.
Monitoring the Implementation of the Policy
The implementation of the policy shall be monitored by the Principal. At least one annual report shall be issued to the board of management to confirm that the actions/measures set down under the policy are being implemented.
Reviewing and evaluating the policy
The policy should be reviewed and evaluated as the need arises but at least every second year. On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills), legislation and feedback from parents/guardians, students, school staff and others.
The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning.
Signed: Cn. Wm Fitzmaurice Chair Board of Management
Data Protection Statement for inclusion on relevant forms when personal information is being requested.
The information collected on this form will be held by St. Mary’s National School in manual and in electronic format. The information will be processed in accordance with the Data Protection Act, 1988 and the Data Protection (Amendment) Act, 2003.
The purpose of holding this information is for administration needs and to facilitate the school in meeting the student’s educational needs and legal commitments etc.
Disclosure of any of this information to statutory bodies such as the Department of Education and Skills or its agencies will take place only in accordance with legislation or regulatory requirements.
Explicit consent will be sought from Parents/Guardians or students aged 18 or over if the school wishes to disclose this information to a third party for any other reason.
Parents/Guardians of students and students aged 18 or over have a right to access the personal data held on them by the school and to correct it if necessary.
I consent to the use of the information supplied as described.
Signed Parent/Guardian: _________________________