1) Data Breach Policy Aug 2021
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore about more than just losing personal data: it is a security incident that has affected the confidentiality, integrity or availability of personal data.

Whenever a security incident takes place, it should be quickly established whether a personal data breach has occurred and, if so, steps should promptly be taken to address it, including informing the ICO if required. The ICO must be informed if the breach has resulted in a risk to people’s rights and freedoms; if this is unlikely, then it does not have to be reported. However, if a breach has not been reported, We All Beam should be able to justify this decision. In assessing whether a data breach has created a risk to people’s rights and freedoms, Recital 85 of the GDPR should be consulted. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the natural person concerned.

We All Beam will ensure that any data breach is fully investigated. Any action against a staff member who caused a data breach will depend on the circumstances of the breach and will be considered in line with relevant HR policies.
2) GDPR Individual Rights Policy Aug 2021
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right of erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
We All Beam will ensure that all school staff are aware of these rights via the We All Beam privacy notices.
We All Beam will ensure that, should any member of school staff request to invoke any of the rights listed above, the request is treated in the correct manner and the individual is assisted in any way it can. However, some of the rights listed will not apply due to other conditions. An example would be the right to erasure: if an individual requested this to be applied to a record, it could hamper We All Beam’s ability to perform its public task. As such, any requests that are made will be treated on a case-by-case basis, and the requester will be kept informed of the decisions that We All Beam makes regarding their request.
Below is a brief guide to what each of the rights are:
- The right to be informed – The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
- The right of access – Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- The right to rectification – The GDPR gives individuals the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.
- The right to erasure – The right to erasure is also known as the ‘right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- The right to restrict processing – Individuals have the right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability – The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object – Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing; and processing for purposes of scientific/historical research and statistics.
- Rights related to automated decision-making including profiling – This is not applicable to We All Beam. However, should an individual challenge We All Beam in any way regarding automated decision making, then the school will carry out an investigation.
3) Privacy Impact Assessment Aug 2021
Privacy Impact Assessments (PIAs) are an integral part of taking a privacy by design approach. PIAs are a tool that We All Beam can use to identify and reduce the privacy risks of a project. A PIA can reduce the risk of harm to individuals through misuse of their personal information. It can also help We All Beam to design a more efficient and effective process for handling personal data. You can integrate the core principles of the PIA process with your existing project and risk management policies. This reduces the resources necessary to conduct the assessment and spreads awareness of privacy throughout We All Beam. An effective PIA will allow We All Beam to identify and fix problems at an early stage. PIAs are often applied to new projects. However, a PIA can also be used if We All Beam are planning changes to an existing process. We All Beam have a process and guidance on how they will approach PIAs.
Privacy Risk
PIAs should assist We All Beam in identifying privacy risk, which is the risk of harm through an intrusion into privacy.
This is the risk of harm through use or misuse of personal information. Some ways that this risk can arise are through personal information being:
- Inaccurate, insufficient, or out of date.
- Excessive or irrelevant.
- Kept for too long.
- Disclosed to those who the person it is about does not want to have it;
- Used in ways that are unacceptable to or unexpected by the person it is about; or
- Not kept securely.
The outcome of a PIA should be to minimise privacy risk. We All Beam should develop an understanding of how it will approach the broad topics of privacy and privacy risk. The benefits of a PIA are that it allows individuals to be reassured about how We All Beam uses their information and that best practice has been followed. A project which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way. A PIA should also improve transparency and make it easier for an individual to understand why their information is being used. We All Beam should also benefit from using PIAs. The process of conducting the assessment will improve how We All Beam use information which impacts on individual privacy. This should in turn reduce the likelihood that We All Beam will fail to meet its legal obligations. Conducting and publishing a PIA will help We All Beam to build trust with the people using their services. The actions taken during and after the PIA process can improve We All Beam’s understanding of its stakeholders. Consistent use of PIAs will increase the awareness of privacy and data protection within We All Beam and ensure that all staff involved in designing projects think about privacy at the early stages.
When should we use PIAs?
The core principles of a PIA can be applied to any project that involves the use of personal data, or any other activity which could have an impact on the privacy of individuals. A PIA should be used on new projects or when making an amendment to a current project. The PIA should be built into the project management structure.
Who should carry out the PIA?
We All Beam will decide who is best placed to carry out the PIA. The Data Protection Officer (DPO) is well placed to have a significant role in a PIA. However, the PIA is designed to be used by anyone within We All Beam. For the PIA to be effective it should include some involvement from various people within We All Beam, who will each be able to identify different privacy risks and solutions.
What should the PIA do?
The PIA should be flexible so that it can be integrated with We All Beam’s existing approach to managing projects. The PIA should incorporate the following:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process.
4) Privacy Impact Process Identifying & Logging Aug 2021
Screening questions to assess if a PIA is required. If the answer is yes to any of the questions below, then using a PIA may be useful.
- Will the project involve the collection of new information about individuals?
- Will the project compel individuals to provide information about themselves?
- Will information about individuals be disclosed to organisations or people who have not previously had routine access to this information?
- Are you using the information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
- Does the project involve using new technology which might be perceived as being privacy intrusive?
- Will the project result in the school making decisions or acting against individuals in ways which can have a significant impact on them?
- Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, use of special category data within GDPR.
- Will the project require you to contact individuals in ways which they may find intrusive?
Identify the need for a PIA
Explain what the project aims to achieve and what the benefits will be to the organisation, to individuals and to other parties.
Identify any other relevant documents related to the project, for example a project proposal.
Summarise why the need for a PIA was identified (this can draw on your answers to the screening questions).
Identify and describe the information flows.
- How is the information collected?
- How is the information stored?
- How is the information used?
- How is the information deleted?
The collection, use and deletion of personal data should be described here, and it may also be useful to refer to a flow diagram or another way of explaining data flows. You should also say how many individuals are likely to be affected by the project.
Identify any privacy risks
- Are there any privacy risks to individuals?
- Are there any compliance risks to We All Beam, such as fines for non-compliance?
- What is the level of each risk?
It’s important to explain what practical steps We All Beam will take to ensure that we identify and address privacy risks. Who should be consulted, internally and externally? How will you carry out the consultation? You should link this to the relevant stages of your project management process. Consultation can be used at any stage of the PIA process.
Identify the privacy and related risks.
Identify the key privacy risks and the associated compliance and corporate risks. Log any risk on a formal risk register. The categories would include:
- Risk to individuals
- Level of risk
5) Privacy Notice Pupil Data Aug 2021
The categories of pupil information that we collect, hold and/or share include:
- Personal information (such as name, unique pupil number and address, adult emergency contact information)
- Characteristics (such as free school meal eligibility, Pupil Premium Information)
- Special Categories (such as Ethnicity, Language, Nationality, Country of birth & Religion)
- Attendance information (such as sessions attended, number of absences and absence reasons)
- Assessment information
- Relevant medical information (Special Category Data)
- Special Educational Needs information
- Exclusions and Behavioural information.
- Financial Information (such as dinner money transactions, trip transactions)
Why we collect and use this information
- to support pupil learning
- to track the mental health of pupils
- to monitor and report on pupil progress
- to provide appropriate pastoral care
- to assess the quality of our services
- to comply with the law regarding data sharing
The lawful basis on which we use this information
We collect and use pupil information under the Education Act 1996, the Data Protection Act 1998 and, from 25 May 2018, the EU General Data Protection Regulation (GDPR) Article 6 and Article 9 (excluding (f) legitimate interests). Special category data under Article 9 is processed under condition (a): the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
Collecting pupil information
Whilst most of the pupil information you provide to us is mandatory, some of it is provided to us on a voluntary basis. To comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain pupil information to us or if you have a choice in this.
Storing pupil data
We hold pupil data only where it is lawful for us to do so. Any data that we are no longer required to hold lawfully is deleted/destroyed in accordance with the We All Beam GDPR Data document.
Who we share pupil information with:
Data Safety, who process data on our behalf, will have a data processing agreement with We All Beam.
Why we share pupil information
We do not share information with anyone without consent unless the law and our policies allow us to do so.
Please see the school’s subject access request policy for further information.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, have processing restricted, or have the data erased or destroyed
- data portability
- claim compensation for damages caused by a breach of the Data Protection regulations
- withdraw consent for the processing of special category data
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance.
Alternatively, you can contact the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
6) Subject Access Request Policy
If We All Beam receive a subject access request from an individual, the procedure listed below will be followed.
1. We All Beam will contact the Data Protection Officer in the event of a subject access request and the Data Protection Officer will assist the school or college throughout the process.
2. We All Beam will first establish who the individual is making the request on behalf of. Is it access to their own personal data or is it on behalf of someone else?
3. We All Beam will then establish if the individual has a valid reason for accessing the data. ICO guidelines state that they are not entitled to the information just because they may be interested.
4. If a valid reason is forthcoming, then the individual will be asked to make the request in writing or by email.
5. We All Beam may be allowed to charge a fee for the subject access request, and this will be communicated back to the individual if this is the case.
6. We All Beam are not required to respond to a verbal request. However, depending on the circumstances, it could be reasonable to do so if We All Beam are satisfied about the person’s identity.
7. Should the individual requesting the data be disabled and find it impossible or unreasonably difficult to make the request in writing, then We All Beam will make reasonable adjustments under the Equality Act 2010.
8. Even if the request does not state that it is a subject access request, We All Beam will treat it as such if it is clear that the individual is asking for their own personal data (or on behalf of someone else).
9. The subject access request will be treated as valid by We All Beam regardless of who it has been sent to within We All Beam.
10. We All Beam will then establish if the information requested falls within the definition of personal data.
11. Once a valid subject access request has been received, We All Beam will determine the nature of the request, and a decision will be made on what information can be provided if the subject access request relates to a child, and the timescales to adhere to. GDPR states 1 month for a request. However, ICO guidelines state 15 school days for a child’s educational records.
12. We All Beam will provide the data as it was at the time of the request, unless the routine use of the data has led to it being amended or even deleted. In this case We All Beam would supply the information that it holds when the response is sent to the individual, even if this is different to that held at the time of the request.
13. However, We All Beam will not amend or delete any data during a subject access request that it would not have otherwise done so.
14. We All Beam will provide the information to the individual in an ‘intelligible form’. This means that it will be provided in a way that is capable of being understood by the average person.
15. We All Beam may request more information about the subject access request if they are not satisfied that the person making the request is the individual to whom the personal data relates (or on behalf of), or We All Beam may ask for information that We All Beam reasonably needs to find the personal data covered by the request.
16. If the subject access request is made on behalf of a child, then We All Beam will consider whether the child is mature enough to understand their rights and if so, We All Beam will respond to the child not the parent. However, when considering borderline cases other factors will be considered.
17. We All Beam will not comply with a subject access request if doing so would mean disclosing information about another individual who could be identified from the information provided, unless the other individual has given consent, or it is reasonable in the circumstances to comply with the request without the individual’s consent.
7) We All Beam Privacy Notice Aug 2021
1. Introduction: This Privacy Notice explains the types of personal information we may collect about you when you interact with us. It also explains how we will store and handle that information, as well as keep it safe and secure. We will keep our privacy notice under regular review and will advise you of any updates on our website.
2. Who we are: For the purposes of Data Protection legislation, We All Beam is the Data Controller. As Data Controller we must:
• use your personal information fairly and lawfully
• only use your personal information for the purposes it has been provided for, unless required to by law
• only collect as much personal information as needed for the services you require
• keep your personal information accurate and up to date
• only keep your information for as long as necessary
• use your personal information in accordance with your rights
• keep your personal information safe and secure
• not transfer your personal information outside the European Economic Area unless adequate levels of protection are in place
3. What is personal information? Personal information is defined as any information which relates to a living individual who can be identified either:
• from the information we hold, or
• from the information combined with any other information which is already in the possession of, or likely to come into the possession of, the person or organisation holding the information.
Personal information also includes any expression of opinions about an individual, and any indication of the intentions of the data controller (We All Beam) or any other person in respect of the individual.
4. What type of personal information do we collect? We may collect the following types of personal information:
• Personal details such as names, addresses, telephone numbers
• Date of birth
• Categories to include special data such as FSM, LAC, ECHP
• Education and training details
• Physical health or mental condition
• Sounds and visual images (such as CCTV images)
• Address of usual residence of parent or guardian
5. How do we collect personal information? We may collect your personal information in several ways, for example:
• Using the expression of interest form
• Communication through email, or verbally
We may also take photographs at our events, our properties and in our communities to use for general marketing and publicity. However, photographs of individuals will only be used for these purposes with consent.
6. Why do we collect your personal information? We All Beam has notified the Information Commissioner that personal information will be held and used for the following purposes:
• School staff administration purposes
• Advertising, marketing, and public relations
• Accounts and records of mental health tracking
• Administration of membership records/subscription
• Information and administration
7. Who might we share your personal information with? We obtain and share personal information with Group Call only as they manage the transfer of data from the current IT system used within your school or college.
We may also share personal information with language translation services, where it is necessary to translate any information into or from a foreign language for your school or college. Your school or college may share your personal information with other organisations where this is relevant to the service they are carrying out on your behalf. In these instances, the service area should inform you who they intend to share your personal information with.
8. How long will we keep your personal information? We will only keep your personal information for as long as necessary. We All Beam is required to hold certain types of information for a statutory period. In other cases, We All Beam may keep personal information for historical, statistical or research purposes. At the end of the retention period, or the life of a particular record, it will be reviewed and deleted, unless there is any special reason for keeping it. When We All Beam collect your personal information, they should inform you how long they will keep it for.
9. What is our legal basis for using your personal information? To use your personal information there must be a lawful basis to do this, such as, through a contract, performing a public task or where there is a legal obligation. The GDPR sets a high standard for consent to use people’s information. Consent requires a positive opt-in. Pre-ticked boxes or any other consent method by default is no longer allowed. Whilst most of the information you provide to us is a mandatory requirement for us to provide services to you, some of it is provided to us on a voluntary basis. To comply with data protection legislation, we will inform you whether you are required to provide certain information to us or if you have a choice about whether you need to provide the information and how your data is used. However, if you choose not to share your personal data with us in these circumstances, this may affect our ability to improve our services and our service offer to you as a customer. If consent is the only legal basis used to process your personal information, you can withdraw your consent at any time. Consent can be withdrawn by email, telephone or face-to-face.
10. Direct Marketing: We All Beam may occasionally want to use your name and contact details to inform you of upcoming events, offers and services. If We All Beam wishes to use your personal information for these purposes, we will always ask for your explicit consent before doing so. Unless you are told otherwise, this information will not be shared with third parties, and you can unsubscribe at any time by emailing firstname.lastname@example.org or email@example.com. You will always be asked to opt in to direct marketing, and this should always be a clear, affirmative action, such as ticking an opt-in box. Any information you provide us for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information.
11. How do we keep your personal information secure? We recognise the professional responsibility we have to safeguard the information of individuals. The security of your personal information is important to us, and we follow a range of security policies and procedures to ensure that access to and use of your information is controlled and appropriate. Some examples of our security measures include:
• Controlling access to We All Beam systems and networks, preventing any unauthorised access to your personal information
• Using security measures such as passwords and encryption so that only people with specific access rights can view it
• Our staff are regularly trained in data protection to make them aware of their responsibilities when using personal information and how and when to report if something goes wrong
• We regularly test our technology and working practices to keep up to date with the latest security updates
12. What are your rights? Your individual rights are set out in law. Subject to some legal exemptions, you have the following rights:
Right to be informed – You have the right to know about the collection and use of your personal information, including:
• Why it is collected
• How it is used
• Who it is shared with
• How long it is kept for
Right of access – You have the right to obtain a copy of your personal information and supplementary information to understand how and why we have your information and that we are using it lawfully. This is commonly known as a Subject Access Request (SAR).
Right to rectification – You have the right to have inaccurate personal information rectified. You also have the right to have incomplete personal information completed – although this may depend on the reasons for using your personal information.
Right to erasure in certain circumstances – You have the right to have your personal information erased. This is also known as the ‘right to be forgotten’. The right to erasure does not apply in all cases, such as complying with a legal obligation, performing a task set out in the public interest, or for the establishment, exercise, or defence of legal rights.
Right to restrict processing – You have the right to request that We All Beam restrict using your personal information in some circumstances. This may be because you are challenging the accuracy of the information and we are verifying the accuracy of the data. In most cases we will not need to restrict using your personal information indefinitely but will need to have the restriction in place for a certain period.
Right to data portability – You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format. Individuals also have the right to request that a controller transmits this data directly to another controller. This is commonly used for banking and insurance purposes when wanting to switch providers and is not commonly used by We All Beam.
Right to object – You have the right to object to We All Beam using your personal information. The right to object only applies in certain circumstances and requests to object using personal information will be considered on an individual basis. We All Beam will be unable to stop using personal information if it is needed to carry out a statutory function.
Rights in relation to automated decision making and profiling – Automated individual decision-making is a decision made by automated means without any human involvement. An example of this would be an online decision to award a loan. Profiling can be used to find out about individuals’ preferences, predict behaviour or make decisions about people. We All Beam will not make any solely automated decisions about you that have any legal or similarly significant effect on you.
13. Contact us: If you would like to exercise your rights in relation to your personal information, or you feel that something has gone wrong with your personal information, you can contact us by emailing: firstname.lastname@example.org or email@example.com or telephone: 07936 037939
If you feel that We All Beam has not handled your information correctly, you can contact them using the above contact details or contact the Information Commissioner’s Office (ICO).
The ICO is the Government’s independent body responsible for overseeing data protection. In most cases the ICO will only review cases that have exhausted We All Beam’s internal procedures. The ICO’s contact details are as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. More information can be found on the ICO’s website at www.ico.org.uk.