RMDS POLICY ON DATA PROTECTION
Appendix A: Data Protection (Location and Storage of Records)
Appendix B: Glossary
Appendix C: Implementing the Data Processing Principles
Appendix D: Categories of Recipients
Appendix E: Reference sites
The RMDS Data Protection Policy applies to the processing of personal data held by the school which is protected by the Data Protection Acts 1988-2018. This policy was substantially reviewed in 2021 and will be reviewed periodically to incorporate any changes as to how RMDS treats data that it collects and relevant legislative changes.
The Data Protection Acts 1988-2018 apply to the keeping and processing of personal data, both in manual and electronic form. The purpose of this policy is to assist the school to meet its statutory obligations, to explain those obligations to school staff, and to inform staff, pupils and their parents/guardians how their data will be treated.
Relationship to characteristic spirit of school:
Ranelagh Multi Denominational School seeks to
We aim to achieve these goals while respecting the privacy and data protection rights of pupils, staff, parents/guardians and others who interact with us.
The policy applies to all school staff, the Board of Management, parents/guardians, pupils (past and present) and others, including but not limited to prospective or potential pupils and their parents/guardians and applicants for staff positions within the school, in so far as the measures under the policy relate to them and in so far as the school handles or processes their personal data in the course of their dealings with the school.
Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the way personal data and sensitive personal data will be protected by the school.
The school is a data controller of personal data relating to its past, present and future staff, pupils, parents/guardians and other members of the school community. As such, the school is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988-2018. The legislative framework can be summarised as follows:
The principles of data protection may be summarised as follows:
1.1 Obtain and process personal data fairly, lawfully, and transparently:
Information on pupils is gathered with the help of parents/guardians and staff. Information is also transferred from pupils’ previous schools. In relation to information the school holds on other individuals (members of staff, individuals applying for positions within the school, parents/guardians of pupils, etc.), the information is generally furnished by the individuals themselves with full and informed consent and compiled during the course of their employment or contact with the school. All such data is treated in accordance with the Data Protection Acts and the terms of this Data Protection Policy. The information will be obtained lawfully and processed fairly. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
1.2 Keep it only for one or more specified and explicit lawful purposes:
Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.
RMDS will inform individuals of the reasons it collects their data and of the uses to which their data will be put. All information is kept with the best interest of the individual in mind.
1.3 Process it only in ways compatible with the purposes for which it was given initially:
Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. Information will only be disclosed on a need to know basis, and access to it will be strictly controlled.
1.4 Keep personal data safe and secure:
Only those with a genuine reason for doing so may gain access to information. Sensitive personal data is securely stored under lock and key in the case of manual records and protected with firewall software and password protection in the case of electronically stored data. It is our practice not to store data on portable devices; in rare cases where it is, the data is encrypted and password protected before the devices are removed from the school premises. Confidential information is stored securely, and, in relevant circumstances, will be placed in a separate file which can easily be removed if access to general records is granted to anyone not entitled to see the confidential data.
1.5 Keep personal data accurate, complete and up to date:
The school will send an annual form requesting data updates to parents. Pupils, parents/guardians, and/or staff should inform the school of any change which the school should make to their personal data and/or sensitive personal data to ensure that the individual’s data is accurate, complete and up to date. Once informed, the school will make all necessary changes to the relevant records. The Principal may delegate such updates/amendments to another member of staff. However, records must not be altered or destroyed without proper authorisation. If alteration/correction is required, then a note of the fact of such authorisation and the alteration to be made to any original record/documentation should be dated and signed by the person making that change.
1.6 Ensure that it is adequate, relevant and not excessive:
Only the necessary amount of information required to provide an adequate service will be gathered and stored.
1.7 Retain it no longer than is necessary for the specified purpose or purposes for which it was given:
Generally, the information will be kept for the duration of the individual’s time in the school. Thereafter, the school will comply with DES guidelines on the storage and retention of personal data and sensitive personal data relating to a pupil. Data retention timeframes relating to a pupil, as set out in the Data Retention Schedules, will be followed. The Data Retention Schedules are available on request from the school office.
In the case of members of staff, the school will comply with both DES guidelines and the requirements of the Revenue Commissioners regarding the retention of employee records. The school may also retain the data relating to an individual for a longer length of time for the purposes of complying with relevant provisions of law and/or defending a claim under employment legislation and/or contract and/or civil law.
1.8 Provide a copy of their personal data to any individual, on request:
Individuals have a right to know what personal data/sensitive personal data is held about them, by whom, and the purpose for which it is held.
2.1 Whenever the school is processing personal data, all of the principles listed in the previous section(s) must be obeyed. In addition, at least one of the following bases (GDPR Article 6) must apply if the processing is to be lawful,
2.2 When processing special category personal data, the school will ensure that it has additionally identified an appropriate lawful basis under GDPR Article 9. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In addition to its legal obligations under the broad remit of educational legislation, RMDS has a legal responsibility to comply with the Data Protection Acts 1988-2018.
This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared. As more and more data are generated electronically, and as technological advances enable the easy distribution and retention of this data, the challenge of meeting the school’s legal responsibilities has increased.
The school takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individuals’ personal data. It is also recognised that recording information accurately and storing it safely facilitates evaluation of the information when necessary, enabling the Principal and Board of Management to make decisions in respect of the efficient running of the school. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the school and Board of Management.
Implementation of this policy considers the school’s other legal obligations and responsibilities. Some of these are directly relevant to data protection. For example:
Storage of Personal Data
Personal data is stored in secure, locked filing cabinets or electronic databases that only personnel who are authorised to use the data can access. Electronic records are stored with appropriate password protection, with appropriate electronic security measures in place.
Employees are required to maintain the confidentiality of any data to which they have access.
A) Staff records:
(i) Categories of staff data: As well as existing members of staff (and former members of staff), these records may also relate to applicants applying for positions within the school, trainee teachers and teachers under probation. These staff records may include:
Name, address and contact details, PPS number
Original records of application and appointment to promotion posts
Details of approved absences (career breaks, parental leave, study leave, etc.)
Details of work record (qualifications, classes taught, subjects, etc.)
Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties
Records of any reports the school (or its employees) have made in respect of the staff member to State departments and/or other agencies under mandatory reporting legislation and/or child-safeguarding guidelines (subject to the DES child protection procedures)
Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
(ii) Purposes: The purposes of keeping staff records are:
B) Pupil records:
(i) Categories of pupil data: These may include information which may be sought and recorded at enrolment and may be collated and compiled during the course of the pupil’s time in the school. These records may include:
The purposes for keeping pupil records are:
C) Board of Management records:
(i) Categories of Board of Management data:
These may include:
(b) Purpose: To enable the Board of Management to operate in accordance with the Education Act 1998 and other applicable legislation and to maintain a record of board appointments and decisions.
D) Other records
Some examples of the type of other records which the school will hold are set out below:
(i) Categories of data: the school may hold some or all of the following information about creditors (some of whom are self-employed individuals):
(b) Purpose: This information is required for routine management and administration of the school’s financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.
Charity tax-back form;
(a) Categories of data: the school may hold the following data in relation to donors who have made charitable donations to the school:
(b) Purpose: Schools are entitled to avail of the scheme of tax relief for donations of money they receive. To claim the relief, the donor must complete a certificate (CHY3 or 4) and forward it to the school to allow it to claim the grossed-up amount of tax associated with the donation. The certificate is retained by the school in the case of audit by the Revenue Commissioners.
(a) Categories: The school holds data comprising examination results in respect of its students. These include continuous assessment and class, annual, screening and standardised tests.
(b) Purpose: The main purpose for which these results and other records are held is to monitor a pupil’s progress and to provide a sound basis for advising them and their parents/guardians about their progress. The data may also be aggregated for statistical/reporting purposes, such as to compile results tables. The data may be transferred to the Department of Education and Skills, the National Council for Curriculum and Assessment and such other similar bodies.
6.1 Recipients are defined as organisations and individuals to whom the school transfers or discloses personal data. Recipients may be data controllers, joint controllers or processors. A list of the categories of recipients used by the school is provided in the appendices (Appendix C). This list may be subject to change from time to time.
6.2 Data Sharing Guidelines
7.1 Definition of a Personal Data Breach
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
7.3 Responding to a Data Breach
Personal Data will be processed by the school in a manner that is respectful of the rights of data subjects. Under GDPR these include
You are entitled to information about how your personal data will be processed. We address this right primarily through the publication of this Data Protection Policy. We also publish additional privacy notices/statements which we provide at specific data collection times, for example, our Website Data Privacy Statement is available to all users of our website. Should you seek further clarification, or information that is not explicit in our Policy or Privacy Statements, then you are requested to forward your query to the school.
You are entitled to see any information we hold about you. The school will, on receipt of a request from a data subject, confirm whether or not their personal data is being processed. In addition, a data subject can request a copy of their personal data. The school in responding to a right of access must ensure that it does not adversely affect the rights of others.
If you believe that the school holds inaccurate information about you, you can request that we correct that information. The personal record may be supplemented with additional material where it is adjudged to be incomplete.
Data subjects can ask the school to erase their personal data. The school will act on such a request providing that there is no compelling purpose or legal basis necessitating retention of the personal data concerned.
Data subjects have the right to seek a restriction on the processing of their data. This restriction (in effect requiring the controller to place a “hold” on processing) gives an individual an alternative to seeking erasure of their data. It may also be applicable in other circumstances such as where, for example, the accuracy of data is being contested.
This right facilitates the transfer of personal data directly from one controller to another. It can only be invoked in specific circumstances, for example, when processing is automated and based on consent or contract.
Data subjects have the right to object when processing is based on the school’s legitimate interests or relates to a task carried out in the public interest (e.g. the processing of CCTV data may rely on the school’s legitimate interest in maintaining a safe and secure school building). The school must demonstrate compelling legitimate grounds if such processing is to continue.
This right applies in specific circumstances (as set out in GDPR Article 22).
In cases where the school is relying on consent to process your data, you have the right to withdraw this at any time, and if you exercise this right, we will stop the relevant processing.
While the school will always facilitate the exercise of your rights, it is recognised that they are not unconditional: the school may need to give consideration to other obligations.
Telephone +353 57 8684800
+353 (0)761 104 800
Lo Call Number 1890 252 231
Fax +353 57 868 4757
Post Data Protection Commission
Canal House, Station Road
Portarlington, Co. Laois
9.1.1 The school will log the date of receipt and subsequent steps taken in response to any valid request. This may include asking the data subject to complete an Access Request Form in order to facilitate efficient processing of the request. There is no charge for this process.
9.1.2 The school is obliged to confirm the identity of anyone making a rights request and, where there is any doubt on the issue of identification, will request official proof of identity (e.g. photographic identification such as a passport or driver’s licence).
9.2 Format of Information supplied in fulfilling a request
9.3 Providing information over the telephone:
In RMDS, any employee dealing with telephone enquiries should exercise caution about disclosing any personal information held by the school over the phone. In particular the employee should:
10.1 Communication during Periods of School Closure
10.2 Distance Learning
Children’s work is stored electronically on teachers’ Google Drive. Devices are password-protected.
In circumstances where teaching cannot be conducted on the school premises, teachers and ISAs, acting under the direction of teachers, may use a range of online platforms including Google Classroom, Google Meet, Zoom, Seesaw, Padlet, Skype, Microsoft Teams, Class Dojo and other platforms approved by the principal to assist with distance teaching and learning. Parental permission is received prior to using any of these platforms.
The school has signed up to the terms of service of the online platforms in use by the school.
The school has enabled the most up to date security and privacy features which these online platforms provide.
Staff members adhere to school guidelines on the use of platforms for live engagement.
10.3 Data protection pertaining to website:
See ICT Acceptable Usage Policy, including section on Distance Learning.
Relevant school policies already in place or being developed or reviewed shall be examined with reference to the data protection policy and any implications which it has for them shall be addressed.
The following policies may be among those considered:
In RMDS, the Board of Management is the data controller and the Principal is assigned the role of coordinating implementation of this Data Protection Policy and for ensuring that staff who handle or have access to personal data are familiar with their data protection responsibilities.
The following personnel have responsibility for implementing the Data Protection Policy:
Name and Responsibility
Board of Management: Data controller
Principal: Implementation of policy
Teaching staff: Awareness of responsibilities
Administrative staff: Security, confidentiality
ICT personnel: Security, encryption, confidentiality
When the Data Protection Policy has been ratified by the Board of Management, it becomes the school's agreed Data Protection Policy. The entire staff must be familiar with the Data Protection Policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on pupils, staff and others in the school community.
Parents/guardians and pupils should be informed of the Data Protection Policy from the time of enrolment of the pupil, for example, by including the Data Protection Policy as part of the enrolment pack, or by enclosing it or incorporating it as an appendix to the enrolment form.
The implementation of the policy shall be monitored by the Principal and the Board of Management.
The policy shall be reviewed and evaluated at certain times and as necessary. Ongoing review and evaluation shall take cognisance of changing information or guidelines, for example, from the Data Protection Commissioner, Department of Education and Skills or the NEWB, legislation and feedback from parents/guardians, pupils, school staff and others. The policy shall be revised as necessary following such reviews / evaluation and, also, within the framework of school planning.
Signed: Will Connor
Chair of RMDS Board of Management
Date: April 2021
Appendix A: Data Protection (Location and Storage of Records)
|Aladdin||Aladdin is the school’s official digital depository. A GDPR-compliant data processing agreement with Aladdin has been signed and is available on request. Access to Aladdin is password protected and staff only have access to data which is relevant to their work.|
|DATA COLLECTED||NATURE OF DATA||STORAGE/ACCESS|
|SECTION 1||DATA AND THE SCHOOL OFFICE|
|Pupil enrolment information||This includes name, address, date of birth, PPS number, details of parents/ guardians – home address, email address, phone number, medical information, religion, ethnicity||Enrolment form – completed online
Aladdin (permissions set for access to data)
Personal data collected and stored on Aladdin
Hard copy on pupil’s file
Archived material in secure storage
Medical information shared with school staff when necessary and with medical personnel in emergency situation. Could be shared with NCSE with permission of parents
|Standardised test results||Aladdin
Shared with parents in all class reports and with DES in 2nd, 4th & 6th
|Updating Contacts and Permissions Form||The data here is submitted on an annual basis to the school for the purposes of safety re dropping to and collecting from school, access to children by parents/guardians and nominated others, and updates to parents’/guardians’ permissions for various school protocols (trips) and medical updates.||This data is retained for the full duration of the child’s time in school.
Parents are requested to update this information during their time in school using hard copies and Aladdin Connect
|Financial Information||Account files
|Electronic files (access is password protected) and hard copies
Paper copies – stored in locked cabinet
|Service Providers: repairs, builders, maintenance contractors, tradespeople||Names, addresses, phone numbers, email addresses||Electronic database – shared with principal
Kept on file for future use
|School supplies, company representatives||Names, addresses, phone numbers, email addresses||Shared with staff|
|Data Processor e.g. school admin software, school accounting, school photographer||Names, addresses, phone numbers, email addresses||Electronic and / or hard copy files
Shared with principal
Kept as long as data is processed on behalf of BoM
|Emergency services – Garda (including Community Garda), fire brigade||Phone numbers of local services||Shared with principal and staff|
|SECTION 2||DATA AND THE PRINCIPAL|
|Teacher / employee data||The school holds teacher, ISA and all employee data in hardcopy files. Data for teachers and ISAs is also inputted into the OLCS system. The data collected are all necessary for the governance of the school in keeping with BOM governance protocols. These include:
On a voluntary basis staff members may also provide their bank details (for the purposes of remuneration and refund of expenses)
|The hardcopy files are kept in a locked cabinet in the principal’s office. Only personnel who are authorized to use the data can access the data. Employees are required to maintain the confidentiality of any data to which they have access.
Some information is held on Aladdin
Shared with DES and BoM
Information on accidents may be shared with medical personnel, school insurers, HSA
|The Principal and Deputy Principal are authorised approvers of all school data held on the DES’s OLCS system||This access is password protected for Principal and Deputy Principal as approvers, and for the secretary as data inputter.|
|Pupil Data||Pupils’ psychological and other assessments – occupational therapist, speech and language therapist, psychiatrist||Locked filing cabinet, copy kept in locked filing cabinet in secure room
Shared with NCSE, DES with parental permission
|Irish exemptions||Locked filing cabinet|
|Legal / custody orders||Locked filing cabinet|
|Child protection files||Details recorded at time of concern, Locked filing cabinet, identified using code kept in separate locked drawer
Shared with Túsla if considered to reach threshold (advice may be sought), Garda in emergency situation, parents/ guardians
|Accident forms||Recorded in yard book and on Aladdin. Serious incidents are recorded in the accident book in the office.|
|Yard incidents||Recorded in yard book and Aladdin; more serious incidents reported to principal
Shared with parents/ guardians and when necessary: medical personnel, insurers, HSA
|Correspondence and meetings with parents/ guardians||Pupil’s file – hard copy and / or electronic file|
|BoM members||Names, email addresses||Electronic file
Shared with: Patron, Charities Regulator, DES
|SECTION 3||DATA AND TEACHERS|
|Teachers and Aladdin||Teachers’ records; Pupil progress report card, attendance, relevant medical information and standardised test scores on Aladdin.
SETs record IEPs on Aladdin
|Aladdin - Teachers should not divulge their Aladdin password to any other person, and passwords should not be stored by default on the class computer. Aladdin should be closed down when not in use.
Hard copies of school reports are also stored in the child’s individual file in the locked filing cabinet and archived under the stairs when the child leaves the school.
Shared with parents
Data such as standardised test results shared with school to which pupils transfer
Data can be shared with NCSE and DES with parental permission
Roll books are no longer used but used roll books kept in secure storage
|Any documentation generated by a teacher, or shared with the teacher by a parent / guardian, that refers to issues of a medical nature or school attendance should be kept on the child’s file in a locked filing cabinet.
Reports concerning child protection concerns remain in principal’s office
|Relevant documentation is accessed by staff as necessary. Children’s files are archived when the child leaves the school.|
|Correspondence between teachers and parents/ guardians on educational matters||Most communication is electronic; when deemed necessary, it is added to the pupil file||Shared with principal and BoM when deemed necessary – kept until issue is dealt with|
|Record of complaints made by parents / guardians||Securely stored
Shared with BoM, school insurers and legal advisor when deemed necessary
|Pupils’ Support Plans||Produced by support teacher in collaboration with parents and class teacher||Recorded on Aladdin – hard copies in pupil’s file|
|Medical Files||Medical Files are kept in the child’s individual file in the classroom. This is shared with staff as necessary.||Archived material is locked under the stairs.|
|Teaching/Learning data and ICT||When the teacher is setting up ICT programmes (e.g. Reading Eggs/Matific) she/he should establish a coded or school-generated identity that will be deleted and disposed of once the programme has been completed. Teachers shall ensure that they do not cause or facilitate the children in inputting any data to third-party sources that are personal or identifying.|
|Website and social media||No personal data of any child in the school community ever to be shared or posted - SEE AUP||
|SECTION 4||DATA AND ANAs|
|ISAs keep a digital journal or hard copy for recording of incidents, observations and reflections but these entries are understood as aide memoires. Any important or ongoing concern recorded in this aide memoire should be brought to the principal for formal discussion and recording. The ISA’s journal should be stored securely and handed to the Principal at the end of the school year and archived securely.||Formal records in journals or on school templates or NCSE templates recorded by the ISA are handed to the school Principal at the end of the year for storing and archiving. These records are kept indefinitely.
|SECTION 5||DATA AND BOARD OF MANAGEMENT||Location:|
|The BOM documents are stored securely. Hard copies of the minutes are stored securely.||Manual records are stored securely|
|Staff Training||The BOM authorises the principal to direct all staff to undergo training and briefings on data protection on an ongoing basis, and breaches of GDPR will be dealt with under the school’s Complaint and Grievance procedure|
|The financial records of the school are treated as confidential and are only disclosed to the school’s authorised accountant.||Stored securely
Annual audited accounts to be kept indefinitely
|SECTION 6||DATA AND OTHER AGENCIES|
|Tusla and Tusla authorised services, Garda, Revenue Commissioners, Department of Social Protection, Applications on foot of court order||The school will comply fully with all authorised and lawful requests from these statutory agencies||All correspondence relating to these matters will remain in a locked cabinet
Emails of a confidential nature are printed and kept in a locked cabinet
|Family Solicitors||Requests for school data from a family solicitor, whether via a parent/guardian, or independently delivered to the school, will be dealt with on a case by case basis and may require legal advice or consultation with the National Data Protection Office.||All correspondence relating to these matters will be stored securely|
Public Relation Exercises,
Student teachers/TY and ANA students
|The principal, in consultation with the Board when deemed necessary, will on an ongoing basis approve research projects, public relations exercises and access to the school by student-teachers, TY and ISA students etc. which are deemed to be of benefit to the school community. The principal will inform the parents/guardians of such placements.||When engaging in these projects, the principal will ensure the highest ethical standards apply and that there is no potential harm and indeed a particular educational gain for the school community.|
|HSE and private health professionals||Any data requested by a health professional can only be released with the explicit permission of the child’s parent.|
|Community Organisations||Community organisations may not collect data from children on their visits to the school, nor will the school facilitate the sharing of any such data.|
|Department of Education and Skills and DES officers||The DES is the Data Protection controller of the POD and OLCS systems, and is responsible for any breaches of this data. The school complies with any sharing of data to the Inspectorate that may arise during school evaluation (e.g. access to IEPs, teacher-folders, anti-bullying data, child safeguarding data etc.)|
Child - a person under the age of 18 years. Children are deemed as vulnerable under GDPR and merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Controller or Data Controller - an entity or person who, alone or jointly with others, determines the purposes and means of the processing of personal data. In this policy, the data controller is the School.
Consent - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Protection Commission - the national supervisory authority responsible for monitoring and enforcing the data protection legislation within Ireland. The DPC is the organisation to which schools as data controllers must notify data breaches where there is risk involved.
Data Protection Legislation – this includes (i) the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and (ii) the Irish Data Protection Act (2018). GDPR is set out in 99 separate Articles, each of which provides a statement of the actual law. The regulation also includes 171 Recitals to provide explanatory commentary.
Data Subject - a living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
Data concerning health - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. This is an example of special category data (as is data concerning special education needs).
Personal data - any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor or Data Processor - a person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract (but does not include an employee of a controller who processes such data in the course of his or her employment).
Profiling - any form of automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.
(Relevant) Filing System - any set of information that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.
Special categories of data - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Appendix C: Implementing the Data Processing Principles
As part of its decision to collect, use or share personal data, the school as Controller will identify which of the lawful bases is applicable to each processing operation. In the absence of a lawful basis the personal data cannot be processed.
Where consent is relied upon as the appropriate condition for lawful processing, then that consent must be freely given, specific, informed and unambiguous. All of these conditions must be satisfied for consent to be considered valid. There are a significant number of restrictions around using consent.
Some personal data is defined as Special Category Data and the processing of such data is more strictly controlled. In a school context this will occur whenever data that relates to Special Needs or Medical Needs is being processed. GDPR Article 9 identifies a limited number of conditions, one of which must be applicable if the processing of special category data is to be lawful. Some of these processing conditions, those most relevant in the school context, are noted here.
The school as Controller is obliged to act with Transparency when processing personal data. This requires the communication of specific information to individuals in advance of any processing of their personal data.
As Controller, the school must ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In practice, this principle has a number of important implications illustrated in the examples below.
Personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which it is being processed. Some personal data may be stored for longer periods insofar as the data is being processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Whenever personal data is processed by the school, technical and organisational measures are implemented to safeguard the privacy of data subjects. The school as controller is obliged to take its security responsibilities seriously, employing the most appropriate physical and technical measures, including staff training and awareness. These security procedures should be subject to regular review.
Appendix D: Categories of Recipients
Department of Education and Skills (DES) - The school is required to provide student data to the Department of Education and Skills (DES). This transfer of data is primarily made at the beginning of each academic year (“October Returns”) using a secure Primary Online Database (POD) system. The October Returns contain individualised data such as PPS number which acts as an identifier to validate that the data belongs to a recognised student. The DES has published a “Fair Processing Notice” to explain how the personal data of students is processed.
Student support and welfare - student data may be shared with a number of public state bodies including National Educational Psychological Service (NEPS psychologists support schools and students); National Council for Special Education (the NCSE role is to support schools and students with special education needs); National Education Welfare Board (the school is required to share student attendance with the NEWB).
Legal requirements - where appropriate, particularly in relation to Child Protection and safeguarding issues, the school may be obliged to seek advice and/or make referrals to Tusla. The school may share personal data with An Garda Síochána where concerns arise in relation to child protection. The school will also report matters of alleged criminal acts, criminal behaviour, criminal damage, etc., to allow prevention, detection and investigation of offences. Where there is a lawful basis for doing so, personal data may also be shared with the Revenue Commissioners and the Workplace Relations Commission.
Insurance - data may be shared with the school’s insurers where this is appropriate and proportionate. The school may also be obliged to share personal data with the Health and Safety Authority, for example, where this is required as part of an accident investigation.
Professional Advisors - some data may be shared with legal advisors (solicitors, etc.), financial advisors (pension administrators, accountants, etc.) and others such as school management advisors; this processing will only take place where it is considered appropriate, necessary and lawful.
Other schools and Universities/Colleges/Institutes - where the student transfers to another educational body, or goes on an exchange programme or similar, the school may be asked to supply certain information about the student, such as academic record, references, etc.
Voluntary Bodies - some personal data may be shared as appropriate with bodies such as the school’s Parents Association. This data sharing will only take place where consent has been provided.
Other not-for-profit organisations - limited data may be shared with recognised bodies who act to promote student engagement with co-curricular and other activities, competitions, recognition of achievements, etc. This would include bodies promoting participation in sports, arts, sciences, environmental and outdoor activities, etc. This data sharing will usually be based on consent.
Service Providers - in some circumstances the school has appointed third parties to undertake processing activities on its behalf. These Data Processors have provided guarantees that their processing satisfies the requirements of the General Data Protection Regulation. The school has implemented written contractual agreements with these entities to ensure that the rights of data subjects receive an appropriate level of protection. Third party service providers include the following categories:
Transfers Abroad - In the event that personal data may be transferred outside the European Economic Area (EEA) the school will ensure that any such transfer, and any subsequent processing, is carried out in strict compliance with recognised safeguards or derogations (i.e., those approved by the Irish Data Protection Commission).
Appendix E: Reference sites
Data Protection Act 2018 http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html
General Data Protection Regulation (GDPR official text) 2016 https://eur-lex.europa.eu/eli/reg/2016/679/oj
General Data Protection Regulation (GDPR unofficial web version) 2016 https://gdpr-info.eu/
GDPR for Schools website https://gdpr4schools.ie/
Data Protection for Schools http://dataprotectionschools.ie/en/
Irish Data Protection Commission https://www.dataprotection.ie/
Data Breach Report https://forms.dataprotection.ie/report-a-breach-of-personal-data
European Data Protection Board (EDPB) https://edpb.europa.eu/
EDPB Guidelines, Recommendations and Best Practices on GDPR https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
PDST Technology in Education https://www.pdsttechnologyineducation.ie
Cyber Security Centre (Ireland) https://www.ncsc.gov.ie/