The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 came into force on 25 May 2018. They are new data protection laws designed to keep people’s personal information safe.
Our academy is part of Northern Education Trust (the Trust) and the Trust is the data controller of the personal information you provide in relation to your employment. This means the Trust determines how and why we collect and use your personal data. We may hold your personal information on paper, electronically or otherwise.
Under the new law, we must tell you:
This privacy notice explains how we collect, store and use personal data about individuals we employ, or otherwise engage, to work within the Trust.
Which data do we collect?
We process personal data relating to those who work in the Trust. The personal information that the Trust collects, holds and shares includes, but is not limited to, the following:
We may also collect, store and use information about you that is classed as special category personal data. This includes information about a person’s:
Criminal data is not included within the definition of special categories of data but we will process criminal data using the same safeguards we operate in respect of special categories of data.
Ensuring your personal data is accurate
We will keep the personal data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data immediately. Please tell us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. We will also contact you if we become aware of any event that is likely to result in a change to your personal data.
Why do we collect it?
The law requires us to collect and process employees’ personal data. The purpose of processing your personal data is to enable us to run the Trust, which includes:
If you fail to provide us with certain personal data, you may not be paid and the Trust may not be able to comply with its statutory obligations.
We will only process your personal data to the extent that it is necessary for the specific purposes we tell you about. Whenever we collect information from you, we will tell you if you must provide the information or if you can choose not to do so.
Our lawful basis for processing your personal data
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:
Less commonly, we may also use personal information about you where:
Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds that justify the Trust’s use of your personal data.
We will only process special category personal data where a further processing condition is met. Usually this will mean that:
What are our legitimate interests (or the legitimate interests of a third party)?
We consider that in some circumstances, the processing of your personal data is necessary for our (or a third party’s) legitimate interests, which include:
Profiling and automated processing
The processing of your personal data may include profiling. Examples of profiling may include the monitoring and analysis of emails you send and receive using a Trust email account (including the patterns of use of emails and their content), or the monitoring and analysis of websites that you visit whilst at work. We use software to perform this task and the software is capable of sending alerts to managers when certain thresholds are met, for example attempts to access inappropriate websites or emails sent with inappropriate content. Such alerts may be used to consider disciplinary action but the decision will be taken by a senior manager based on all available evidence.
Storing your personal data
We will ensure we take appropriate steps against unlawful or unauthorised processing of your personal data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction or deletion. We will only transfer personal data to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
Who do we share data with?
We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data or we are required to provide the personal data by law. Where we do disclose your personal data to a third party, we will have regard to the data protection principles.
Northern Education Trust is required to share data with the Department for Education. This includes personal and special category data relating to all staff in academies, including their characteristics, pay and sickness absence information. To find out more about the data collection requirements placed on us by the DfE (for example, via the school census), go to https://www.gov.uk/government/publications/school-workforce-census-2017-guides
We share your data with HMRC in the form of statutory tax and national insurance returns. We also share your data with Gateshead Metropolitan Borough Council as they deliver our payroll service.
We sometimes need to share information with other organisations that provide systems for managing data and information within Academies. Where this is the case, those organisations will act as Data Processors on behalf of Northern Education Trust and they will need to comply with all current Data Protection legislation to keep personal information safe.
If we provide your personal data to any third parties, you are entitled to request details of the recipients of your personal data or the categories of recipients of your personal data.
Transferring personal data internationally
We will not transfer your personal data outside the European Economic Area (“EEA”) unless such transfer is compliant with the GDPR. This means that we cannot transfer any of your personal data outside the EEA unless:
We may occasionally transfer personal data outside the EEA as some personal data is stored on cloud systems, the servers for which are based outside the EEA.
How long will we keep information for?
We keep information on computer systems and in paper files. We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that we will destroy or erase data from our systems when it is no longer required. We use the Information and Records Management Society Toolkit to determine how long we keep records. You can download a copy here.
What are your rights?
The GDPR provides the following rights for individuals:
Your right to object
You have the right to object, at any time, to the processing of your personal data which is necessary for:
If you object to the processing set out above, we must no longer process that personal data unless we can demonstrate:
For more information on your rights, please see the Information Commissioner’s Website.
Breaches of data protection principles
If you consider that the data protection principles have not been followed in respect of personal data about yourself or others, you should raise the matter with your line manager. Any breach of the GDPR will be taken seriously and may result in disciplinary action being taken.
If you have any questions or concerns relating to how we collect and use your information, please contact us.
If you are unhappy with the response, you can contact Northern Education Trust’s Data Protection Officer:
Northern Education Trust
Cobalt Business Exchange Central, Unit 5, Silver Fox Way, Cobalt Business Park
Newcastle upon Tyne
+44 (0)191 594 5070
You have the right to lodge a complaint with a supervisory authority. Please contact:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number