The General Data Protection Review
Changes in legislation came into force on the 25th May 2018. Many of the main concepts and principles have remained the same, but there are new elements and significant enhancements.
Key GDPR definitions
It is useful to understand a few key terms.
Data Protection Officer
The data protection officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable. They will provide an annual report of their activities directly to the governing board and, where relevant, report to the board their advice and recommendations on school data protection issues. The DPO is also the first point of contact for individuals whose data the school processes, and for the ICO. Full details of the DPO’s responsibilities are set out in their job description.
Our DPO is Mr Ian Hampson (School Support Officer - Northumberland County Council) and is contactable via the school office.
Personal data is information about a living person. This includes names, addresses, health information, and so on. It covers any information that can be linked to a living person, such as email addresses and ID numbers. Some personal data is called ‘special category data’, which refers to sensitive types of information about things like health, ethnicity, religion, etc.
Data subjects are living people. The GDPR isn’t interested in data about companies or dead people.
Processing is nearly anything you do with personal data. This includes things like storing it somewhere, putting bits of data together (like recording marks next to a student’s name), entering the data into a spreadsheet and deleting the data. The GDPR is only interested in data processing activities relating to personal data.
Controllers are the organisations that use the personal data. They are responsible for deciding what to do with the personal data and how to process it to achieve that. Nearly every organisation is a controller because they have data about their employees. A lot of organisations are controllers because they want to process the personal data of other people. Schools are controllers because they want to process the personal data of staff and students.
Processors are organisations that do processing on behalf of a controller.