GDPR

General Data Protection Regulation (GDPR)

On 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European member states, including the United Kingdom, which will still be a member at that time.

The new Regulation will replace the Data Protection Act 1998 (DPA), which was developed at a time when most data processing was still paper-based. There was also a limited understanding of the impact that technology would have on the way we process data.

Data Controller

Ormiston Academies Trust is the organisation in charge of personal information (the Data Controller).

 The postal address of the Academy Trust is:

Ormiston Academies Trust

Ormiston House

144, Newall Street

Birmingham

B3 1RY

 The Data Protection Officer (DPO) for the Trust is James Miller. He can be contacted via [email protected] / 0121 262 4725

 The Data Protection Lead (DPL) at the Academy is Ro Johnson – Data and Admin Officer

Introduction

The purpose of the GDPR is to:

  • harmonise the EU’s laws surrounding data protection
  • protect all EU citizens’ data privacy
  • re-shape the way organisations across the region approach data privacy

In drafting it, the EU’s aim was to design it as a living document and future-proof the wording. They have also made it ‘technology neutral’ which means that the same regulatory principles apply regardless of the technology used.

If you hold information which falls within the scope of the Data Protection Act 1998, it will also fall within the scope of GDPR. The GDPR principles are similar to the DPA, but there is a new accountability requirement – you will have to demonstrate how you comply.

Terminology

The following terminology will be used in this course.

Data subject means the person whose personal data is being processed.

Personal data means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking sites or a computer IP address. Sensitive personal data includes information about racial or ethnic origin, political opinions, medical information and genetic and biometric data where it is used to uniquely identify an individual.

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be processed.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Processing information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organising, adapting, or altering it
  • retrieving, consulting, or using the information or data
  • disclosing the information or data by transmission, dissemination, or otherwise making it available
  • aligning, combining, blocking, erasing, or destroying the information or data

Data Protection Policies

The Privacy Notice for Pupils/Parents, detailing how we use information and what we do with it, can be found by clicking here.
