Data Protection Policy

Bishopsland Educational Trust, September 2021

The Data Protection Act 2018 (DPA) sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK – for example by providing exemptions.

The Data Protection Act 2018 regulates the use of automatically processed information relating to individuals and the provision of services in respect of such information. Bishopsland Educational Trust (BET) is a not-for-profit organisation that does not make a profit other than to offset the costs of its charitable activity and is fully compliant with the DPA. The following policy sets out BET’s commitment to good practice.

Everyone sent an email campaign has the option to unsubscribe if the information has been sent by email; for updates sent to Friends of Bishopsland, the charity’s address is on the Assistant Administrator’s email signature.

This Policy covers all four of the relevant Codes and relates to all personal information that is or will be held electronically or recorded in a filing system:

  • Recruitment and selection – dealing with job applications

  • Records – dealing with the collection, storage, disclosure and deletion of personal records

  • Information about staff health – dealing with occupational health, medical testing, drug and genetic testing

The extent of Policy Coverage

This policy covers job applicants (successful and unsuccessful), freelance and PAYE staff (current and former), contract staff (current and former), and year group on the Programme.

Information covered by the Policy

  • Personal information – information which relates to a living person, and identifies an individual. Examples would be: details of an individual’s salary, or an email about an incident involving a named employee

  • Sensitive information – concerning an individual’s ethnic origin; political opinions; religious beliefs; trade union membership; physical or mental health or condition; sexual life; committing or alleged committing of any offence

  • Processing – personal information that is subject to processing, e.g. activity concerned with obtaining, retaining, accessing, disclosure and disposal of information

Compliance with Sensitive Data Rules

Where information about someone’s health is to be processed, BET will ensure that one of the Act’s sensitive data conditions as listed below is satisfied:

  • that the processing is necessary to enable the Trust to meet legal obligations

  • that the processing is for medical purposes and undertaken by a health professional

  • that the person has given consent explicitly to the processing of their medical information

Standards

  • BET will consult employees about practices and procedures that involve them.

  • BET will ensure that staff who process information about other people understand their data protection responsibilities and, if necessary, amend their working practices.

  • BET will assess what personal information about employees exists and who is responsible for it.

  • BET will eliminate the collection of irrelevant or excessive personal information.

  • BET will ensure that staff are aware of the consequences of unauthorised disclosure of personal information. Serious breaches of data protection rules will constitute a disciplinary matter.

 

1. Recruitment and Selection covering job applications and pre-employment vetting

a) Managing Data protection

  • The Board of Trustees has overall responsibility for compliance and the Company Secretary is accountable to the Board of Trustees for ensuring that compliance is met.

  • All staff who process information about applicants and employees will be trained to understand their data protection responsibilities.

  • A regular (annual) assessment will be undertaken on what personal data is held, where it is held and whether it should be kept or eliminated. If sensitive personal data is collected, a check will be made to ensure that the Sensitive Data Rules are met (see above).

b) Advertising

  • Applicants responding to advertisements will be informed of BET’s name, as employer, and how the information they provide with their application will be treated.

c) Applications

  • Application forms or application guidance will state to whom the information is being provided, how it will be used and – if that is to be verified – how that will be verified.

  • Only information which is relevant to the recruitment decision will be sought, and information on criminal convictions will be requested only if justified by the role.

d) Verification

  • Whether and how verification will take place will be explained to the applicant beforehand.

  • If information or documents are required from a third party, the applicant will be asked to give that information with their prior consent.

  • Should any checks produce discrepancies, the applicant will be given an opportunity to make representations.

e) Interviews

  • BET will ensure that only information necessary to the recruitment process is recorded and retained following interview.

g) Retention of Recruitment Records

  • Recruitment records will not be retained for any longer than is necessary. A record of the result may be retained.

  • Information regarding criminal records will be deleted unless in exceptional circumstances the information is relevant to the on-going employment relationship.

  • Unsuccessful applicants whose recruitment information is to be kept will be informed of this fact and their details deleted once the recruitment process is completed.

 

2. Records covering collection, storage, disclosure and deletion of records

a) Managing Data Protection

  • The Company Secretary, reporting to the Board of Trustees, has overall responsibility for compliance.

  • All staff who process information about employees and other private individuals will be trained to understand their data protection responsibilities.

  • An annual assessment will be undertaken on what personal data is held, where it is held, whether it should be kept or eliminated.

b) Collecting and Keeping Records

  • BET will ensure that people are aware of the type and source of information kept about them, how it will be used and that it will not be disclosed to others except in the course of BET work.

c) Security

  • BET will ensure secure and confidential storage of manual and electronic files and that staff who have access to personal records understand and recognise this.

d) Staff Sickness and Accident Records

  • Sickness and accident records (recording details of an illness) for members of staff will be kept separately from staff absence records. Access to sickness and accident records will only be available to those staff who require the information to carry out their management role.

e) Recruitment – Reference Requests

  • BET’s recruitment process may require up to 3 references, details to be supplied by the applicant. BET will establish, prior to the ending of a member of staff’s employment, whether or not that person wishes references to be provided by BET thereafter.

f) Requests to BET from third parties to disclose information

  • When receiving a request from a third party for a member of staff’s or other person’s details, BET will not disclose those details unless under a legal obligation to do so. Confidential information about staff will only be disclosed when the member of staff has given their prior consent.

g) Discipline, grievance and dismissal

  • BET outlines clear procedures on how ‘spent’ disciplinary records are handled within its Grievance and Disciplinary Policy.

h) Retention of records

  • BET will ensure that personal data is not kept for longer than is necessary. Information will not be kept merely because it might be useful one day. All information to be disposed of will be securely destroyed.

 

3. Information about Staff Health

a) Compliance with Sensitive Data Rules
Where information about an employee’s health is to be processed, the Company Secretary (CS) will check that one of the Act’s sensitive data conditions is satisfied, as follows:

  • that the processing is necessary to enable SPPHPT to meet its legal obligations

  • that the processing is for medical purposes and undertaken by a health professional

  • that the processing is in connection with legal proceedings.

  • that the employee has given consent explicitly to the processing of their medical information

b) Impact Assessments

  • Once a sensitive data condition is satisfied, the CS will assess whether the benefits of gaining the information justify the privacy intrusion or has any other adverse impact on the employee.

c) Good Practice

BET will uphold and work to maintain the following general principles:

  • The CS and/or Chair will authorise or carry out the collection of information about employees’ health and ensure they are aware of their responsibilities under the Act.

  • If medical information is to be collected, ensure a sensitive data condition has been satisfied.

  • Identify clearly the purposes behind the collection of information about employees’ health and the specific business benefits which it is likely to bring.

  • Protect information about employees’ health with appropriate security measures. Ensure that wherever practicable only health professionals have access to medical details about employees.

  • Collect no more information than necessary for the purpose(s) behind the collection.

Management and updating of this policy
The Vice Principal and Finance Director are responsible for overseeing the effective management and day-to-day implementation of this policy by BET staff.