Friday, 29 May 2020 10:30

General Data Protection Regulations (GDPR)

Fair Processing Notice

This policy is to let you know how the Derby Diocesan Board of Education ('the DDBE', 'we', 'us' or 'our') will collect, use and process personal data.

You can download a PDF copy here.

It is also designed to let you know your rights and what you can do if you have questions about personal data.

The DDBE is the controller for the purposes of data protection laws.

This document sets out the types of personal data (meaning information about an individual from which that individual can be personally identified) we handle, the purposes of handling those personal data and any recipients of it.

You can also download our GDPR General Policy [PDF] and our Subject Access Request Form [PDF]
1. Our details

We are: Derby Diocesan Board of Education Address: Derby Diocesan Board of Education, Church House, Full Street, Derby, Derbyshire, DE1 3DR Web site: http://derby.anglican.org/education/
Information Commissioner's Office Registration Number: Z7571311
Our Data Protection Officer is: Jason Hampton and their contact details are:   ddatadmin@derby.anglican.org


2. Why we collect data

We collect and hold personal information relating to our members, volunteers, employees, trustees/ directors and others.  

We may share personal data with other agencies as necessary under our legal duties or otherwise in accordance with our duties/obligations as a DDBE.

Whilst the majority of personal data we are provided with or collect is mandatory, some of it is provided to us on a voluntary basis.  We will inform you whether you are required to provide certain information to us or if you have a choice in this.

Below are set out the reasons why we collect and process personal data, as well as the legal basis on which we carry out this processing:

  • to promote and assist in the promotion of Christian education and training in the diocese which is consistent with the faith and practice of the Church of England: we will process personal data to enable us to provide a service for the benefit of education within the Diocese of Derby, to promote church schools in the diocese and to advise governors of such schools. 
  • to enable and support the work of Church of England schools within the diocese: we will process personal data to appoint officers to support the work of church schools, children’s and youth work in the parish and the development of the ministry of lay people.

We will process personal data to appoint staff for the officers and to retain the services of a finance officer.

  • assess the quality of our services: we will process personal data so that we may reflect on our own practices to help us improve and provide the highest quality service that we can to all Church of England schools.  
  • to promote and protect health and safety: in order to protect volunteers and staff in their involvement at the DDBE, we must process Personal Data relating to matters such as incidents and responses to incidents.
  • to enable individuals to be paid: to assist in the running of the DDBE and to enable individuals to be paid, we will process Personal Data of those employed to work at the DDBE.
  • to assist with the continuing development of our recruitment and retention policies and practices: to enable us to better our recruitment and retention policies and practices, we will process Personal Data of those currently employed by the DDBE.
  • to develop our understanding of our workforce and how employees are deployed:  to help us create a fully informed, comprehensive picture of the make-up of our workforce and how each employee is utilised as a member of our workforce, we will process Personal Data of those employed to teach or otherwise engaged to work at the DDBE.

3. Legal basis for processing

The lawful basis for us to collect/process this personal data is in order to promote or assist in the promotion of education for the public benefit in the diocese in accordance with statute law (such as the Education Act 1996, the Diocesan Boards of Education Measure 1991 and other legislation), our memorandum and articles of association and other guidance provided for in law.

We process personal data where processing is necessary for the performance of tasks carried out in the public interest. It is in the public interest to offer activities such as youth clubs with both church and school groups to benefit the personal, spiritual and academic growth of children within the diocese.

An additional lawful basis for us to collect/process employees' personal data is by reason of necessity for the performance of a contract of employment to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade  union aim provided that the processing relates only to members or former members (or those  who have regular contact with it in connection with those purposes) and there is no disclosure to a third party without consent except as set out set out in 5 below.

We do not process any special categories of personal data except where necessary for reasons of substantial public interest in complying with legal obligations including under the Equality Act 2010 or where necessary to protect the vital interests of the data subject or of another natural person and where safeguards are in place to ensure that this personal data is kept secure.  For the avoidance of doubt where special categories of personal data are collected it shall not be used for the purposes of automated decision making and/or profiling.

Special categories of data means personal data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs or trade union membership; 
  • genetic or biometric data that uniquely identifies you; 
  • data concerning your health, sex life or sexual orientation; or 
  • data relating to criminal convictions or offences or related security measures.

Further personal data including special categories of personal ata may be collected and/or processed where consent has been given If consent is the only legal basis for processing and has been given then this may be revoked in which case the personal data will no longer collected/processed.


4. Categories of information we collect

We may collect the following types of personal data (please note this list does not include every type of personal data and may be updated from time to time):

  • name and contact details;
  • date of birth; 
  • national insurance number; 
  • health and/or other medical information; 
  • information in connection with education (included but not limited to unique pupil numbers, test results, post 16 learning information and other records); 
  • information received in connection with any complaint; 
  • personal characteristics, such as: 
    • their nationality and ethnic group;
    • their religion;
    • their first-language;
    • any special educational needs they may have;
    • any relevant protected characteristics.
  • employees' qualifications and contractual information, such as:
    • right to work information;
    • employee position and/or role; 
    • salary; 
    • employment start date; 
    • remuneration details (including national insurance and other financial details).


5. Who will have access to your data

Personal data will be accessible by members of staff.  Where necessary, volunteers, trustees/ directors and governors will also have access to personal data.

We will not share information with third parties without consent unless we are required to do so by law or our policies.

We will disclose personal data to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
  • in order to enforce any agreements with you;
  • in order to perform contracts with third party suppliers. Our third party suppliers include:
    • The Derby Diocesan Board of Finance Ltd
    • Derby Diocesan Academy Trust o Derby Diocesan Academy Trust 2
    • Derby City Council
    • Derbyshire County Council
    • Ecclesiastical Insurance Group plc 
    • FFT Education Limited
    • Geldards LLP
    • Google LLC
    • HBP Systems Ltd 
    • IRIS Software Group Ltd  
    • Lee Bolton Monier-Williams 
    • Mazars LLP 
    • Microsoft 
    • Milner Commercial Property Limited 
    • J H Powell & Co 
    • Strictly Education Ltd 
    • The Peak Centre at Champion House 
    • YMD Boon Ltd
  • to protect the rights, property, or safety of the DDBE, or others.  This includes exchanging information with other organisations for the purposes of child welfare.

The above listed third party suppliers will process data on our behalf.  Therefore, we investigate these third party suppliers to ensure their compliance with relevant data protection laws and specify their obligations in written contracts.


6. How data will be processed

Personal data may be processed in a variety of ways; this will include but is not limited to:

  • maintaining written records for educational or employment purposes; 
  • medical or allergy information displays; 
  • identification; 
  • sending by e-mail; 
  • adding to spreadsheets, word documents or similar for the purposes of assessing personal data.


7. Where we store data and how we keep data secure 

Paper copies of personal data are kept securely at the DDBE; for example, in secure filing cabinets.

Electronic copies of personal data are kept securely and information will only be processed where we are satisfied that it is reasonably secure.

All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential.  You must not share your password with anyone.

When giving personal data to third parties (for example, software providers) it is possible that this personal data could be stored in a location outside of the European Economic Area. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this privacy policy. In particular, any transfer of your personal data made by us to a location outside of the EEA will be governed by clauses in a written contract in order to keep these secure.


8. Retention periods

We will only retain personal data for as long as is necessary to achieve the purposes for which they were originally collected. 

As a general rule, personal data will be kept for the entire period that an employee is employed at the DDBE. 

Other records (for example, safeguarding or in relation to special educational needs) will be kept for longer in accordance with guidance from the Information and Records Management Society. 

Further information on retention periods can be obtained by contacting us via the details in Section 1 of this Notice.

Once the retention period concludes the data is securely and safely destroyed/ deleted.


9. Your data rights 

The General Data Protection Regulation and associated law gives you rights in relation to personal data held about you. These are:

  • Right to be informed: you have the right to be informed about the collection and use of your data. This policy contains information in relation to the collection of your Personal Data, however, if we collect additional data for other purposes, we will inform you about this. 
  • Right of Access: if your personal data is held by the DDBE, you are entitled to access your personal data (unless an exception applies) by submitting a written request. We will aim respond to that request within one month. If responding to your request will take longer than a month, or we consider that an exception applies, then we will let you know. You are entitled to access the personal data described in Section 10.
  • Right of Rectification: you have the right to require us to rectify any inaccurate personal data we hold about you. You also have the right to have incomplete personal data we hold about you completed. If you have any concerns about the accuracy of personal data that we hold then please contact us.
  • Right to Restriction: you have the right to restrict the manner in which we can process personal data where:
    • the accuracy of the personal data is being contested by you; 
    • the processing of your personal data is unlawful, but you do not want the relevant personal data to be erased; or 
    • we no longer need to process your personal data for the agreed purposes, but you want to preserve your personal data for the establishment, exercise or defence of legal claims.

Where any exercise by you of your right to restriction determines that our processing of particular personal data are to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.

  • Right to Erasure: you have the right to require we erase your personal data which we are processing where one of the following grounds applies:
    • the processing is no longer necessary in relation to the purposes for which your personal data were collected or otherwise processed;
    • our processing of your personal data is based on your consent, you have subsequently withdrawn that consent and there is no other legal ground we can use to process your personal data; 
    • the personal data have been unlawfully processed; and 
    • the erasure is required for compliance with a law to which we are subject.
  • Right to Data Portability: you have the right to receive your personal data in a format that can be transferred. We will normally supply personal data in the form of e-mails or other mainstream software files. If you want to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format, please contact us via the details in Section 1 of this Notice.
  • Right to object: you have the right to object to the processing of your Personal Data where one of the following grounds apply: 
    • the processing is based on legitimate interests or the performance of a task in the public interest; 
    • the processing is for direct marketing; or  
    • the processing is for the purposes of scientific/ historical research and statistics.

You can find out more about the way these rights work from the website of the Information Commissioner's Office (ICO).


10. Requesting your data
Where the DDBE holds personal data concerning you, you are entitled to access that personal data and the following information (unless an exception applies):
  • a copy of the personal data we hold concerning you, provided by the DDBE;
  • details of why we hold that personal data; 
  • details of the categories of that personal data;
  • details of the envisaged period for which that personal data will be stored, if possible;
  • information as to the source of personal data where that personal data was not collected from you personally.

If you want to receive a copy of the information about your son/daughter that we hold, please contact us via the details in Section 1 of this Notice.


11 Making a complaint

If you are unhappy with the way we have dealt with any of your concerns, you can make a complaint to the ICO, the supervisory authority for data protection issues in England and Wales. 

We would recommend that you complain to us in the first instance, but if you wish to contact the ICO on the details you can do so on the details below. 

The ICO is a wholly independent regulator established in order to enforce data protection law.

ICO Concerns website: www.ico.org.uk/concerns

ICO Helpline:    0303 123 1113

ICO Email:   casework@ico.org.uk

ICO Postal Address:  Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF


12. Changes to this notice

Any changes we make to this notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.
This privacy notice was last updated on 24th May 2018

Last modified on Friday, 29 May 2020 11:48