Design note 4 - what do we mean?
In addition to the similarities between our new icon and the real Northern Lights, we particularly liked some of the themes the Northern Lights icon represented, namely:
To complement our dynamic new Northern Lights icon, we needed a strong colour palette and a confident, contemporary font.
The contrasting yet complementary colours in our logo symbolise our value of diversity and unity. We often talk about 'the same but different' at Beckfoot Trust to acknowledge that whilst we have a very clear One Trust identity and clarity on what remarkable means, we also know that one size does not always fit all.
Perhaps the most important part of our new Beckfoot Trust logo is the icon, shown to the right here.
We call it our Northern Lights.
In nature, the Northern Lights are seen as something unique and truly Remarkable that are associated with the North.
Our Northern Lights icon represents The Beckfoot Trust which is also on a constant journey to Remarkable and is strongly associated with the North of England.
As part of our ongoing Journey to Remarkable we felt it was important to give The Beckfoot Trust a strong, confident and contemporary logo and brand that was worthy of an organisation with such high standards and aspirations.
The new Trust logo was a departure from the previous logo style and was definitely designed with the future in mind.
Beckfoot Trust is required to keep and process certain information about its staff and students in accordance with its legal obligations under the General Data Protection Regulation (UKGDPR).
This policy is in place to ensure the Trust Board and all Trust staff are aware of their responsibilities and it outlines how the Trust and Trust schools comply with the following core principles of the UKGDPR.
Organisational and technical methods for keeping data secure are imperative, therefore Beckfoot Trust have implemented a Trust Privacy Compliance Framework – see Appendix 1.
This policy has due regard to legislation, including, but not limited to the following:
This policy will also have regard to guidance produced by the Information Commissioner’s Office (ICO).
This policy will be implemented in conjunction with the following Trust policies and procedures:
Beckfoot Trust and Trust schools are both a “Controller” and “Processor” of personal data. Beckfoot Trust are registered as a “Controller” with the Information Commissioner’s Office.
Applicable data
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual e.g. employee, job applicant, student, parent/carer, volunteer, contractor, freelancer, board member, and LSC member. The UKGDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria:-
In accordance with the requirements outlined in the UKGDPR, personal data must be:-
The UKGDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”. Beckfoot Trust is both a Data Controller and a Data Processor.
Beckfoot Trust, as a publicly funded organisation, has to appoint a Data Protection Officer (DPO); this is the Risk and Compliance Manager. Their duties will include:
The DPO will update Beckfoot Trust Board on UKGDPR compliance. UKGDPR compliance will be overseen by the Audit and Risk Committee.
The legal basis for processing data will be identified and documented prior to data being processed. Processing is the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation or use, disclosure, destruction or erasure of personal data.
Under the UKGDPR, data will be lawfully processed under the following conditions:
Special Categories of Data “Sensitive data” will only be processed under the following conditions:
Processing is necessary for:
| Consent must be: | Consent cannot be obtained from the following: |
| --- | --- |
| 1.0 Freely given (a positive indication) | 7.0 Silence |
| 2.0 Specific | 8.0 Pre-ticked boxes |
| 3.0 Informed | 9.0 Inactivity |
| 4.0 An unambiguous indication of an individual’s wishes | |
| 5.0 A form of firm confirmation or positive opt-in, such as ticking boxes on a webpage | |
| 6.0 Easily able to be withdrawn | |
Where consent is given, a record will be kept documenting how and when consent was given on student records and staff files or other storage mechanism. This information must be readily available for staff to check that consent has been obtained e.g. use of student photographs.
Beckfoot Trust and Trust schools must ensure that consent mechanisms meet the standards of the UKGDPR. Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease.
NOTE: Where processing is deemed to require “Consent”, Beckfoot Trust and Trust Schools are aware that this “Consent” can be withdrawn by the individual at any time. It is therefore extremely important that schools consider any processing activities whereby data is shared or processed and becomes outside the control of Beckfoot Trust and Trust schools; in these instances, specific “informed” consent will need to be obtained.
Where a child is under the age of 16 [or younger if the law provides it (up to the age of 13)], the consent of the parent/carer (person with legal responsibility/legal guardian) will be sought prior to the processing of their data, except where the processing is related to preventative or counselling services offered directly to a child.
The UKGDPR requires us to inform individuals if we collect, process, or share personal information about them. We are also required to share personal information about our staff or students with other organisations, mainly with the local authority, other schools, and educational bodies, and potentially children’s services and various contracted school services and systems.
We will issue Privacy Notices as outlined below. Copies can also be obtained on school websites and upon request from the school.
Beckfoot Trust adopt the DfE Model Privacy Notices for schools as the basis of our Privacy Notices and wherever possible will ensure that the privacy notice is written in a clear, plain manner.
Individuals have the right to obtain confirmation that their data is being processed and the right to submit a data subject access request (DSAR) to gain access to their personal data in order to verify the lawfulness of the processing or obtain copies of their records for other purposes.
Trust staff should follow the Trust Data Subject Access Request Procedure. See Flowchart at Appendix 2.
The Trust SharePoint Data Protection and UKGDPR Page has guidance for individuals wishing to make a data subject access request.
Although individuals are entitled to submit a DSAR to any member of staff, they should be made (if possible) to the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Responses to SARs shall normally be made within one calendar month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed. Any extension will be dependent upon the terms of the UKGDPR, the Data Protection Act (2018) and associated ICO guidance.
Individuals are entitled to have any inaccurate or incomplete personal data rectified and can do this through a request to the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444). Upon receiving a request for rectification, the Trust or Trust school should take the following action immediately:-
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If an individual wishes to exercise this right they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Individuals have the right to erasure in the following circumstances:
The school has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
Individuals have the right to block or suppress the Trust or Trust school’s processing of personal data. If an individual wishes to exercise this right, they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Such a restriction may affect the Trust or Trust school carrying out their legal and contractual obligations. It may also be believed that the data is being processed under the public interest, vital interest or legitimate interest conditions of processing. In these circumstances, guidance from the DPO and/or the Information Commissioner’s Office should be sought to determine that the request is valid.
In the event that the request is valid and the processing is restricted, the school will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.
The school will restrict the processing of personal data in the following circumstances:
The school will inform individuals when a restriction on processing has been lifted.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.
The right to data portability only applies in the following cases:
Personal data will be provided in a structured, commonly used and machine-readable form.
The school will provide the information free of charge, and;
The school will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information. If an individual wishes to exercise this right they should contact the Cluster Business Manager for the school or the Data Protection Officer ([email protected] or 01274 771444).
Individuals will have the right to object to the following:
Where personal data is processed for the performance of a legal task or legitimate interests:
Where personal data is processed for direct marketing purposes:
Where the processing activity is outlined above, but is carried out online, the school will offer a method for individuals to object online.
Individuals have the right not to be subject to a decision when:
When automatically processing personal data for profiling purposes, the school will ensure that the appropriate safeguards are in place, including:
Automated decisions must not concern a child or be based on the processing of sensitive data, unless:
The key aims of Privacy by Design are:
The school will act in accordance with the UKGDPR by adopting a privacy by design approach and implementing technical and organisational measures, which demonstrate how the Trust and Trust schools have considered and integrated data protection into their processing activities.
Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with the school’s data protection obligations and meeting individuals’ expectations of privacy.
DPIAs will allow the school to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to the school’s reputation, which might otherwise occur.
A DPIA will be carried out when using ‘new technologies’ or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
Where a DPIA indicates high-risk data processing, the school will consult the ICO to seek its opinion as to whether the processing operation complies with the UKGDPR.
Trust employees should follow the Trust Data Protection Impact Assessment (DPIA) Procedure.
Trust employees should follow the Trust Data Breach Management Procedure – see flowchart at Appendix 3.
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Please refer to the Trust Breach Management Procedure for further information.
Failure to report a breach when required to do so may result in a fine, as well as a fine of up to €20 million, or 4% of an organisation’s global turnover for the breach itself.
The Trust requires all third party processors who have access to or process personal data on behalf of the Trust, to provide written confirmation that they will comply with the requirements of the UKGDPR and maintain adequate physical and IT security controls to protect our data.
We will request contractors, suppliers, and system providers who may process our personal data to provide written assurance/contract terms to confirm that:
We will seek written confirmation from other authorised persons e.g. job applicants, students, volunteers, contractors, freelancers, board members, LSC members that they will comply with Trust and School policies and procedures and that we expect appropriate physical and IT data security controls to be exercised if given access to personal data and systems.
Beckfoot Trust will obtain and maintain Cyber Essentials Accreditation to demonstrate our IT Security Management Systems are effective. We also comply with the RPA requirements regarding offline back-ups, National Cyber Security Centre training, registration with the police scheme ‘Cyber Alarm’ and having a Cyber Response Plan.
Schools will ensure that the physical security of the school’s buildings and storage systems, and access to them, is reviewed on a regular basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.
Beckfoot Trust, its employees and others with authorised access to personal data will ensure that appropriate IT and physical data security controls are used to prevent unauthorised access to confidential records e.g.
The Trust and Schools understand that recording images of identifiable individuals constitutes processing personal information, so it is done in line with data protection principles.
Trust staff will follow the Trust CCTV Protocol for information in relation to the use and purpose of CCTV monitoring in schools.
The Trust will request consent for taking photographs and recording/videoing of students, staff and others and will only use them for the purposes covered on the appropriate Trust Privacy Notices. If the Trust or Schools need to use images for any other purpose, permission will be obtained from the individual or, for students, from the parent/carer (person with legal responsibility/legal guardian) if under the age of consent.
Precautions will be taken, as outlined in the Trust Online Safety, ICT and Social Media Policy, in relation to the taking and publishing of photographs of students, in print, video or on the school website.
For clarification, images captured by individuals for recreational/personal purposes, and videos made by a parent/carer for family use, are exempt from the GDPR; however, the Trust and Schools do require that permission be obtained from the Trust/school beforehand.
Under the GDPR, data must not be kept for longer than is necessary. It is therefore extremely important that the Trust and schools have effective policies and procedures in place to ensure the timely secure disposal or deletion of data e.g. paper records disposed of via confidential waste bins and appropriate IT controls for electronic data.
Some records relating to former students or employees of the school may be kept for an extended period for legal reasons, but also to enable the provision of references or academic transcripts.
Trust employees will follow the guidance set out in the Trust Records Management Protocol.