Creative Mindset “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
Scope of policy
This policy applies to all Creative Mindset staff, all contractors, suppliers and other people working on behalf of Creative Mindset. It applies to all the data we hold relating to identifiable individuals. “Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Policy operational date
September 2022
Policy prepared by
Mary Sharon Collins and Danielle Barker
Date approved by Directors
13/06/2022
Policy reviewed:
13/06/2022, 22/05/23, 22/05/2024, 22/05/2025
Policy renewal date
22nd May 2026
All Staff
MUST agree to read, understand and adhere to the following:
Introduction
Purpose of policy
Creative Mindset needs to gather and use certain information about individuals. This can include children and young people, parents/carers, staff, visitors, commissioners and other people we have a relationship with and may need to contact. This policy describes how this personal data is collected, handled and stored to meet our data protection standards and to comply with the law. This policy ensures that we are:
- complying with the law
- following good practice
- protecting young people, staff and other individuals
- protecting the organisation
Types of data
Creative Mindset and Danielle Barker. The data we process is both personal and sensitive.
Personally Identifiable Information: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data:
- the racial or ethnic origin of the data subject
- political opinions
- religious beliefs or other beliefs of a similar nature
- whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
- physical or mental health or condition
- sex life
- the commission or alleged commission by them of any offence
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Policy statement
Creative Mindset has a commitment to:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff who handle personal data, so that they can act confidently and consistently
- notify the Information Commissioner voluntarily, even if this is not required
Key risks
This policy aims to protect Creative Mindset from data security risks, including:
- Breaches of confidentiality: for instance, information being given out inappropriately.
- Failing to offer choice: for instance, all individuals should be free to consent to how their data is used.
- Reputational damage: for instance, Creative Mindset could suffer if hackers gained access to sensitive data.
Responsibilities
Everyone who works for or with Creative Mindset has some responsibility for ensuring data is collected, stored and handled appropriately.
The Board / Company Directors
We have overall responsibility for ensuring that Creative Mindset complies with its legal obligations.
Data Protection
Creative Mindset is responsible for:
- Briefing the staff on Data Protection responsibilities
- Reviewing Data Protection and related policies
- Advising other staff on complex Data Protection issues
- Ensuring that Data Protection induction and training takes place
- Notification to the ICO
- Approving unusual or controversial disclosures of personal data
- Approving contracts with Data Processors
- Dealing with requests from individuals to see the data Creative Mindset holds about them.
Management
Ongoing monitoring of their own compliance with GDPR and reporting back to the Data Protection Officer.
Staff
All staff will read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘employees’ is used, this includes both paid employees and volunteers.) ‘Teacher’ refers to all teaching staff including Learning mentors and Tutors.
Security
Scope
Data Security is not wholly a Data Protection issue. Business Continuity is also important to data integrity.
Setting security levels
The greater the consequences of a breach of confidentiality, the tighter the security should be.
Security measures
For each confidentiality level we will set out the security measures to be followed, such as password protection, clear desk policy, entry control.
Business continuity
See Business Continuity Policy.
Specific guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, staff can request it from their line managers.
- Creative Mindset will provide training to all employees to help them understand their responsibilities when handling data.
- Staff should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within Creative Mindset or externally.
- Data should be reviewed and updated, if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Staff should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
Special precautions apply when information is used in high-risk situations, for example when staff are working at home or in meetings etc.:
- All devices will have a strong password that is not shared.
- Any papers containing personal or sensitive data will be stored securely.
- Contact details may only be given over the phone if the explicit consent of the individual has been gained or if it is paramount to a child’s welfare that the details are shared.
- All written information that is no longer required will be shredded.
Information pertaining to staff or young people obtained through supervision, assessment or other means is confidential to Creative Mindset. However, if we feel an adult or child is at risk, then we will need to communicate with statutory agencies outside of Creative Mindset in line with CP procedures.
Creative Mindset employees strive to minimise non-essential transfers of information between staff. Information will be shared on a need-to-know basis and using Creative Mindset data systems only. However, from time to time, Creative Mindset staff may need advice or guidance from their colleagues and this will inevitably involve some sharing of information otherwise regarded as non-essential.
All information shared with Creative Mindset will be recorded. We WILL NOT hold ‘off the record’ discussions.
Creative Mindset recognises that every child / young person has the right to privacy and confidentiality with regards to information about their origins and their past experiences. We recognise that some children / young people may decide not to share personal information with Creative Mindset, whilst others may share these details very openly with their teacher.
- Creative Mindset staff do not share confidential information about children / young people placed with them with anyone (including friends, neighbours, extended family).
- Creative Mindset staff do not share confidential information with one another unless there is a specific purpose, such as determining what course of action should be taken next.
- Any serious breach of confidentiality by Creative Mindset staff will be taken up by the Manager immediately.
- Information from commissioners and/or education establishments regarding a child / young person will be shared with their teacher on a regular basis.
- Information about children / young people will be shared with other professionals (e.g. teachers, educational psychologists, therapists) at the local authority’s discretion.
- All information communicated to other parties will be done with care and respect for the subject and on a need-to-know basis.
- Staff must lock their computers when away from their work stations for any length of time (e.g. going for lunch).
- Care must be taken when discussing confidential information not to be overheard by others not entitled to know the information.
- Care must be taken when positioning work stations to ensure confidentiality can be maintained.
Any paper records within Creative Mindset premises are locked into filing cabinets and accessed only by Danielle Barker.
Data recording and storage
Overview
These rules describe how and where data should be safely stored. Questions about storing data can be directed to the Data Protection Officer.
Updating
Data will be checked on an annual basis and any data that no longer needs to be stored will be deleted or shredded.
Storage
The most secure place to store Creative Mindset data is electronically on the Creative Mindset Portal. Paper records should be avoided where possible.
When data is stored on paper it should be kept in a secure place where unauthorised people cannot access it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason, although this should be avoided:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Staff should make sure paper and printouts are not left where unauthorised people could see them, for example on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between staff.
- If data is stored on removable media (like a CD or USB drive), these should be encrypted with a password and kept locked away securely when not being used.
- Data should only be stored on designated NT&AS drives and servers (Creative Mindset Google account Drive, Creative Mindset office account – One Drive, the Creative Mindset Portal) and should only be uploaded to our approved cloud computing services of Creative Mindset Google account Drive, Creative Mindset office account – One Drive and the Creative Mindset Portal.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
Staff desks: Desks should be cleared of all records, reports and letters pertaining to staff or children at the end of each work session and shredded or stored in locked cabinets or drawers.
Retention periods
Principle 5 of the GDPR requires us to retain personal data for no longer than is necessary. We will hold data on:
- Attendance registers: date of register + 3 years
- Pupil files: DOB of pupil + 25 years
- SEN files, reviews and Individual Education Plans: DOB of pupil + 25 years
- EHCP maintained under the Education Act 1996: DOB of pupil + 30 years
- Proposed EHCP or amended EHCP: DOB of pupil + 30 years
- Advice and information to parents regarding educational needs: Closure + 12 years
- Accessibility Strategy: Closure + 12 years
- Children’s SEN Files: DOB of pupil + 25 years then review
- Parental permission slips for school trips (no major incident): conclusion of trip
- Examination results: Year of examination + 6 years
- Any other records created in the course of contact with the pupil: current year + 3 years
Archiving
We archive data that is no longer relevant to be viewed using the Creative Mindset Portal archive library. This data is reviewed and destroyed when no longer required.
Right of Access
Responsibility
The Data Protection Officer is responsible for ensuring that right of access requests are handled within the legal time limit, which is one month.
Procedure for making request
Right of access requests must be in writing. All individuals who are the subject of personal data held by NT&AS are entitled to:
- Ask what information NT&AS holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how NT&AS is meeting its data protection obligations.
If an individual contacts Creative Mindset requesting information, this is called a subject access request. They should be made by email, addressed to the data controller [email protected]. We aim to provide the relevant data within 30 days.
Provision for verifying identity
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Charging
Information is provided free of charge.
Transparency
Commitment
Creative Mindset has a commitment to ensuring that you are aware that data is being processed and:
- for what purpose it is being processed
- what types of disclosure are likely
- how to exercise your rights in relation to the data
Procedure
We will inform people through: the handbook for employees consent forms on referral during the initial discussions and meeting our privacy notice on the web site
Lawful Basis
Underlying principles
From GDPR
Opting out
Staff and other data subjects can opt out of specific information being shared.
Withdrawing consent
We acknowledge that, once given, consent can be withdrawn. However, there may be occasions where we have no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
Employee training & Acceptance of responsibilities
Induction
All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Continuing training
Opportunities to raise Data Protection issues during employee training, team meetings, supervisions, etc. will be utilised.
Procedure for staff signifying acceptance of policy
All staff and carers will sign a data agreement to signify they have read and understood this policy.
Policy review
Responsibility
Danielle Barker
Procedure
Annual review or in line with any changes to legislation