Tomlinscote School is committed to maintaining the confidentiality of information held within its systems about staff, students, finances and operations. The School updated its Data Protection Policy in May 2018 to reflect the importance of providing privacy and security for our students, staff, and parents.
Whilst we take all measures possible to ensure the protection of data, the School has put in place procedures to mitigate and reduce the impact of any data privacy issues. These are outlined below:
The Risk Register
Tomlinscote’s Risk Register lists the areas of potential data breaches, how they may occur and what steps can be taken to avoid a breach.
Definition of a data breach
A data breach can be defined as the unintended loss of personal data relating to students, parents, staff or anyone connected to the school whose details are held on the school systems. Examples of possible breach scenarios are shown below:
- Loss or theft of equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Poor data destruction procedures
- Human error, including accidental deletion
- Cyber attack/hacking
- “Blagging” – where information is obtained by deception
In the event of a breach
Should a data breach occur, the Data Protection Officer and Head of School/Executive Principal will investigate the cause, nature and severity of the breach and complete the attached three-part form. The ICO (Information Commissioner’s Office), the Police and school stakeholders will be informed if deemed relevant.
You can contact the School Data Protection Officer via email at firstname.lastname@example.org
The Data Protection Officer and Head of School/Executive Principal will examine the school’s Risk Register and identify if any further action can be taken to prevent further data loss and recover lost or damaged data.
This procedure is designed to be read in conjunction with the school’s Data Protection and e-Safety Policies and the following legal framework:
The Data Protection Act 1988
The Computer Misuse Act 1990
The General Data Protection Regulations (GDPR) which come into effect from 25th May 2018.