One important responsibility bestowed upon any data controller is the duty to communicate what data they process, how they process that data, and who has access to that data. This communication is best done with a fair processing notice (FPN) or more commonly known as a privacy notice. The FPN should be easy to understand, clear, and should avoid ‘technical jargon’. It is suggested that schools have three separate FPNs. One for parents and pupils, a second for school employees, and a third for CCTV use – if relevant.
[3.1] Fair Processing Notice for Pupils and Parents
It is the right of every data subject, and their guardians if younger than twelve years of age, to understand what data is being collected, how this data is being used, and who has access to this data. A good FPN should therefore map out all of this information in a clear and concise format. FPNs must be issued for all new learners at a school, to the parents of younger children, and to pupils aged 12 or more themselves. Notices can be issued at the same time as other communications. The DfE advises that, for example, a learner might receive the FPN as part of a school brochure, or induction pack, or in a school diary, and/or it could be posted on the school notice board. It is recommended that the FPN is also posted to your website and clearly signposted.
As well as listing how your organisation uses a pupil’s data it is crucial to detail which other organisations you share this data with and why. The FPN should refer the data subjects to the County Council website to see how the local authority will store and use the data. That www.northyorks.gov.uk/schoolrecords [new window] web page includes details of local bodies with which NYCC shares data. Likewise, the FPN should also refer data subjects to the DfE's website to see how the Department will store and use the data and similarly includes details of organisations with whom data will be shared. Hard copies of information on web pages should be provided on request for parents without internet access.
If schools intend to share data outside the parameters of the FPN then they should ensure that they have the sanction of their own legal advisers to do so, and that such sharing complies with the DPA.
A school’s FPN should also include the rights of parents or pupils, under the Learning and Skills Act 2000, to opt out from the provision of information to the local Youth Support Services (formerly the 'Connexions' service). It is expected that by age 16 pupils themselves will have the capacity to exercise this right. Accordingly NYCC advises that it is good practice for schools to re-issue the Notice to pupils attaining that age to enable them to exercise this right if desired. Schools should inform Alison.email@example.com in writing of any such opt-outs.
North Yorkshire County Council
A model FPN has been produced for your school to adapt and modify according to your own policies, see Useful Documents.
[3.2] Fair Processing Notice for School Employees
All new and current employees have the right to know how their employers will process their data, for what purpose, and who else will access that data. This fair processing notice should be included as an attachment to the employee’s contract or statement of particulars or included in the new employee’s starter pack. Employees working at North Yorkshire maintained schools should expect to follow NYCC’s own employment fair processing notice and therefore only academies and private schools need to have their own employee fair processing notices in place.
[3.3] CCTV Notice
If you have CCTV at your school then you will need to ensure that you have adequate notices posted in the area that is being monitored. These signs need to state who owns the CCTV, who operates the CCTV (if not the school), a contact number and address (so members of the public can request footage), and the reason why you have CCTV (i.e for the detection and prevention of crime). The school should also ensure that it has an extended CCTV privacy notice which details why the school has CCTV, what it is being used for, who has access, and how members of the public can request footage.
The ICO’s CCTV Code of Practice is a comprehensive guide to managing CCTV and you should follow this when you are writing your own CCTV policy and privacy notices. Appendix 2 of the Code has a checklist which is very useful to ensure you have complied fully with the law.