GDPR and Data Protection
Ormiston Academies Trust is the organisation which is in charge of personal information – Data Controller.
The postal address of the Academy Trust is:
Ormiston Academies Trust
144, Newall Street
The Data Protection Officer (DPO) for the Trust is James Miller. He can be contacted via firstname.lastname@example.org.
The Data Protection Lead (DPL) at the Academy is Teresa Smith – Director of Finance & Operations.
Data Protection Policies
General Data Protection Regulation (GDPR)
On 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European member states, including the United Kingdom who will still be a member at that time.
The new Regulation will replace the Data Protection Act 1998 (DPA) which was developed at a time when most data processing was still paper-based. There was also a limited understanding of the impact that technology would have on the way we process data.
The purpose of the GDPR is to:
- harmonise the EU’s laws surrounding data protection
- protect all EU citizens’ data privacy
- re-shape the way organisations across the region approach data privacy
In drafting it, the EU’s aim was to design it as a living document and future-proof the wording. They have also made it ‘technology neutral’ which means that the same regulatory principles apply regardless of the technology used.
If you hold information which falls within the scope of the Data Protection Act 1998, it will also fall within the scope of GDPR. The GDPR principles are similar to the DPA, but there is a new accountability requirement – you will have to demonstrate how you comply.
The following terminology will be used in this course.
Data subject means the person whose personal data is being processed.
Personal data means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking sites or a computer IP address. Sensitive personal data includes information about racial or ethnic origin, political opinions, medical information and genetic and biometric data where it is used to uniquely identify an individual.
Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be rocessed.
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- organising, adapting or altering it
- retrieving, consulting or using the information or data
- disclosing the information or data by transmission, dissemination or otherwise making it available
- aligning, combining, blocking, erasing or destroying the information or data