«Fair Processing Notice to explain how some of the personal data of pupils in primary and special schools will be recorded on the proposed Primary ...»
Circular Letter 0017/2014
To the Boards of Management of Primary and Special Schools
Fair Processing Notice to explain how some of the personal data of pupils
in primary and special schools will be recorded on the proposed Primary
Online Database (POD) and how this data will be processed by the
Department of Education and Skills, in compliance with the Data
Protection Act 1988 and the Data Protection (Amendment) Act 2003.
The Department of Education and Skills is currently in the process of developing an individualised database of primary school pupils, known as the Primary Online Database (POD). This database will also contain individualised information on pupils in special schools. With regard to the storage and processing of individualised data, the Department is
abiding by the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003;
respecting individuals rights to confidentiality and privacy;
The obligations placed on users of data under the Data Protection Acts can be categorised under the Eight Rules of Data Protection. This circular outlines how the Department of Education and Skills shall comply with each of these rules in relation to data stored on the Primary Online Database.
1- Obtain and process information fairly The Primary Online Database (POD) is a database of pupils enrolled in primary and special schools, which are recognised by the Department. While the database is hosted by the Department, the pupils’ data will be maintained by the schools in which the students are enrolled.
There will be three categories of pupil personal data stored on POD o Category 1 - personal data shared between the school and the Department o Category 2 - sensitive personal data shared between the school and the Department o Category 3 - personal data, including sensitive data, which is only accessible to the school The Department will request all recognised primary and special schools to record specific details of the pupils who are enrolled in their schools on POD. The Department, through this Fair Processing Notice and the individual schools through their own Data Protection Policies, provide information on how the schools should meet their data protection obligations regarding pupil data. The Department will also agree a protocol on data handling and data management in relation to POD with the relevant school management bodies. A copy of this protocol will be made available once agreed.
Full details of the type of data stored in POD are provided in Appendix A.
In relation to Category 1 and Category 2 data held on POD, there are two distinct types of
consent required, and the approaches to be adopted are as follows:
Category 1 refers to data which is non-sensitive personal data such as name, address, Personal Public Service Number (PPSN), etc.
In respect of these data fields, the parents/guardians are advised by way of this notice:
Category 2 refers to data which is sensitive personal data, in the context of POD. This data includes the ethnic\cultural background of the pupil, and the pupil’s religion. In relation to these fields, the express written consent of the parents/guardians or students (over 18 years) is required, before this data can be recorded for a student on POD and accessed by the Department of Education. A suggested consent form used to collect this type of data is provided in Appendix B.
Data on ethnic or cultural background is required in some cases for the purpose of allocating appropriate resources to schools to meet the individual needs of children from these communities and to comply with a number of international reporting requirements for children from these communities. Data on religion and other ethnic or cultural origins is required for statistical analysis and in order to underpin future policy and planning within the Department. Primary school authorities are required to gain the written consent from the relevant parents/guardians or students, as appropriate, before data on these two data fields is recorded on POD. Schools do not need to return the written consent to the Department but should retain it for any inspection by either the Department or the Office of the Data Protection Commissioner.
Both the school and the Department are data controllers1 for data in Category 1 and Category 2.
Data Controller – means a person who, either alone or with other, controls the contents and use of personal data For Category 3 the school is the data controller with the Department acting as a data processor2 on behalf of the school. The Department will provide the functionality and means of recording the information for Category 3, but will not be able to view the data. The data in Category 3 will be defined by the schools and could include, for example, data on family contacts and details of any medical conditions for a pupil. It is open to schools to decide whether or not they wish to record data in Category 3 for students on POD. The data in Category 3 will be encrypted and therefore it is only visible to school users.
For all the above categories, under Data Protection legislation, parents/guardians have the right to object to the processing of their child’s (or their own) personal data, if they feel that the data is not being processed in a fair manner or used for a valid reason. They also have the right to block certain uses of the data and correct errors, in the unlikely event that they identify any errors in this data held about their child (or themselves).
2- Keep it only for one or more specified, explicit and lawful purposes The Department of Education and Skills will use pupils’ data on POD in Category 1 and some Category 2 data to establish the teaching posts and core funding to be allocated to each recognised primary school, for the following school year. For a pupil to be included in this calculation, they must be validly enrolled in a recognised school, in accordance with the requirements as specified in departmental circulars.
The Department also will use pupil data in categories 1 and 2 stored in POD for planning, policy and statistical purposes. In general, it does not use individual data for these purposes, but rather aggregates this data to meet its business needs. A small proportion of the data recorded by schools on POD is required for these purposes only.
For the purposes for which the school will use the data held on POD, please refer to the Data Protection Policy of the school.
3- Use and disclose it only in ways compatible with these purposes.
Schools may only access the data of students currently enrolled in their schools.
It is Departmental policy that only a small number of Departmental staff, who have a specific requirement which is related to their work, have access rights to view the personal data in Category 1 and Category 2 of students.
Personal data stored on POD and only accessible by the school, i.e. Category 3, is encrypted and no staff member of the Department will have access to this data.
The Department also proposes to share some of the personal data stored on POD with other
State bodies. These are:
Data Processor – means a person who processes personal data on behalf of a data controller Central Statistics Office, under the Statistics Acts to assist with the compilation of national statistics. 3 The National Council for Special Education, under the Education Welfare Act, in order to assist in supporting resource allocation in relation to pupils with special educational needs.4 The Child and Family Agency, under the Education Welfare Act, to ensure that each child of compulsory school age is in receipt of an education.
To meet the Department’s business needs in regard to the allocation of resources to schools, the Department will share a limited amount of each pupil’s personal data, including a child’s PPS number with the Department of Public Expenditure and Reform PPSN validation service, or directly with the Department of Social Protection Client Identity Database area, in order to validate the identity of each pupil and ensure that the correct resource allocation is granted to each school. The legal basis for this sharing of data is set out in Social Welfare Acts5 The Department will put in place a data user agreement with each of these bodies, which includes the purpose for which the body requires the data, its storage, security and retention.
Details of similar existing data user agreements already in place at post primary level are available on the Department’s website at www.education.ie (and search for P-POD).
Schools within the POD system may also exchange data in Categories 1 and 2 for the purposes of facilitating inter-school transfer of the pupil. Explicit parental consent must be given for sensitive personal data (i.e. Category 2 data) to be transferred from one school to another. In the case of other personal data (i.e. Category 1 data), schools may only access pupil data on POD in the case where they have already enrolled the pupil in their school.
4- Keep it safe and secure POD will be hosted by the Department and accessed by schools through the esinet portal. The esinet portal is a secure network managed and controlled by the Department. It may only be accessed through password controlled accounts. The Department will maintain audit records of users who access the POD system.
The Statistics Act, 1993 gives the CSO the authority to assess the statistical potential of the records maintained by other public authorities and to ensure that this potential is realised; therefore, the CSO has indirect access on a statutory basis to data on individuals and businesses collected for administrative purposes Section 28 of the Education Welfare Act 2000 allows for personal data to be transferred between the Minister for Education and Skills, recognised schools, the National Council for Special Education, and the Child and Family Agency, if it is used for a relevant purpose only, including “recording a person's educational or training history or monitoring his or her educational or training progress in order to ascertain how best he or she may be assisted in availing of educational or training opportunities or in developing his or her full educational potential” Section 266 of the Social Welfare Consolidation Act 2005 states that “Notwithstanding anything contained in any other enactment, a specified body may share any information that may be prescribed with (a) the Minister for Education and Skills, where the Minister requires the information for the purposes of enabling him or her to provide education in accordance with section 6(b) of the Education Act 1998” A recognised school within the meaning of section 2 of the Education Act has been designated a specific body for these purposes. Regulation 189 of the Social Welfare(Consolidated Claims, Payments and Control) Regulations 2007 (S.I. No. 142 of
2007) lists the prescribed information for the purposes of section 266 in relation to a pupil that may be shared.
The agreed protocol between the Department and the management bodies for schools, and to which schools are required to adhere, will oblige schools to segregate the various users who have access to POD by duties and responsibilities. Access at school level is through password controlled accounts. Where data is exported by schools from POD to local software, schools will be required to encrypt the data during transfer and store the resultant data on secure local systems.
For information on the safety and security measures in place in a particular school, please refer to the school’s Data Protection Policy.
5- Keep it accurate, complete and up-to-date The pupil data on POD shall be maintained by the school in which the student is enrolled.
The school is obliged to ensure that the data of its pupils is accurately maintained.
6- Ensure that it is adequate relevant and not excessive.
The Department, in consultation with the management bodies for schools, the Irish Primary Principals Network, the National Parents’ Council and other key stakeholders in the education system will review from time to time the data on pupils required to manage and administer the education system.