General Data Protection Regulation policy (exams) - James Hornsby School
Appendix 6, 2017/18

This policy is annually reviewed to ensure compliance with current regulations.
Approved/reviewed by: SLT
Date of next review: May 2019

GDPR policy (exams) - JHS (2017/18). Hyperlinks provided in this document were correct as at February 2018.
Key staff involved in the General Data Protection Regulation policy

Role and name(s):
- Head of centre: Jason Carey
- Exams officer: Steevie Montford
- Exams officer line manager (Senior Leader): Louise Dwyer
- Data Protection Officer: Lauri Almond
- IT manager: Rebecca Kemp
- Data manager: Steevie Montford

Purpose of the policy

This policy details how The James Hornsby School, in relation to exams management and administration, ensures compliance with the regulations as set out by the Data Protection Act (DPA) and General Data Protection Regulation (GDPR).

Students are given the right to find out what information the centre holds about them, how this is protected, how this can be accessed and how data breaches are dealt with.

All exams office staff responsible for collecting and sharing candidates’ data are required to follow strict rules called ‘data protection principles’ ensuring the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection

To ensure that the centre meets the requirements of the DPA and GDPR, all candidates’ exam information – even that which is not classified as personal or sensitive – is covered under this policy.

Section 1 – Exams-related information

There is a requirement for the exams office(r) to hold exams-related information on candidates taking external examinations. For further details on the type of information held please refer to Section 5 – Candidate information, audit and protection measures.

Candidates’ exams-related data may be shared with the following organisations:
- Awarding bodies
- Joint Council for Qualifications
- Multi Academy Trust – Zenith Multi Academy Trust
- Local Authority – Essex County Council
- Press releases concerning exceptional grades. Students would consent to this being published
- Department for Education

This data may be shared via one or more of the following methods:
- hard copy
- email
- secure extranet site(s) – eAQA; OCR Interchange; Pearson Edexcel Online; City & Guilds Walled Garden; NCFE Portal, Access Arrangements Online etc.
- Management Information System (MIS) provided by Capita SIMS
- sending/receiving information via electronic data interchange (EDI) using A2C (https://www.jcq.org.uk/about-a2c) to/from awarding body processing systems; etc.
- SISRA Analytics – information is exported from Capita SIMS and imported into SISRA Analytics

This data may relate to exam entries, access arrangements, the conduct of exams and non-examination assessments, special consideration requests and exam results/post-results/certificate information.

Section 2 – Informing candidates of the information held

The James Hornsby School ensures that candidates are fully aware of the information and data held. All candidates are:
- informed via letters which include information on examination dates, access arrangements and how results are issued
- given access to this policy via centre website, written request, etc.

Candidates are made aware of the above throughout the year leading up to their final examination.

Section 3 – Hardware and software

The tables below confirm how IT hardware, software and access to online systems are protected in line with DPA & GDPR requirements.

Hardware: Desktop Computer
Date of purchase: May 2012
Warranty expiry: Expired
Protection measures: Computers checked at least once a year for faults (HDD checked for errors, general check for speed and usability). Anti-virus is updated via a central orchestrator. All Internet browsing takes place on a controlled connection, based on rules set for education.

Software/online system and protection measure(s):
- SIMS (Capita Software): Access controlled by username and password. Accounts have specified access rights.
- SISRA Analytics: Access controlled by username and password. Accounts have specified access rights.
- Awarding body secure extranet site(s) (eAQA; OCR Interchange; Pearson Edexcel Online; City & Guilds Walled Garden; NCFE Portal, Access Arrangements Online): Access controlled by username and password. Accounts have specified access rights. Centre administrator has to approve the creation of new user accounts and determine access rights.
- A2C: Access controlled by username and password for computer login and SIMS login.
- Google Chrome: All Internet browsing takes place on a controlled connection, based on rules set for education.
- Mozilla Firefox: All Internet browsing takes place on a controlled connection, based on rules set for education.
- Microsoft Internet Explorer: All Internet browsing takes place on a controlled connection, based on rules set for education.

Section 4 – Dealing with data breaches

Although data is handled in line with DPA/GDPR regulations, a data breach may occur for any of the following reasons:
- loss or theft of data or equipment on which data is stored
- inappropriate access controls allowing unauthorised use
- equipment failure
- human error
- unforeseen circumstances such as a fire or flood
- hacking attack
- ‘blagging’ offences where information is obtained by deceiving the organisation who holds it

If a data protection breach is identified, the following steps will be taken:

1. Containment and recovery

The Data Protection Officer will lead on investigating the breach. It will be established:
- who needs to be made aware of the breach, and they will be informed of what they are expected to do to assist in the containment exercise. This may include isolating or closing a compromised section of the network, finding a lost piece of equipment and/or changing the access codes
- whether there is anything that can be done to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back-up hardware to restore lost or damaged data, or ensuring that staff recognise when someone tries to use stolen data to access accounts
- which authorities, if relevant, need to be informed

2. Assessment of ongoing risk

The following points will be considered in assessing the ongoing risk of the data breach:
- what type of data is involved?
- how sensitive is it?
- if data has been lost or stolen, are there any protections in place such as encryption?
- what has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relates; if it has been damaged, this poses a different type and level of risk
- regardless of what has happened to the data, what could the data tell a third party about the individual?
- how many individuals’ personal data are affected by the breach?
- who are the individuals whose data has been breached?
- what harm can come to those individuals?
- are there wider consequences to consider, such as a loss of public confidence in an important service we provide?
3. Notification of breach

Notification will take place to enable individuals who may have been affected to take steps to protect themselves, or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

4. Evaluation and response

Once a data breach has been resolved, a full investigation of the incident will take place. This will include:
- reviewing what data is held and where and how it is stored
- identifying where risks and weak points in security measures lie (for example, use of portable storage devices or access to public networks)
- reviewing methods of data sharing and transmission
- increasing staff awareness of data security and filling gaps through training or tailored advice
- reviewing contingency plans

Section 5 – Candidate information, audit and protection measures

For the purposes of this policy, all candidates’ exam-related information – even that not considered personal or sensitive under the DPA/GDPR – will be handled in line with DPA/GDPR guidelines.

An information audit is conducted yearly.

The table in Section 8 details the type of candidate exams-related information held, and how it is managed, stored and protected.

Protection measures may include:
- password protected area on the centre's intranet
- secure drive accessible only to selected staff
- information held in secure area
- updates undertaken every 12 months or as necessary (this may include updating antivirus software, firewalls, internet browsers etc.)

Section 6 – Data retention periods

Details of retention periods, the actions taken at the end of the retention period and the method of disposal are contained in the centre’s Exams archiving policy, which is available/accessible from the school website or by written request.

Section 7 – Access to information

Current and former candidates can request access to the information/data held on them by making a subject access request to Data & Exams by email on Admin@jameshornsby.essex.sch.uk. Photo identification may be requested if a former candidate is unknown to current staff. All requests will be dealt with within 40 calendar days.

In cases of complaint, please contact the Data Protection Officer by email on DPO@essex.gov.uk or call on 03330322970.

Third party access

Permission should be obtained before requesting personal information on another individual from a third-party organisation.

Candidates’ personal data will not be shared with a third party unless a request is accompanied by permission from the candidate and appropriate evidence (where relevant) to verify the ID of both parties.

In the case of looked-after children or those in care, agreements may already be in place for information to be shared with the relevant authorities (for example, the Local Authority). The centre's Data Protection Officer will confirm the status of these agreements and approve/reject any requests.
Section 8 – Table recording candidate exams-related information held

For details of how to request access to information held, refer to section 7 of this policy (Access to information).
For further details of how long information is held, refer to section 6 of this policy (Data retention periods).

Each entry below gives: the information type; the information description; what personal/sensitive data is/may be contained in the information; where the information is stored; how the information is protected; and the retention period (where required).

Information type: Access arrangements information
Data contained: Candidate name; Candidate DOB; Gender; Data protection notice (candidate signature); Diagnostic testing outcome(s); Specialist report(s) (may also include candidate address); Evidence of normal way of working; Teachers’ feedback; Medical evidence; Samples of work
Where stored: Access arrangements online or MIS; SENCo/SEN team. SENCo’s office, which is locked at all times in her absence.
How protected: In secure area solely assigned to exams.
Retention period: Stored by exams: to be returned to SENCo as records owner at end of the candidate’s final exam series. Stored by SENCo: 3 years (from year 9 to 11), then files sent for archives. Electronic copies kept for longer.

Information type: Attendance registers copies
Data contained: Candidate name; Candidate number
Where stored: On SIMS Examination Organiser Module. Physical copies – in metal filing cabinet in the lockable Data & Exams office.
How protected: Secure user name and password. Exam office is locked when the Manager and Assistant are absent.
Retention period: To be retained until after the deadline for EARs or until any appeal, malpractice or other results enquiry has been completed, whichever is later. [Reference ICE 6,15]

Information type: Candidates’ work
Information description: Exam papers
Data contained: Candidate name; Candidate number; Exam answers
Where stored: In safe within the exam cupboard when not being completed by candidates. When being transferred to the exam board from the centre, they are sent via the courier service Parcelforce. If the courier service is not used then they are sent by Royal Mail Special Delivery.
How protected: In secure area solely assigned to exams.
Retention period: Exam papers are retained until the end of the exam day, or next working day, where they are then posted to the exam board.

Information type: Certificates
Data contained: Candidate name; Candidate DOB; Grade achieved
Where stored: Metal filing cabinet in exam cupboard.
How protected: In secure area solely assigned to exams. If a student wants to collect their certificate(s) from the centre, they must present photo identification to reception/exam team if they cannot be identified on the MIS (SIMS).
Retention period: Unclaimed/uncollected certificates to be retained securely for a minimum of 12 months from date of issue. [Reference GR 5]

Information type: Certificate destruction information
Information description: A record of unclaimed certificates that have been destroyed.
Data contained: Candidate name
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be retained for 4 years from the date of certificate destruction. [Reference GR 5]

Information type: Certificate issue information
Information description: A record of certificates that have been issued to candidates.
Data contained: Candidate name
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: [Reference GR 5]

Information type: Entry information
Information description: Any hard copy information relating to candidates’ entries.
Data contained: Candidate name; Candidate number; Registration group; UCI number
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept until next exam season.

Information type: Exam room incident logs
Information description: Logs recording any incidents or irregularities in exam rooms.
Data contained: Candidate name
Where stored: Exam cupboard within exam room boxes.
How protected: In secure area solely assigned to exams.
Retention period: To be kept until next exams or until log book needs replacing.

Information type: Overnight supervision information
Information description: Copy of JCQ form Timetable variation and confidentiality declaration for overnight supervision for any candidate eligible for these arrangements.
Data contained: Candidate name; Candidate number; Reason for timetable variation
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be retained for JCQ inspection purposes for the relevant exam series.

Information type: Post-results services: confirmation of candidate consent information
Information description: Hard copy or email record of candidate consent for an EAR or ATS request to be submitted to an awarding body.
Data contained: Candidate name; Candidate number
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: EAR consent to be retained for at least six months following the outcome of the enquiry or any subsequent appeal. ATS consent to be retained for at least six months from the date consent given. [Reference PRS 4, appendix A and B]

Information type: Post-results services: requests/outcome information
Information description: Any hard copy information relating to a post-results service request (EARs, appeals, ATS) submitted to an awarding body for a candidate, and outcome information from the awarding body.
Data contained: Candidate name; Candidate number; Outcome
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: Records for current year plus previous 6 years to be retained as a minimum. [Reference Records Management Toolkit for Schools]

Information type: Post-results services: scripts provided by ATS service
Information description: Copies of exam scripts (or an electronic image of the script) returned to the centre by the awarding body, or copies downloaded by the centre where the awarding body provides online access to scripts.
Data contained: Candidate name; Candidate number; Exam answers
Where stored: Passed to the Head of Faculty once received. When a student has requested access to their script, once received the student is informed and asked to collect it as soon as possible.
How protected: Head of Faculty to keep secure.
Retention period: Where copies of scripts are retained by the centre, they must be securely stored (including any electronic versions) until they are no longer required. [Reference PRS 6]

Information type: Post-results services: tracking logs
Information description: A log tracking to resolution all post-results service requests submitted to awarding bodies.
Data contained: Candidate name; Candidate number
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept for 1 year.

Information type: Private candidate information
Information description: Any hard copy information relating to private candidates’ entries.
Data contained: Candidate name; Candidate number; Date of birth; Address and contact details
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept for 1 year.

Information type: Resolving clashes information
Information description: Any hard copy information relating to the resolution of a candidate’s clash of exam papers or a timetable variation.
Data contained: Candidate name; Candidate number
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept until next exam season starts.

Information type: Results information
Information description: Broadsheets of results summarising candidate final grades by subject by exam series.
Data contained: Candidate name; Candidate number; Unit mark achieved; Grade achieved
Where stored: Metal filing cabinet in exam cupboard.
How protected: In secure area solely assigned to exams.
Retention period: Records for current year plus previous 6 years to be retained as a minimum. [Reference Records Management Toolkit for Schools]

Information type: Seating plans
Information description: Plans showing the seating arrangements of all candidates for every exam taken.
Data contained: Candidate name; Candidate number
Where stored: Metal filing cabinet in exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be retained until after the deadline for EARs or until any appeal, malpractice or other results enquiry has been completed, whichever is later. [Reference ICE 6]

Information type: Special consideration information
Information description: Any hard copy information relating to a special consideration request and supporting evidence submitted to an awarding body for a candidate.
Data contained: Candidate name; Candidate number; Information on why special consideration is being applied for
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: Evidence supporting an on-line special consideration application and evidence supporting a candidate’s absence from an exam must be kept until after the publication of results. [Reference SC 6]

Information type: Suspected malpractice reports/outcomes
Information description: Any hard copy information relating to a suspected malpractice investigation/report submitted to an awarding body, and outcome information from the awarding body.
Data contained: Candidate name; Candidate number; Detail of the malpractice
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept for 3 years.

Information type: Transferred candidate information
Information description: Any hard copy information relating to an application for a transferred candidate arrangement submitted to an awarding body for a candidate.
Data contained: Candidate name; Candidate number; Date of birth
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be retained until the transfer arrangements are confirmed by the awarding body.

Information type: Very late arrival reports/outcomes
Information description: Any hard copy information relating to a very late arrival report submitted to an awarding body for a candidate, and outcome information from the awarding body.
Data contained: Candidate name; Candidate number; Reason for late arrival
Where stored: Exam office.
How protected: Exam office is locked when the Manager and Assistant are absent.
Retention period: To be kept for 3 years.