GDPR (Exams)

Key staff involved in General Data Protection Regulation Policy

Purpose of the Policy

This policy details how Blessed John Henry Newman, in relation to exams management and administration, ensures compliance with the regulations as set out by the Data Protection Act (DPA) and General Data Protection Regulation (GDPR).

Students are given the right to find out what information the centre holds about them, how this is protected, how this can be accessed and how data breaches are dealt with.

All exams office staff responsible for collecting and sharing candidates’ data are required to follow strict rules called ‘data protection principles’ ensuring the information is:

• Used fairly and lawfully
• Used for limited, specifically stated purposes
• Used in a way that is adequate, relevant and not excessive
• Accurate
• Kept for no longer than is absolutely necessary
• Handled according to people’s data protection rights
• Kept safe and secure
• Not transferred outside the European Economic Area without adequate protection

To ensure that the centre meets the requirements of the DPA and GDPR, all candidates’ exam information – even that which is not classified as personal or sensitive – is covered under this policy.

Section 1 – Exams-related information:

There is a requirement for the exams office(r) to hold exams-related information on candidates taking external examinations. For further details on the type of information held please refer to Section 5 – Candidate information, audit and protection measures.

Candidates’ exams-related data may be shared with the following organisations:

• Awarding bodies (password protected)
• Joint Council for Qualifications (password protected)
• Department for Education (password protected)
• Local Authority
• Salford Diocese
• The local press/media coverage

This data may be shared via one or more of the following methods:

• Hard copy
• Email
• Secure extranet sites (e-AQA, OCR Interchange, Pearson Edexcel online, WJEC Secure services, Schools key to success secure site)
• Management Information Systems (Capita SIMS, A2C Data exchange)

This data may relate to exams entries, access arrangements, the conduct of exams and non-examination assessments, special consideration requests and exam results/post results/certificate information.

Section 2 – Informing candidates of the information held:

Blessed John Henry Newman ensures that candidates are fully aware of the information and data held.

All candidates are:

• Informed via whole year assembly and issue of centre specific policy
• Given access to this policy via school website and upon written request

Candidates are made aware of the above at the start of their course of study leading to all external examinations.

Section 3 – Hardware and software:

The table below confirms how IT hardware, software an access to online systems is protected in line with DPA & GDPR requirements.

Section 4 – Dealing with data breaches:

Although data is handled in line with DPA/GDPR regulations, a data breach may occur for any of the following reasons:

• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error
• Unforeseen circumstances such as fire or flood
• Hacking attack
• ‘blagging’ offences where information is obtained by deceiving the organisation who holds it

If a data protection breach is identified, the following steps will be taken:

1. Containment and recovery:

The Data Protection Officer will lead on investigating the breach as soon as it has been identified.

It will be established:

• Who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This may include isolating or closing a compromised section of the network, finding a lost piece of equipment and/ or changing the access codes
• Whether there is anything that can be done to recover and losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back-up hardware to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts
• Which authorities, if relevant, need to be informed

1. Assessment of ongoing risk:

The following points will be considered in assessing the ongoing risk of the data breach:

• What type of data is involved?
• How sensitive it is?
• If data has been lost or stolen, are there any protections in place such as encryption?
• What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom it relates; if it has been damaged, this poses a different type of level of risk
• Regardless of what has happened to the data, what could the data tell a third party about the individual?
• How many individuals’ personal data are affected by the breach?
• Who are the individuals whose data has been breached?
• What harm can come to those individuals?
• Are there wider consequences to consider such as loss of public confidence in an important service we provide?

1. Notification of breach:

Notification will take place to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

1. Evaluation and response:

Once a data breach has been resolved, a full investigation of the incident will take place. This will include:

• Reviewing what data is held and where and how it is stored
• Identifying where risks and weak points in security measures lie (for example, use of portable storage devices and access to public networks)
• Reviewing methods of data sharing and transmission
• Increasing staff awareness of data security and filling gaps through training or tailored advice
• Reviewing contingency plans

Section 5 – Candidate information, audit and protection measures:

For the purposes of this policy, all candidates’ exam-related information – even that not considered personal or sensitive under the DPA/GDPR – will be handled in line with DPA/GDPR guidelines.

The Data Protection Officer will conduct an information audit annually.

The table in section 8 details the types of candidate exams-related information held, and how it is managed, stored and protected.

Protection measures may include:

• Password protected area on the centre’s intranet
• Secure drive accessible only to selected staff
• Information held in secure area
• Updates undertaken every month (includes updating antivirus software, firewalls, internet browsers etc.)

Section 6 – Data retention periods:

Details of retention periods, the actions taken at the end of the retention period and the methods of disposal are contained in the centre’s “Exams Archiving Policy” which is available/accessible from the school website.

Section 7 – Access to information:

Current and former candidates can request access to the information/data held on them by making a subject access request to the Data Protection Officer in writing/email – valid ID will be requested if a former candidate is unknown to current staff). All requests will be dealt with within 40 calendar days.

Third Party Access

Permission should be obtained before requesting personal information on another individual from a third-party organisation.

Candidates’ personal data will not be shared with a third party unless the request is accompanied with written permission from the candidate and appropriate evidence (where relevant), to verify the ID of both parties.

In the case of looked-after children or those in care, agreements may already be in place for information to be shared with the relevant authorities (e.g. The Local authority). The centre’s Data Protection Officer will confirm the status of these agreements and approve/reject any requests.

Section 8 – Table recording candidate exams-related information held:

For details of how to request/access information held, refer to section 7 of this policy (Access to Information)

For further details of how long information is held, refer to the “Exams Archiving Policy” which can be located on the schools website.