Data Protection Privacy Notice Effective
The General Data Protection Regulations ‘GDPR’ come into force in Northern Ireland/UK on 25th May 2018. This is our Privacy Notice in compliance with GDPR.
In an increasingly digital and technological age and one in which cyber crime is and data fraud is an increasing risk, we recognise that individuals are entitled to be concerned about the whereabouts and security of their personal data. Within this notice, we will set out how we collect personal information about you, how we use it, store and share it and how you can interact with us about it. This Notice is designed to give you reassurance in respect of our commitment to maintain and protect your data.
1. CCMS
The Council for Catholic Maintained Schools (CCMS) (hereinafter ‘we’, ‘us’, and ‘our’) is the advocate for Catholic Maintained Schools in Northern Ireland. We represent trustees, schools and governors on issues such as raising and maintaining standards, the school estates and teacher employment.
2. Data Protection Officer
Our Data Protection Officer (DPO) oversees how we collect, use, share and protect your information to ensure that your rights are recognised and fulfilled. Our DPO can be contacted at info@ccmsschools.com.
3. How is your personal information collected?
We hold and process personal data and sensitive personal data about its current, past or prospective staff and others who are defined as data subjects under the General Data Protection Regulations.
Please note that schools are the Data Controllers of personal data relating to teachers employed by their Boards of Governors, therefore much of the personal data relating to teachers employed on our behalf by Boards of Governors, is held by the employing school.
This information is normally initially provided to us by a prospective member of staff on an application form and is added to by us over the course of employment. Information about staff and prospective staff is retained and disposed of in accordance with our Records Retention Schedule. Some information may be passed to our Archives for long term historical preservation.
4. What personal information do we collect, store and use about those employed by us?
We will collect, store and use the following categories of personal information about CCMS employees:
- Personal information (such as name, employee number, national insurance number, next of kin details and emergency contact information, photographs, bank account details, and tax status information).
- Special categories of data including characteristics information (such as gender, age, ethnic group, trade union membership, information regarding your health and Access NI Enhanced Disclosure application and outcome).
- Recruitment information (such as copies of references, information included in a CV or letter as part of the application process).
- Contact information (such as start dates, hours worked, post, roles and salary information, annual leave, leaving date and your reasons for leaving).
- Performance information (including training records and professional memberships).
- Disciplinary and grievance
- Work absence information (such as number of absences and reasons, including in respect of parental leave).
- Information about your use of our information and communications
5. Why do we collect and use this information?
CCMS collects and uses personal information primarily to allow us to perform our contract with you. For example:
- Making a decision about your recruitment or
- Determining the terms on which you work for
- Checking you are legally entitled to work in the
- Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and National Insurance contributions (NICs).
- Administering the contract CCMS has entered into with
- Business management and planning, including accounting and
- Conducting performance reviews, managing performance, and determining performance requirements.
- Making decisions about salary reviews and
- Assessing qualifications for a particular job or task, including decisions about promotions.
- Gathering evidence for possible grievance or disciplinary
- Making decisions about your continued employment or
- Making arrangements for the termination of our working
- Education, training and development
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at
- Ascertaining your fitness to
- Managing sickness
- Complying with heath and safety
- To monitor your use of our information and communication systems to ensure compliance with our IT
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- To conduct data analytics studies to review and better understand employee retention and attrition
- Equal opportunities
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
We have a legal right to collect and use personal information relating to our staff, for example:
- To enable the development of comprehensive picture of our workforce and how it is deployed.
- To inform the development of recruitment and retention
- To enable individuals to be
- To administer school
- To maintain our own accounts and
- To carry out
- To support staff
- To provide appropriate pastoral
- To assess the quality of our
- To comply with the law regarding data
We may also collect and use your personal information in order to meet legal requirements set out in the General Data Protection Regulation and UK law, including:
- Education and Libraries (NI) Order
- Education Reform (NI) Order 1989.
- Education and Libraries (NI) Order
- Education (NI) Order
- Education (NI) Order
- Education (NI) Order
- Education and Libraries (NI) Order
- Special Educational Needs and Disability (NI) Order
- Education (NI) Order
- Education Act (NI)
6. Consent
Whilst the majority of the personal information you provide CCMS is required for us to comply with our legal obligations, some of that information is provided on a voluntary basis. When collecting data, CCMS will inform you whether you are required to provide this data or if your consent is needed. Where consent is required, CCMS will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.
You have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
7. How long is your personal information stored for?
We only keep your data for as long as is necessary in order to comply with our legal and regulatory obligations.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee of CCMS, we will retain and securely destroy your personal information in accordance with our Retention Policy.
8. Who we share CCMS workforce information with?
We may have to share your personal information with third parties, including third-party service providers and other bodies such as:
- Education Authority
- The Department of Education
- The Boards of Governors
- PSNI
- Information Commissioner’s Office
9. Data Security
We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a need to know. They will only process personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator (currently the Information Commissioner’s Office) of a suspected breach where we are legally required to do so.
10. Why we share CCMS workforce information?
We will share your personal information with third parties, where required by law or where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
To be granted access to CCMS workforce information, organisations must comply with its strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.
11. Transferring information outside the EU
We will not transfer the personal information we collect about you to any country outside the EU without telling you in advance that we intend to do so and what steps we have taken to ensure adequate protection for your personal information in those circumstances.
12. Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
13. What are your rights?
Under GDPR, members of CCMS workforce have the right to request access to information about them that we hold. To make a request for your personal information, contact the Data Protection Officer, Andrew Aicken.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You also have the right to:
- Request access to personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may change a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of the personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those or a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish it accuracy or the reason for processing
- Request the transfer of your personal information to another
14. Complaints
If you have a complaint about the manner in which any of your personal information has been used or about how any request in respect of your information has been dealt with, you can contact the Data Protection Officer, Andrew Aicken. You can make a complaint in writing, by email, by telephone or in person. All complaints will be investigated in accordance with our complaints policy and in accordance with our obligations under the GDPR.
You also have the right to make a complaint, at any time, to the Information Commissioner’s Office, the UK supervisory authority for data protection issues, through their website www.ico.org.uk. The ICO’s details are as follows:
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place Belfast
BT7 2JB