Registered schools – online resources and data collection

Data Protection Authority: the relevant data protection authority in the territories where the Parties are established, here the Information Commissioner’s Office (ICO).

DPA: the Data Protection Act 1998 (DPA), the Data Protection Directive (95/46/EC), from May 25th 2018 – the General Data Protection Regulation (2016/679) (GDPR), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all applicable laws and regulations relating to the processing of the Personal Data and privacy, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or any other national data protection authority, and the equivalent of any of the foregoing in any relevant jurisdiction.

Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

Data Controller, Data Processor, Data Subject and Personal Data, Sensitive Personal Data, Special Category Data and processing shall have the meanings given to them in the DPA and the GDPR.

This notification reflects the arrangements that have been agreed to facilitate the sharing of personal data relating to pupils between the Parties acting as data controllers and explains the purposes for which the personal data may be used.

Schools may use the data to:

• track the progress made by individual pupils and share this with parents
• monitor the progress made by groups of pupils, including vulnerable groups, and share this with governors and inspectors
• benchmark your school’s outcomes against national ECC outcomes and evaluate and improve the effectiveness of your ECC programmes.

EHU and ECC may use the data to:

• provide reports for schools for the above purposes
• evaluate and improve the effectiveness of ECC programmes for schools across the country and share national outcomes with schools and interested parties
• research the implementation and impact of ECC.

The shared personal data must not be irrelevant or excessive with regard to the Agreed Purpose. Processing is necessary for the performance of a task carried out for the legitimate interest pursued by the controllers or by a third party, except where such interest are overridden by the interests or fundamental rights or freedoms of the data subject which requires protection of personal data (GDPR Art 6. 1 (f))

Each school that enters pupil data has been identified as a data controller.

The online data system is currently operated on behalf of EHU by Data Architects Ltd., who are certified as meeting the ISO 27001 standard for information security management. Data Architects Ltd. is recognised as a data processor for this purpose. Data that is processed directly by EHU is governed by EHU’s Information Security Policy, which is aligned to ISO 27001.

The online system is password protected and schools can only enter and view data relating to their own pupils. Only authorised EHU staff can access the data and no hard copy records are stored. EHU will not share the data with any third party and will not transfer it outside the European Union.

The online data system is currently operated on behalf of EHU by Data Architects Ltd., who are certified as meeting the ISO 27001 standard for information security management. Data Architects Ltd. is recognised as a data processor for this purpose. Data that is processed directly by EHU is governed by EHU’s Information Security Policy, which is aligned to ISO 27001.

The online system is password protected and schools can only enter and view data relating to their own pupils. Only authorised EHU staff can access the data and no hard copy records are stored. EHU will not share the data with any third party and will not transfer it outside the European Union.