Data Protection and Privacy Policy
School Aims
- To ensure the confidentiality, integrity, and security of personal data collected, processed, and stored by the school.
- To uphold the rights of students, parents, and staff members regarding the use of their personal data.
- To comply with the requirements and principles outlined in the Personal Data (Privacy) Ordinance (PDPO) and other relevant regulations.
Rationale
The implementation of a comprehensive Data Protection and Privacy Policy is essential to safeguard the personal data of students, parents, and staff members against unauthorised access, use, or disclosure. By adhering to the principles and requirements outlined in the PDPO, the school aims to establish trust, transparency, and accountability in its data handling practices.
Purposes
- To establish guidelines and procedures for the collection, processing, and storage of personal data in accordance with the PDPO.
- To ensure that personal data is collected and used for lawful purposes directly related to the functions or activities of the school.
- To protect the confidentiality, accuracy, and security of personal data against unauthorised access, use, or disclosure.
- To provide data subjects with the right to access, correct, and request erasure of their personal data as outlined in the PDPO.
Guidelines
- Lawful Purpose: Personal data shall be collected and processed solely for legitimate educational purposes, such as student enrolment, academic assessment, and communication with parents. For example, student contact information may be collected for the purpose of sending important school updates and announcements.
- Accuracy and Retention: All reasonable steps shall be taken to ensure the accuracy and currency of personal data held by the school. Personal data shall be retained only for as long as necessary to fulfill the purposes for which it was collected. For example, outdated contact information for students or parents shall be promptly updated to ensure effective communication.
- Use of Data: Personal data shall be used only for the specific purposes for which it was collected, and shall not be disclosed or used for any other purpose without the explicit consent of the data subject. For example, student academic records shall not be shared with third parties without prior consent from the student or their parent/legal guardian.
- Data Security: Appropriate technical and organisational measures shall be implemented to protect personal data against unauthorised access, disclosure, or loss. For example, access controls and encryption protocols shall be used to secure sensitive student and staff information stored on school databases and servers.
- Openness and Transparency: The school shall maintain transparency regarding its data protection policies and practices, including the types of personal data collected, the purposes for which it is used, and the rights of data subjects. For example, the school's Privacy Notice shall be made available to students, parents, teachers, and administration staff, outlining their rights and responsibilities regarding the handling of personal data.
- Access and Correction: Data subjects shall have the right to request access to their personal data held by the school, and to request correction of any inaccuracies. For example, students or parents may request access to their academic records and request corrections to any errors or discrepancies found therein.
Types of Data
- Student Academic Records:
  - Retention Period: Permanently if requested by the student in the alumni information, or for the duration of the student's enrolment plus 7 years after graduation.
  - Example: Grades, transcripts, exam results, standardised test scores.
- Student Health Records:
  - Retention Period: Until 7 years after graduation.
  - Example: Immunisation records, medical history, allergy information.
- Attendance Records:
  - Retention Period: For the duration of the school year plus 7 years.
  - Example: Daily attendance records, tardiness reports, excused absence documentation.
- Parent/Guardian Contact Information:
  - Retention Period: Until the student leaves the school or until the parent/guardian requests removal.
  - Example: Phone numbers, email addresses, mailing addresses.
- Photographs and Videos:
  - Retention Period: For the duration of the student's enrolment plus 7 years after graduation, unless consent is obtained for longer retention.
  - Example: Class photos, event videos, extracurricular activity images.
- Special Education Records:
  - Retention Period: For 7 years after the student exits the special education programme.
  - Example: Individualised Education Plans (IEPs), assessment reports, progress notes.
- Library Records:
  - Retention Period: Until the end of the school year or until the materials are returned.
  - Example: Borrowing history, overdue notices, book reservation records.
- Incident Reports and Disciplinary Records:
  - Retention Period: Until the student leaves the school or 7 years after graduation.
  - Example: Incident reports, suspension records, disciplinary action documentation.
- Cookies:
  - Retention Period: 6 Months
  - Example: Essential cookies from DBIS sites
- Archived Parent Bulletins:
  - Retention Period: 1 Academic Year
  - Example: As part of the summer annual rollover process we will delete archived parent bulletins from two academic years ago.
Conclusion
The Data Protection and Privacy Policy aims to establish a framework for the lawful, fair, and transparent handling of personal data by the school, in compliance with the requirements of the Personal Data (Privacy) Ordinance. By adhering to the principles and guidelines outlined in this policy, the school seeks to ensure the protection of individuals' privacy rights and maintain trust in its data handling practices.