MYSTICAL ROSE COLLEGE OF SCIENCE AND TECHNOLOGY

Pogonlomboy, Mangatarem, Pangasinan

Mobile No.: 0917-883-4171

DATA PRIVACY POLICY AND GUIDELINES

INTRODUCTORY STATEMENT
The school's Data Protection Policy applies to the personal data held by the school's Board of
Trustees (BoT), which is protected by the Data Protection Acts 1988 to 2018 the EU General Data
Personal Regulation (GDPR).
The policy applies to all school staff, the Board of Trustees, parents/guardians, students and others
(including prospective or potential students and their parents/guardians and applicants for staff
positions within the school) insofar as the measures under the policy relate to them. Data will be
stored securely, so that confidential information is protected in compliance with relevant legislation.
This policy sets out the manner in which personal data and special categories of personal data will
be protected by the school.
Mystical Rose College of Science and Technology operates a "Privacy by Design" method in relation
to Data Protection. This means we plan carefully when gathering personal data so that we build in
the data protection principles as integral elements of all data operations in advance. We audit the
personal data we hold in order to:
1. be able to provide access to individuals to their data;
2. ensure it is held securely;
3. document our data protection procedures; and
4. enhance accountability and transparency.

DATA PROTECTION PRINCIPLES

The school BoT is a data controller of personal data relating to its past, present and future staff,
students, parents/guardians and other members of the school community. As such, the BoT is
obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 to
2018 and GDPR, which can be summarized as follows:
1. Obtain and process personal data fairly
Information of students is gathered with the help of parents/guardians and staff.
Information is also transferred from their previous schools. In relation to information the
school holds on other individuals (members of staff, individuals applying for positions within
the school, parents/guardians of students, etc.), the information is generally furnished by
the individuals themselves with full and informed consent and compiled during the course of
their employment or contact with the school. All such data is treated in accordance with the
Data Protection legislation and the terms of this Data Protection Policy. The information will
be obtained and processed fairly.
2. Consent
Where consent is the basis for provision of personal data, (e.g., data required to join sports
team/ after-school activity or any other optional school activity) the consent must be a freely-
given, specific, informed and unambiguous indication of the data subject's wishes. Mystical
Rose College of Science and Technology will require a clear, affirmative action e.g. ticking of a
Data Privacy Policy and Guidelines 1
 box/signing a document to indicate consent. Consent can be withdrawn by data subjects in
these situations.
3. Keep it only for one or more specified and explicit lawful purposes
The BoT will inform individuals of the reasons they collect their data and the uses to which
their data will be put. All information is kept with the best interest of the individual in mind
at all times.
4. Process it only in ways compatible with the purposes for which it was given initially
Data relating to individuals will only be processed in a manner consistent with the purposes
for which it was gathered. Information will only be disclosed on a need to know basis, and
access to it will be strictly controlled.
5. Keep personal data safe and secure
Only those with a genuine reason for doing so may gain access to the information. Personal
Data is securely stored under lock and key in the case of manual records and protected with
computer software and password protection in the case of electronically stored data. Portable
devices storing personal data (such as laptops) are password-protected.
6. Keep personal data accurate, complete and up-to-date
Students, parents/guardians, and/or staff should inform the school of any change which the
school should make to their personal data and/or sensitive personal data to ensure that the
individual's data is accurate, complete and up-to-date. Once informed, the school will make
all necessary changes to the relevant records. Records must not be altered or destroyed
without proper authorization.
7. Ensure that it is adequate, relevant and not excessive
Only the necessary amount of information required to provide an adequate service will be
gathered and stored.
8. Retain it no longer than is necessary for the specified purpose or purposes for which it
was given
As a general rule, the information will be kept for the duration of the individual's time in the
school. Thereafter, the school will comply with DES guidelines on the storage of personal
data relating to a student. In the case of members of staff, the school will comply with both
DES guidelines and the requirements of the Revenue Commissioners with regard to the
retention of records relating to employees. The school may also retain the data relating to an
individual for a longer length of time for the purposes of complying with relevant provisions of
law and or defending a claim under employment legislation and/or contract and/or civil law.
See School Record Retention table
9. Provide, a copy of their, personal data to and individual on request
Individuals have a right to know and have access to a copy of personal data held about them,
by whom, and the purpose for which it is held.

SCOPE
The Data Protection legislation applies to the keeping and processing of personal data. The
purpose of this policy is to assist the school to meet its statutory obligations, to explain those
obligations to school staff, and to inform staff, students and their parents/guardians how their
data will be treated.

The policy applies to all school staff, the Board of Trustees, parents/guardians, students and
others (including prospective or potential students and their parents/guardians, and applicants
for staff positions within the school) insofar as the school handles or processes their personal
data in the course of their dealings with the school

Data Privacy Policy and Guidelines 2

 Definition of Data Protection Terms
In order to properly understand the school's obligations, there are some key terms, which should
be understood by all relevant school staff:
 Personal Data means any data relating to an identified or identifiable natural person i.e. a
living individual who is or can be identified either from the data or from the data in
conjunction with other information that is in, or is likely to come into, the possession of the
Data Controller (BoT)
 Data Controller is the Board of Trustees of the school
 Data Subject - is an individual who is the subject of personal data
 Data Processing - performing any operation or set of operations on data, including:
 Obtaining, recording or keeping the data,
 Collecting, organizing, storing, altering or adapting the data.
 Retrieving, consulting or using the data.
 Disclosing the data by transmitting, disseminating or otherwise making it available.
 Aligning, combining, blocking, erasing or destroying the data
 Data Processor - a person who processes personal information on behalf of a data controller,
but does not include an employee of a data controller who processes such data in the course
of their employment, for example, this might mean an employee of an organization to which
the data controller out-sources work. The Data Protection legislation places responsibilities
on such entities in relation to their processing of the data. Mystical Rose College of Science
and Technology uses Aladdin to process data.

Special categories of Personal Data refers to Personal Data regarding a person's

 racial or ethnic origin
 political opinions or religious or philosophical beliefs
 physical or mental health
 sexual life and sexual orientation
 genetic and biometric data
 criminal convictions or the alleged commission of an offence
 trade union membership

 Personal Data breach - a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or
otherwise processed. This means any compromise or loss of personal data, no matter how or
where it occurs.

RATIONALE
In addition to its legal obligations under the broad remit of educational legislation, the school has a
legal responsibility to comply with the Data Protection Acts 1988 to 2O18 and the GDPR.

This policy explains what sort of data is collected, why it is collected, for how long it will be stored
and with whom it will be shared. The school takes its responsibilities under data protection law very
seriously and wishes to put in place safe practices to safeguard individual's personal data. It is also
recognized that recording factual information accurately and storing it safely facilitates an
evaluation of the information, enabling the Principal and Board of Trustees to make decisions in
respect of the efficient running of the school. The efficient handling of data is also essential to
ensure that there is consistency and continuity where there are changes of personnel within the
school and Board of Trustees.

Data Privacy Policy and Guidelines 3

OTHER LEGAL OBLIGATIONS
Implementation of this policy takes into account the school's other legal obligations and
responsibilities. For example:

Under Section 9(g) of the Education Act, 1998. the parents of a student, or a student who has
reached the age of 18 years, must be given access to records kept by the school relating to the
progress of the student in their education Under Section 2A of the Education (Welfare) Act,
2000, the school must maintain a register of all students attending the School

Under Section 2O(5) of the Education (Welfare) Act,2000 , a Principal is obliged to notify certain
information relating to the child's attendance in school and other matters relating to the child's
educational progress to the Principal of another school to which a student is transferring.

Mystical Rose College of Science and Technology sends, by post, a copy of a child's Passport, as
provided by the National Council for Curriculum and Assessment, to the Principal of the Post-
Primary School in which the pupil has been enrolled

Where reports on pupils which have been completed by professionals, apart from Mystical Rose
College of Science and Technology staff, are included in current pupil files, such reports are only
passed to the Post-Primary school following express written permission having been sought and
received from the parents of the said pupils.

Under Section 21 of the Education (Welfare) Act, 2000, the school must record the attendance
or non-attendance of students registered at the school on each school day.

Under Section 28 of the Education (Welfare) Act, 2000, the School may supply Personal Data
kept by it to certain prescribed bodies (the Department of Education and Skills, TUSLA, the
National Council for Special Education and other schools). The BoT must be satisfied that it will be
used for a 'relevant purpose' (which includes recording a person's educational or training history or
monitoring their educational or training progress; or for carrying out research into examinations,
participation in education and the general effectiveness of education or training)

Under Section 14 of the Education for Persons with Special Education needs Act, 2004, the
school is required to furnish to the National Council for Special Education (and its employees,
which would include Special Educational Needs Organizers) such information as the Council may
from time to time reasonably request.

The Freedom of Information Act of 1997 provides a qualified right to access to information held
by public bodies which does not necessarily have to be "personal data", as with data protection
legislation. While most schools are not currently subject to freedom of information legislation, (with
the exception of schools under the direction of Education and Training Boards), if a school has
furnished information to a body covered by the Freedom of Information Act (such as the
Department of Education and Skills, etc.) these records could be disclosed by that body if a request
is made to that body.

Under Section 26(4) of the Health Act of 1947 a School shall cause all reasonable facilities
(including facilities for obtaining names and addresses of pupils attending the school) to be given to
a health authority who has served a notice on it of medical inspection, e.g. a dental inspection

Data Privacy Policy and Guidelines 4

Under Children First Act of 2015, mandated persons in schools have responsibilities to report
child welfare concerns to TUSI-A- Child and Family Agency (or in the event of an emergency and the
unavailability of TUSLA, to An Garda Siochiina)

RELATIONSHIP TO CHARACTERISTIC SPIRIT OF THE SCHOOL

Mystical Rose College of Science and Technology seeks to:

 enable students to develop their full potential
 provide a safe and secure environment for learning
 promote respect for the diversity of values, beliefs, traditions, languages and ways of life in
society

We aim to achieve these goals while respecting the privacy and data protection rights of students,
staff, parents/guardians and others who interact with us. The school wishes to achieve these
aims/missions while fully respecting individuals' rights to privacy and rights under the Data
Protection legislation.

PERSONAL DATA

The Personal Data records held by the school may include:

1. Staff records:
a) Categories of staff data:
As well as existing members of staff (and former members of staff), these records may also
relate to applicants applying for positions within the school, trainee teachers and teachers
under probation. These staff records may include:
 Name, address and contact details, PPS number.
 Name and contact details of next-of-kin in case of emergency.
 Original records of application and appointment to promotion posts
 Details of approved absences (career breaks, parental leave, study leave, etc.) . Details
of work record (qualifications, classes taught, subjects, etc.)
 Details of any accidents/injuries sustained on school property or in connection with
the staff member carrying out their school duties
 Records of any reports the school (or its employees) have made in respect of the staff
member to State departments and/or other agencies under Children First Act 2015
b) Purposes:
Staff records are kept for the purposes of:
 the management and administration of school business (now and in the future)
 to facilitate the payment of staff, and calculate other benefits/entitlements (including
reckonable service for the purpose of calculation of pension payments, entitlements
and/or redundancy payments where relevant)
 to facilitate pension payments in the future
 human resources management
 recording promotions made (documentation relating to promotions applied for) and
changes in responsibilities, etc.
 to enable the school to comply with its obligations as an employer, including the
preservation of a safe, efficient working and teaching environment (including
complying with its responsibilities under the Safety, Health and Welfare at Work Act
20os)

Data Privacy Policy and Guidelines 5

  to enable the school to comply with requirements set down by the Department of
Education and Skills, the Revenue Commissioners, the National Council for Special
Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory
departments and/or agencies and for compliance with legislation relevant to the
school.
c) Location and Security procedures of Mystical Rose College of Science and Technology
a. Manual records are kept in a secure, locked filing cabinet only accessible to personnel
who are authorized to use the data. Employees are required to maintain the
confidentiality of any data to which they have access.
b. Digital records are stored on password-protected computers. The school has the
burglar alarm activated during out-of-school hours.

2. Student records:
a) Categories of student data:
These may include:
 Information which may be sought and recorded at enrolment and may be collated and
compiled during the course of the student's time in the school. These records may include:
o name, address and contact details, PPS number
o date and place of birth
o names and addresses of parents/guardians and their contact details (including any
special arrangements with regard to guardianship, custody or access)
o religious belief
o racial or ethnic origin
o membership of the Traveler community, where relevant
o whether they (or their parents) are medical card holders
o whether English is the student's first language and/or whether the student requires
English language support
o any relevant special conditions (e.9. special educational needs, health issues, etc.)
which may apply.
 Information on previous academic record (including reports, references, assessments and
other records from any previous school(s) attended by the student
 Psychological, psychiatric and/or medical assessments/forms
 Permission slips/consent forms
 Attendance records
 Photographs and recorded images of students (including at school events and noting
achievements) are managed in line with the accompanying policy on school photography
 Academic record - subjects studied, class assignments, examination results as recorded on
official School reports
 Records of significant achievements
 Whether the student is exempt from studying Irish
 Records of disciplinary issues/investigations and/or sanctions imposed
 Other records e.g. records of any serious injuries/accidents, etc.
 Records of any reports the school (or its employees) have made in respect of the student to
State Departments and/or other agencies under Children First Act 2015.

b) Purposes: The purposes for keeping student records include:

 to enable each student to develop to his/her full potential
 to comply with legislative or administrative requirement’s

Data Privacy Policy and Guidelines 6

  to ensure that eligible students can benefit from the relevant additional teaching or
financial supports
 to support the provision of religious instruction
 to enable parents/guardians to be contacted in the case of emergency or in the case of
school closure, or to inform parents of their child's educational progress or to inform
parents of school events, etc.
 to meet the educational, social, physical and emotional requirements of the student
 photographs and recorded images of students are taken to celebrate school achievements,
e.g. compile yearbooks, establish a school website, record school events, and to keep a
record of the history of the school. Such records are taken and used in accordance with the
‘School Photography Policy' and ‘School Website Privacy Statement'.
 to ensure that the student meets the school's admission criteria r to ensure that students
meet the minimum age requirement for attendance at Primary School.
 to ensure that any student seeking an exemption from Irish meets the criteria in order to
obtain such an exemption from the authorities
 to furnish documentation/information about the student to the Department of Education
and Skills, the National Council for Special Education, TUSLA and other schools, etc. in
compliance with law and directions issued by government departments
 to furnish, when requested a list of names of children and contact details for parents by
HSE for screening, vaccinations etc.
 to furnish, when requested by the student (or their parents/guardians in the case of a
student under 18 years) documentation/information references to second-level educational
institutions.
c) Location and Security procedures as above

3. Board of Management records:

a) Categories of Board of Trustees data:
 name, address and contact details of each member of the Board of Trustees (including
former members of the Board of Trustees)
 Records in relation to appointments to the Board
 Minutes of Board of Trustees meetings and correspondence to the Board which may
include references to individuals
b) Purposes:
To enable the Board of Trustees to operate in accordance with the Education Act 1998 and
other applicable legislation and to maintain a record of Board appointments and decisions.

c) Location and Security procedures as above

4. Other Records: Creditors

a) Categories of Baard of Management data:

The school may hold some or all of the following information about creditors (some of whom
are self-employed individuals):
 name
 address
 contact details
 PPS number
 tax details
 bank details; and

Data Privacy Policy and Guidelines 7

  amount paid

b) Purposes:
The purposes for keeping creditor records are:
This information is required for routine management and administration of the school's
financial affairs, including the payment of invoices, the compiling of annual financial
accounts and complying with audits and investigations by the Revenue Commissioners.

c) Location and Security procedures as above

5. Other Records: Charity Tax-back Forms

a) Categories of Board of Management data:
The school may hold the following data in relation to donors who have made charitable
donations to the school:
 Name
 Address
 Telephone number
 PPS number
 Tax rate
 signature and
 The gross amount of the donation.

b) Purposes: The purposes for keeping creditor records are:

Schools are entitled to avail of the scheme of tax relief for donations of money they receive. To
claim the relief, the donor must complete a certificate (CHY2) and forward it to the school to
allow it to claim the grossed up amount of tax associated with the donation. The information
requested on the appropriate certificate is the parents' name, address, PPS number, tax rate,
telephone number, signature and the gross amount of the donation. This is retained by the
School in the event of audit by the Revenue Commissioners.

c) Location and Security procedures as above

6. Location and security of additional data

 Memory sticks and hard drives containing sensitive information must be password protected
and stored securely.
 Historical roll books will be stored securely in locked store room.

EXAMINATION RESULTS

The school will hold data comprising examination results in respect of its students. These may
include class, mid-term, annual and continuous assessment results and the results of Standardized
Tests

Purposes:
The main purpose for which these examination results are held is to monitor a student's progress
and to provide a sound basis for advising them and their parents or guardian about educational
attainment levels and recommendations for the future. The data may also be aggregated for
statistical/reporting purposes, such as to compile results tables. The data may be transferred to the

Data Privacy Policy and Guidelines 8

Department of Education and Skills, the National Council for Curriculum and Assessment and
other schools to which pupils move.

Location and Security procedures

As above

PROCESSING IN LINE WITH A DATA SUBJECT'S RIGHTS

Data in this school will be processed in line with the data subject's rights. Data subjects have a
right to:
 Know what personal data the school is keeping on them
 Request access to any data held about them by a data controller
 Prevent the processing of their data for direct-marketing purposes
 Ask to have inaccurate data amended
 Ask to have data erased once it is no longer necessary or irrelevant.

Data Processors
Our data processing agreement with Aladdin ensures Mystical Rose College of Science and
Technology third party agreement specifies the conditions under which the data may be processed,
the security conditions attaching to the processing of the data and that the data must be deleted or
returned upon completion or termination of the contract.

Personal Data Breaches

All incidents in which personal data has been put at risk must be reported to the Office of the Data
Protection Commissioner within 72 hours When the personal data breach is likely to result in a
high risk to the rights and freedoms of natural persons, the BoT must communicate the personal
data breach to the data subject without undue delay If a data processor becomes aware of a
personal data breach, it must bring this to the attention of the data controller (BoT) without undue
delay.

Dealing with a data access request

Individuals are entitled to a copy of their personal data on written request. The individual is entitled
to a copy of their personal data Request must be responded to within one month. An extension may
be required over holiday periods

No fee may be charged except in exceptional circumstances where the requests are repetitive or
manifestly unfounded or excessive

No personal data can be supplied relating to another individual apart from the data subject

PROVIDING INFORPIATION OVER THE PHONE

An employee dealing with telephone enquiries should be careful about disclosing any personal
information held by the school over the phone. In particular, the employee should:
 Ask that the caller put their request in writing
 Refer the request to the Principal for assistance in difficult situations
 Not feel forced into disclosing personal information

Data Privacy Policy and Guidelines 9

SHARING INFORMATION WITH PARENTS ASSOCIATION
 Only names and class will be shared with Parents Association on request.
 Parents Association must abide by the Data Protection Policy of the school.
 Information must be destroyed immediately after its intended purpose.

DATA AUDIT & DISCONTINUED DATA

Discontinued data will be shredded in school annually after a data audit.

IMPLEMENTATION ARRANGEMENTS, ROLES AND RESPONSIBILITIES

The BoT is the data controller and the Principal implements the Data Protection Policy, ensuring
that staff who handle or have access to Personal Data are familiar with their data protection
responsibilities

The following personnel have responsibility for implementing the Data Protection Policy:
Name Responsibility
Board of Management: Data Controller Principal:
Implementation of Policy

MONITORING THE IMPLEMENTATION OF THE POLICY

The implementation of the policy shall be monitored by the Principal, staff and the Board of
Trustees.

REVIEWING AND EVALUATING THE POLICY

The policy will be reviewed and evaluated as needed. On-going review and evaluation will take
cognizance of changing information or guidelines (e.g., from the Data Protection Commissioner,
Department of Education and Skills or TUSLA), legislation and feedback from parents/guardians,
students, school staff and others. The policy will be revised as necessary in the light of such review
and evaluation and within the framework of school planning.

Data Privacy Policy and Guidelines 10