Information systems are an essential element in the management of the school's resources and the maintenance and analysis of financial and other relevant data. These instructions seek to provide a consistent framework for the control of information systems relating to financial management and to ensure compliance with the Data Protection Act 1998. Guidance on the need for separate registration of data by school governors and/or Headteachers is set out in the attached appendix. Schools must ensure that sensitive or personal data is held securely and that access to it is restricted appropriately.
14.1 The Governing Body and the Headteacher shall be responsible for ensuring compliance with the requirements of the Data Protection Act 1998 in relation to the control of access to financial and personal data held at the school and shall register all data held at the school.
14.2 For the purpose of the Data Protection Act 1998 the Head of ICT Services shall be the nominated Data Protection Officer and be responsible for maintaining proper security, password protection, privacy and back-ups concerning information held centrally and for the implementation of, and compliance with, all requirements of current legislation and European Community Directives. Schools seeking advice should contact the Data Protection Officer.
14.4 The Governing Body and the Headteacher shall ensure that adequate arrangements exist for maintaining proper security of information held in the school's budgetary control system through the use and regular changing of passwords and the regular taking and secure storage of back-up copies, and for the implementation of, and compliance with, all requirements of current legislation and European Community Directives.
14.5 User access rights to the school's budgetary control and accounting system must be determined by the Headteacher so as to provide adequate separation of duties in accordance with guidance issued by the Head of Finance.
14.6 Headteachers shall be responsible for the safe custody of all computer hardware under the control of the school and shall include all equipment purchased from official budgets on an official inventory.
14.7 Headteachers shall be responsible for the safe custody of all computer application software system disks under the control of the school and shall ensure compliance with software licence agreements, and record all such software purchased from official budgets on an official inventory.
14.8 Headteachers shall be responsible for informing the Head of Finance of any development of new systems, or significant amendments to existing systems, both manual and computer-based, which involve financial operations or produce management data which forms the basis of financial decisions.
The Data Protection Act (1998) requires individuals, groups and organisations who are responsible for the contents and use of structured personal data to register as data controllers. The purpose for which the data are held must also be specified.
The Authority's notification does not cover individual schools, so each school needs to register separately. The 1998 Act, unlike the old Act, requires schools to register once only. The notification fee is £35 per year and schools will receive a reminder from the Data Protection Commissioner's office about 6 weeks before the payment becomes due.
The Information Commissioner's office has produced a template for a typical school's notification and it is strongly recommended that schools adopt this template as the basis of their notification when their notification becomes due. In this way it is very unlikely that the Commissioner would ever prosecute a school for not being registered for a particular purpose.
Personal data is defined as 'information about living, identifiable individuals'. This information need not be particularly sensitive and can be as little as a name, address or a photograph. Be aware that storing images on a school web site or the use of fingerprinting to control library usage can constitute processing personal data.
Processing is defined under the Act as all actions performed on the data from its collection to its eventual destruction.
The 1998 Data Protection Act covers manual records of personal data, which are part of a structured filing set. All schools should review their records held manually to determine whether or not their data is covered by the Act.