General Data Protection Regulation (GDPR)

1. Statement of intent

Inclusion Hampshire is required to keep and process certain information about it’s staff members and learners in accordance with it’s legal obligations under the General Data protection Regulation (GDPR) and is on the Information Commissioner’s Office (ICO) Data protection register.

Inclusion Hampshire (the ‘controller’) may be required to share information about it’s staff or learners with other organisations including but not limited to, schools, Local Authority, educational bodies and Social Services.

This policy is in place to ensure all staff and trustees are aware of their responsibilities and outline how we comply with the following core principles of the GDPR.


2. Legal Framework

This policy has due regard to legislation, including, but not limited to the following:

– The General Data Protection regulation (GDPR)

– The Freedom of Information Act 2000

– The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004

3. Applicable Data

For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual. The GDPR applies to both electronically stored personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as chronologically ordered data and pseudonymised data, eg key – coded.

Sensitive personal data, known as ‘Special categories of personal data’ (Article 9 GDPR) processing should be kept extra secure, these include: racial and ethnic origin, political opinions, religious and philosophical beliefs, trade unions, genetic or biometric data, health, sexual life and sexual orientations.

4. Principles

In accordance with the requirements outlined in the GDPR, personal data will be:

The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.


5. Accountability

Inclusion Hampshire will implement measures that meet the principles of data protection by design and data protection by default, such as:

Data protection impact assessments will be used, where appropriate.


6. Data protection officer (DPO)

A DPO will be appointed in order to:

An existing employee will be appointed to the role of DPO provided that their duties are compatible with the duties of the DPO and do not lead to a conflict of interests.

The DPO will report to the CEO and Trustee board.

The DPO will operate independently and will not be dismissed or penalised for performing their task. And sufficient resources will be provided to enable them to meet their GDPR obligations.


7. Lawful processing

The legal basis for processing will be identified and documented prior to data being processed.

Under GDPR, data will be lawfully processed under the following conditions:

Where personal data is transferred to a country or territory outside the European Economic Area. we will do so in accordance to data protection law.

8. Consent

Inclusion Hampshire understands that consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes.

Consent will only be accepted where it is freely given, specific, informed and unambiguous indication of the individual’s wishes.

Where consent is given, a record will be kept documenting how and when consent was given.

Inclusion Hampshire ensures that consent mechanisms meet the standards of GDPR. Where consent is not the most appropriate legal basis, an alternative for processing the data will be used.

Consent accepted under the DPA will be reviewed to ensure it meets the standards of GDPR; however acceptable consent obtained under the DPA will not be re-obtained.

Inclusion Hampshire understands that consent can be withdrawn by the individual at any time.

The consent of parents will be sought prior to the processing of a child’s data, except where the processing is related to preventative or counselling services offered directly to a young person.

9. The right to be informed

The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.

If services are offered directly to a young person, Inclusion Hampshire will ensure that the privacy notice is written in a clear, plain manner that they will understand.

In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:

Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.

Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.

For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.

In relation to data that is not obtained directly from the data subject, this information will be supplied:


10. The right of access

Individuals have the right to obtain confirmation that their data is being processed.

Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.

Parents / Carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.

Parents also have the right to make a SAR with respect to any personal data held about them.

Inclusion Hampshire will verify the identity of the person making the request before any information is supplied.

If a SAR is made and we do hold information on the individual we will:

A copy of the information will be supplied to the individual free of charge; however, Inclusion Hampshire may impose a ‘reasonable fee’ to comply with requests for further copies of the same information or is manifestly unfounded or excessive. Any fees will be based on the administrative cost of providing the information.

Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.

All requests will be responded to without delay and at the latest, within one month of receipt.


11. The right to rectification (Article 17 GDPR)

Individuals are entitled to have any inaccurate or incomplete personal data rectified without delay.

Where the personal data in question has been disclosed to third parties, Inclusion hampshire will inform them of the rectification where possible.

Where appropriate, Inclusion Hampshire will inform the individual about the third parties that the data has been disclosed to.


12. The right to be forgotten. (Article 16 GDPR)

Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Individuals have the right to erasure in the following circumstances:

13. The right to restrict processing (Article 18 GDPR)

  Individuals have the right to restrict Inclusion Hampshire processing their personal data.

In the event that processing is restricted, Inclusion Hampshire will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.

As directed in Article 18 of GDPR, Inclusion Hampshire will restrict the processing of personal data in the following circumstances:

If the personal data in question has been disclosed to third parties, Inclusion Hampshire will inform them about the restriction on the processing of the personal data.

14. The right to data portability (Article 20 GDPR)

Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

Data subjects have the the right to be given their data in a structured and commonly used machine readable format and ask for it to be sent to another organisation of their choice.

15. The right to object

Inclusion Hampshire will inform all individuals of their right to object, this will be in the privacy notice and presented clearly and separately from any other information.

16. Data protection impact assessments

Inclusion Hampshire will act in accordance with the GDPR by adopting a Data protection by design approach which demonstrates how it has considered and integrated data protection into processing activities.

Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with Inclusion Hampshire’s data protection obligations and meeting individuals’ expectations of privacy.

A DPIA will be used as part of the planning or when reviewing organisational processes or activities, especially in the use of special category data, they will include:

17. Data breaches

The term ‘personal data breach’ refers to a breach of security which has led to the accidental or unlawful destruction, loss, alteration, disclosure or access to personal data transmitted, stored or otherwise processed.

The CEO will ensure that all staff members are made aware of, and understand, what constitutes as a data breach as part of their continuous development training.

Effective and robust breach detection, investigation and internal reporting procedures are in place at Inclusion Hampshire, which facilitate decision-making in relation to whether the Information Commissioner’s Office (ICO) need be informed or the relevant data subjects only .

Within a breach notification, the following information will be outlined (Article 34 GDPR):

Where a breach is likely to result in a risk to the rights and freedoms of individuals, the Information Commissioner’s Office (ICO) will be informed. All notifiable breaches will be reported to the ICO within 72 hours of Inclusion Hampshire becoming aware of it. The risk of the breach having a detrimental effect on the individual, and the need to notify the ICO , will be assessed on a case-by-case basis, if not required to be reported to the ICO it must be detailed on the internal breach log.

18. Data security

Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access.

Confidential paper records will not be left unattended or in clear view anywhere with general access.

Digital data is coded, encrypted or password-protected and stored on the Inclusion Suite cloud based system only accessible by authorised persons via individual logins.

Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.

All electronic devices are password-protected to protect the information on the device in case of theft.

When staff use personal or external agency laptops or computers to access Inclusion Suite cloud based system, they must not download any documents containing identifiable data.

All necessary members of staff are provided with their own secure login and password to  Inclusion Suite and are encouraged to change their password regularly plus log out of all systems when not using.

Emails containing sensitive or confidential information are password-protected if there are unsecure servers between the sender and the recipient.

Emails to multiple persons outside of the organisation are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients.

Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security, e.g. keeping devices under lock and key. The person taking the information from Inclusion Hampshire premises accepts full responsibility for the security of the data.

Before sharing data, all staff members will ensure:

Under no circumstances are visitors allowed access to confidential or personal information.

Visitors to Inclusion Hampshire are supervised at all times to ensure they have no access to data. The physical security of Inclusion Hampshire’s buildings and storage systems, and access to them, is reviewed on a termly basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.

Inclusion Hampshire takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.

The Data Protection Officer is responsible for continuity and recovery measures are in place to ensure the security of protected data.

19. Data retention

Data will not be kept for longer than is necessary, and only ever in line with referring schools and agencies and the current guidelines for that specific purpose.

Unrequired data will be deleted as soon as practicable.

Paper documents will be shredded and electronic memories deleted, once the data should no longer be retained.

20. DBS data

All data provided by the DBS will be handled in line with data protection legislation and the regulatory umbrella organisation we use to process them. Information relating to the completion of and details of the disclosure will be only available to the CEO (and any Senior Managers as they deem necessary) and the HR Officer for Inclusion Hampshire.

Data Protection Officer: Emma Barnard

Contact: You can reach Emma directly through our