Attention: You are using an outdated browser, device or you do not have the latest version of JavaScript downloaded and so this website may not work as expected. Please download the latest software or switch device to avoid further issues.
The Hymers College Archive
What is the Hymers College archive?
The Hymers College ( Hymers) Archive is a collection of documents, photographs, magazines, artefacts, books, and digital material relating to the history of the School and its pupils. This collection dates back to the founding of the school in 1893
What is the purpose of the archive?
Ø Locate, select, document, and preserve the records Hymers College
Ø Make records accessible and encourage their use by:
- The Hymers Community, including staff, pupils, alumni and parents, providing information to support their activities.
- Legitimate public enquirers to assist with their research, private study and interest in the history of Hymers College and related subjects.
There are six broad categories of records in the archive:
Ø Administration
Ø Finance
Ø Pupils
Ø Staff
Ø Curriculum
Ø Co-curricular
The Development Office collects material relating to these areas of school life
How is the archive created?
New material arrives in the archive in three ways:
1. Internal transfer of material selected for permanent preservation as material of “enduring value” from school departments
2. External donations of material from Old Hymerians and others
3. Purchase of material from eBay and other websites by the Development Team
Access
Access to the archive is provided in a number of ways:
Ø In-person educational sessions for current students
Ø Digitisation of material and publication on social media and Hymers specific platforms
Ø A central catalogue which has been made available online
Ø Exhibitions within the School
Ø Talks to external groups
Ø Through the answering of archive enquiries from the Hymers community and the general public via email, phone and letter
GDPR
The Hymers archive adheres to the GDPR that governs the retention and use of personal data. Our basis for the retention of personal data is grounded in Article 89 of the GDPR[1] which allows us to store and maintain archive collections with:
”Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
This refers only to archive documents and not to other documents held by the School that are still used operationally. It refers to archive documents which contain information about living persons. It refers to both physical and digital records. It refers to all personal data including “special category” data.
Records kept indefinitely for the purposes of archiving “in the public interest” are exempt from certain general principles of GDPR if applying those principles would prevent or seriously impair the archiving purpose and provided certain safeguards are followed.
How do Hymers archive records qualify for higher protection under “archiving purposes in the public interest”?
Hymers is an independent school and has charitable status. The John Hymers Bursary scheme provides subsidised or free education, it also has a long history of engagement with the wider public through community and charity work and has links with local state schools. The Hymers archive endeavors to provide access to members of the general public in addition to members of the Hymers community. Access is often given to genealogical and academic researchers. Over the past 3 years since the formation of the Development Office, the Hymers archive has received research enquiries every year from individuals external to the School.
The archive holds historic records of “enduring value”. Whilst the GDPR does not provide a definition, the Hymers records fit the definition given by The National Archives:
“Records which have been subject to an appraisal process and deemed worthy of permanent preservation and have been accessioned by an archive service”
Active retention of pupil records
On admission to Hymers, records of a pupil are created for operational use by the School. These records are in a digital format and the current policy is to keep these records for 25 years from the birth date of the pupil. Once a pupil has left the School, there should be a transfer of key data from these records SIMS system to the Hymers College Toucan database. The key data are as follows:
Ø Full name
Ø Date of birth
Ø Address
Ø Previous school
Ø Grades
Ø Class names/Form teachers
Ø Religion
Ø Ethnicity
Ø Grades and exam board
Ø Prizes
Ø Co-curricular involvement
For more information on Toucantech:
Where is data stored?
ToucanTech stores all data on one of our dedicated secure cloud servers hosted by Amazon Web Services (AWS) with all data remaining within the jurisdiction of the server. Plus customer data is held on a separate database of their own.
How is the data protected?
We encrypt data
We set up SSL certificates for each of our client websites to ensure encrypted data transmission between server and browser and all database data is encrypted using the Amazon encryption key service.
General Data Protection Regulations
We are registered with the UK’s Information Commissioner’s Office (ICO) to handle all of our customer databases, as well as adhering to the privacy policies of multiple global jurisdictions, including the EU’s GDPR and Australian, UK and US data privacy laws.
Accountability for data security at ToucanTech
Our data protection officer (DPO) is our Director of Finance & Operations, who ensures that we comply with international data regulations and that all of our data is processed safely and securely. Every new team member adheres to our Information Security Policy, which is available to view upon request.
Vulnerability and penetration scanning
In order to identify vulnerabilities, we run malware and antivirus scans daily, as well as monthly penetration scans and patch updates as additional security measures.
Additional firewall protections
We use two types of firewalls to ensure protection for our clients and their data. Virtual network firewalls restrict server traffic, and web application firewalls, which detect and protect against unwanted intrusions on all our web servers.
Regular data back-ups and disaster recovery plans
We ensure that full back-ups of all website files and databases are made every 24 hours on our live servers. In addition, a full SQL back-up of each customer's database is saved to a backup server in a separate location on the first day of each month and made available for the customer to download.
And many helpful tools available to help you keep your data secure
Enable different permissions levels for each of your administrators, restricting their access to the data they require to perform their job. Audit trails track the data changes and reports accessed by your team. Plus with MFA (multi-factor authentication), you have one of the most effective ways to prevent unauthorised access to your data.
ToucanTech is a cloud software used by organisations internationally, including schools, universities, nonprofits, clubs and companies, to manage a community database/CRM and a connected website.
A separate document should be created using SIMS to provide a modern “admissions register”, giving brief details of each student starting Hymers in any given year. Brief details should include – name, date of birth, previous school and address.
Toucantech is our networking platform exclusively for Old Hymerians which is accessed only through having an approved profile linked to Toucantech. The privacy policy indicates that users outside of the platform cannot see any individual’s information, and data is stored only for registered users for the duration that they have a profile on the platform.
Retention of Photographs
At present, the School seeks parental consent to take and use photographs of pupils during their time at Hymers. Once an individual has left the School, such photographs are preserved in the School archive. Individuals who decide they no longer wish to allow the School to use their image should contact the School who will ensure that such photographs are not publically displayed in School or online.
Processing for Archiving Purposes in the Public Interest
Lawful processing – There is an (EU) expectation that archive services are supported by a formal legal obligation but in the UK this is often not the case. However, Ministers, DCMS and ICO agree in principle that archive services should continue. House of Commons Written Answer specified this and should provide legal basis: https://www.parliament.uk/business/publications/written-questions-answersstatements/written-question/Commons/2017-11-03/111381/
“We recognise the importance of the permanent preservation of archives for long-term public benefit by museums, galleries, archives and libraries. The General Data Protection Regulation (GDPR) and the Data Protection Bill permit such organisations to process personal data (including sensitive personal data) without consent, where necessary for “archiving purposes in the public interest”
This is subject to appropriate safeguards for the rights and freedoms of data subjects. It also exempts archiving services from complying with certain rights of data subjects (for example, rights to access, rectify or erase their data), where the exercise of such rights would seriously impair or prevent them from fulfilling their objectives.
What safeguards has the School put in place to protect archived personal data from unauthorised or unlawful processing and from accidental destruction or damage?
Ø Physical records containing personal data are kept in areas of the school that are locked and secure, and are only accessible by very limited staff
Ø Digital records that contain personal data are secured in line with the School’s I.T. security policies and procedures
Ø Access to personal data is only given to a small number of staff who have received appropriate GDPR training
Ø Researchers visiting the Hymers archive are not given access to any material that includes personal data
Ø Records that have been selected for permanent preservation will cease to be used operationally for their original purpose once they reside in the archive and have been designated as having “enduring value”.
What is the purpose of the retention of personal data?
Personal data is kept beyond operational use in order to archive in the public interest. Whilst the original stated purpose of the school records is not for archiving and public access, Article 5 (1)(b) of the GDPR provides that the purpose of archiving in the public interest is never incompatible with the original purpose.
Will personal data be processed fairly?
We will ensure that there are adequate safeguards in place to protect the rights and freedoms of the Data Subject. Sensitive data will embargoed until the passage of time makes the data safe for dissemination – one hundred years from the date of birth of the data subject or on their death. Safeguards will prevent the Data Subject from substantial distress or damage or from decisions of legal importance.
Will personal data be processed transparently?
Section 28 (2)(a) of Schedule 2 of the 2018 Act provides the requirement that to give confirmation to the Data Subject of the existence and details of processing of their data does not apply to data that is being processed for “archiving in the public interest” to the extent that the requirement would prevent to impair the archiving process. In order to fulfil the transparency principle of the GDPR we have published the following information on data collection:
1. Identity of the Data Controller – Hymers College
2. Contact details of the Privacy Officer – The Bursar
3. The purpose and legal basis of the processing - ”Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
4. The recipients of the personal data – the Hymers archive
5. Identity of any external Data Processor – Not applicable
6. How long data is stored for – In perpetuity
7. Which Data Subject rights apply to the processing
8. The right to lodge a complaint with the ICO
Once deposited in the archive, personal data in such records must not be erased, filtered, redacted or otherwise amended, as this would compromise the archival integrity of the documents and its ability to be recognised as qualifying for public interest protection.
What will the School do to limit substantial damage and distress to data subjects?
All records containing personal data are kept securely and access is limited to a small number of employees.
No data held in the Hymers archive will be used in decision-making about individuals.
All records retained permanently in the School archive are those records that have been either 1) indicated as records of enduring value on the School’s retention schedule or 2) been donated or purchased from external individuals and fit with the purpose of the archive outlined in this policy
[1] https://www.privacy-regulation.eu/en/article-89-safeguards-and-derogations-relating-to-processing-for-archiving-purposes-the-public-interest-scientific-or-hi-GDPR.htm