General Data Protection Policy
Direct English is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA).
All staff and students have been informed of the new and updated GDPR (2018). Changes to data protection legislation implemented in the school’s policy shall be monitored in order to remain compliant with all legal requirements.
The legal basis for Collection and Use of your Personal data is as follows:
(a) Consent: the member of staff/student/parent has given clear consent for the school to process their personal data for a specific purpose.
(b) Contract: the process is necessary for the member of staff’s employment contract or student placement contract.
(c) Legal obligation: the process is necessary for the school to comply with the law (not including contractual obligations)
Staff responsible for data protection are in Management, Marketing, and Administration departments. However, all staff must treat all student information in a confidential manner and follow the guidelines as set out in this document. The school is also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided to them. The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services within the school.
- Personal and Sensitive Data:
All data within the school’s control shall be identified as personal, sensitive, or both to ensure that it is handled in compliance with legal requirements, and access to it does not breach the rights of the individuals to whom it relates.
The principles of the Data Protection Act shall be applied to all data processed:
Direct English will ensure that
- that data is fairly and lawfully processed
- that data is processed only for limited purposes
- that all data processed is adequate, relevant and not excessive
- that data processed is accurate, and not keptlonger than is necessary
- that data is processedin accordance with the data subject’s rights
- that data is secure
- that data is not transferred to other countries without adequate protection.
- Fair Processing / Privacy Notice:
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff and students prior to the processing of an individual’s data. All students are required to sign an application form with clearly stated Terms & Conditions which include information on personal data processing within the school according to the school’s policy and legal requirements.
There may be circumstances where the school is required either by law or in the best interests of our students or staff to pass information onto external authorities, for example local authorities or the department of health. These authorities are up to date with data protection laws and have their own policies relating to the protection of any data that they receive or collect. The intention to share data relating to individuals to an organisation outside of our school shall be clearly defined in writing, and details of the basis for sharing given. Data will only be shared with external parties in circumstances where it is a legal requirement to provide such information.
- Data Security:
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them. Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and report the performance.
- Data Access Requests (Subject Access Requests):
All individuals, whose data is held by us, has a legal right to request access to such data. Personal data about students will not be disclosed to third parties without their consent unless it is obliged by law.
Where any personal data is no longer required for its original purpose, an individual can request that the data is erased by the school including any data held by external contractors.
- Photographs and Videos:
Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school media only. Unless prior consent from students/parents/staff has been given, the school shall not utilise such images for publication or communication to external sources. It is the school’s policy that external parties may not capture images of staff or students without prior consent.
- Location of information and data:
Hard copy data, records and personal information are stored out of sight and in a locked cabinet. Sensitive or personal information and data should not be removed from the school site; however the school acknowledges that some staff may need to transport data between the school and their home in order to access it for work.
The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:
- Paper copies of data or personal information should not be taken off the school site. If these are misplaced they are easily accessed. If there is no way to avoid taking a paper copy of data off the school site, the information should not be on view in public places, or left unattended under any circumstances.
- Unwanted paper copies of data, sensitive information or student files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or student by name.
- Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.
- If information is being viewed on a PC, staff must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers.
- If it is necessary to transport data away from the school, it should be downloaded onto a USB stick. The data should not be transferred from this stick onto any home or public computers. Work should be edited from the USB, and saved onto the USB only.
These guidelines are clearly communicated to all school staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
- Data Disposal:
The school recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk. All data held in any form of media (paper & documents must be shredded. All (tape, electronic and media) should be wiped and physically destroyed when no longer required.
All data shall be destroyed to agreed levels meeting recognized national standards, with confirmation at completion of the disposal process. Disposal of IT assets holding data shall be in compliance with ICO guidance.
The school has identified a qualified source for disposal of IT assets and collections. The school also uses Shred-it to dispose of sensitive data that is no longer required.