On the 25th May 2018 the General Data Protection Regulation (GDPR) will be applicable and the current Data Protection Act (DPA) will be updated by a new Act giving effect to its provisions. Before that time the DPA will continue to apply.
This Policy sets out the manner in which personal data of staff, students and other individuals is processed fairly and lawfully.
Malvern House collects and uses personal information about staff, students, parents or carers and other individuals who come into contact with the School. This information is gathered in order to enable us to provide education, accommodation, travel and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that our schools comply with their statutory obligations.
Each school has a designated data controller who ensures that we comply with the Data Protection Principles in the processing of personal data, including the way in which the data is obtained, stored, used, disclosed and destroyed. Each school must be able to demonstrate compliance. Failure to comply with the Principles exposes the School and staff to civil and criminal claims and possible financial penalties.
This Policy will ensure:
- Malvern House processes personal data fairly and lawfully and in compliance with the Data Protection Principles.
- All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities under this policy.
- That the data protection rights of those involved with the company are safeguarded.
- Confidence in the company’s ability to process data fairly and securely.
This Policy applies to:
- Personal data of all company employees, board members, students, parents and carers, interns, agents and any other person carrying out activities on behalf of the company or its schools.
- The processing of personal data, both in manual form and on computer.
- All staff and board members.
The Data Protection Principles
The company will ensure that personal data will be:
- Processed fairly, lawfully and in a transparent manner.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Kept securely and accessible only to authorised persons.
The company will be able to demonstrate compliance with these principles.
The company will have in place a process for dealing with the exercise of the following rights by Board members, staff, students, parents and members of the public in respect of their personal data:
- to be informed about what data is held, why it is being processed and who it is shared with;
- to access their data;
- to rectification of the record;
- to erasure;
- to restrict processing;
- to data portability;
- to object to processing;
- not to be subject to automated decision-making, including profiling.
Roles and Responsibilities
The Board is responsible for ensuring the appointment of a ‘Data Controller’ (usually this person will be Head of School).
The Data Controller serves the function of Data Protection Officer. They will have responsibility for all issues relating to the processing of personal data and will report directly to the Board.
The Data Controller Officer will comply with responsibilities under the GDPR and will deal with subject access requests, requests for rectification and erasure, and data security breaches. Complaints about data processing will be dealt with in accordance with the Schools Complaints Policy.
The Data Controller is responsible for ensuring that all departments and their support services implement good data protection practices and procedures and for compliance with the Data Protection Principles.
It is the responsibility of all staff to ensure that their working practices comply with the Data Protection Principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures forming part of this policy.
Reasons/purposes for processing information
We process personal information to enable us to provide education, training and educational support services such as accommodation and travel to our clients. It is also necessary for us to ensure the Safeguarding of our students and maintain student welfare. In addition, this information is required for us to administer our schools' property, maintain our own accounts and records and to support and manage our employees.
We also use CCTV systems to monitor and collect visual images for security and the prevention of crime.
Type/classes of information processed
We process information relating to the above reasons/purposes. This information may include:
- name and personal details
- family/next of kin details
- financial details
- education details
- employment details
- student and disciplinary records
- vetting checks
- goods and services
- visual images
We also process sensitive classes of information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs of a similar nature
- offences and alleged offences
Who the information is processed about
We process personal information about:
- our students and pupils
- agents or other professional services
- school staff
- members of school or company boards
- complainants and enquirers
- individuals captured by CCTV images
Who the information may be shared with
We sometimes need to share the personal information we process with the individual concerned and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- education, training, careers and examining bodies
- Agents (domestic or overseas)
- school staff and boards
- family, associates and representatives of the person whose personal data we are processing
- local and central government
- healthcare professionals
- social and welfare organisations
- police forces
- current, past or prospective employers
- business associates and other professional advisers
- suppliers and service providers
- financial organisations
- security organisations
- press and the media
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection Act.