Data Protection Policy

Exceed In English Ltd
Data Protection

Issue Date: August 2018 Review Date: August 2020

1. INTRODUCTION
Originator: Franz Roberts Responsibility: Franz Roberts
The College needs to keep certain information about employees, students and other users to allow it to monitor, for example, performance, achievements and health and safety. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this the College must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998 (the 1998 Act). In summary, these state that personal data shall:

Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
Be adequate, relevant and not excessive for those purposes;
Be accurate and kept up to date;
Not be kept for longer than is necessary for that purpose;
Be processed in accordance with the data subject’s rights;
Be kept safe from unauthorised access, accidental loss or destruction;
Not be transferred to a country outside the European Economic Area, unless that country
Has equivalent levels of protection for personal data.

The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed this Data Protection Policy.

2. STATUS OF THE POLICY
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College from time to time. Any failure to follow the policy can, therefore, result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the MD. If the matter is not resolved it should be raised as a formal grievance.

3. NOTIFICATION OF DATA HELD AND PROCESSED
All staff, students and other users are entitled to:

know what information the College holds and processes about them and why;
know how to gain access to it;
know how to keep it up to date;
know what the College is doing to comply with its obligations under the 1998 Act.

The College will, therefore, provide all staff and students and other relevant users with a standard form of notification. This will state all the types of data the College holds and processes about them and the reasons for which it is processed. The College will try to do this at least annually.

4. RESPONSIBILITIES OF STAFF

Checking that any information that they provide to the College in connection with their employment is accurate and up to date.
Informing the College of any changes to information which they have provided, ie changes of address. processed about staff.
Informing the College of any errors or changes. The College cannot be held responsible for any errors unless the staff member has informed the College of them.
Checking the information that the College will send out from time to time, giving details of information kept and processed about staff.

If, and when, as part of their responsibilities, staff collect information about other people (e.g. about students’ coursework, opinions about ability, references to other academic institutions or details of personal circumstances) they must comply with the guidelines for staff.

5. DATA SECURITY

All staff are responsible for ensuring that:

any personal data which they hold is kept securely;
personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases.

Personal information should be:

kept in a locked filing cabinet; or
in a locked drawer; or
if it is computerised, be password protected; or
kept only on disk which is itself secure.

6. STUDENT OBLIGATIONS
Students must ensure that all personal data provided to the College is accurate and up to date. They must ensure that changes of address, etc, are notified to the School Secretary.

Students who use the College computer facilities may, from time to time, process personal data. If they do, they must notify the School Secretary. Any student who requires further clarification about this should contact the Principal.

7. RIGHTS TO ACCESS INFORMATION
Staff, students and other users of the College have the right to access any personal data that is being kept about them either on a computer or in certain files. Any person who wishes to exercise this right should complete the college “Access to Information” form and hand it into the School Secretary, who will forward it to the MD.

In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing using the standard form attached.

The College will make no charge for the first occasion that access is requested but may make a charge of £10 per each subsequent request, at its discretion.

The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 21 days unless there is a good reason for the delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.

8. PUBLICATION OF COLLEGE INFORMATION
Information that is already in the public domain is exempt from the 1998 Act. It is the College policy to make as much information public as possible and, in particular, the following information will be available to the public for inspection:

Names of College senior staff with significant financial responsibilities (for inspection during office hours only).
List of staff.
Photographs of key staff.
Photographs of students who have given their permission.

The College’s internal phone list will not be a public document.

Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the appropriate Data Controller.

9. SUBJECT CONSENT
In many cases the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course and a condition of employment for staff. This includes information about previous criminal convictions.

College accommodation may bring the applicants into contact with children, including young people between the ages of 14 and 18. The College has a duty under the Children Act and other enactments to ensure that staff are suitable for the job and students for the courses offered. The College also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the College facilities do not pose a threat or danger to other users.

The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of, for example, a medical emergency.

Therefore, all prospective staff and students will be asked to sign a Consent to Process form, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.

10. PROCESSING SENSITIVE INFORMATION
Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies such as the Sick Pay Policy or Equal Opportunities Policy. Because this information is considered sensitive and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason. More information about this is available from the School secretary.

11. EXAMINATION MARKS
Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the College.

12. RETENTION AND DISPOSAL OF DATA
The College will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. A list is attached of the archiving guidelines and retention times employed by the College.

When disposing of any document containing personal data, care should be taken to ensure that the document is shredded before consigning to the waste collection.Where there is bulk quantities of such documents, arrangements should be made with the School Secretary.

13. CONCLUSION
Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the principal.

15. APPENDICES

Staff Guidelines for Data Protection (including checklist for recording data)
Standard request for Access to Data
Standard form for consent to process sensitive data
Standard form for notification of Personal Data held by the College
Guidelines for archiving
Model Contract Clauses

APPENDIX 1
STAFF GUIDELINES FOR DATA PROTECTION

All staff will process data about students on a regular basis when marking registers or College work, writing reports or references or as part of a pastoral or academic supervisory role. The College will ensure, through registration procedures that all students give their consent to this sort of processing and are notified of the categories of processing, as required by the 1998 Act. The information that staff deals with on a day-to-day basis will be ‘standard’ and will cover categories such as:

general personal details such as name and address; course work

marks and grades and associated comments;
details about class attendance, coursework marks and grades and associated comments;
notes of personal supervision, including matters about behaviour discipline.

Information about a student’s physical or mental health; sexual life; political or religious views; ethnicity or race is sensitive and can only be collected and processed with the student’s consent. If staff need to record this information they should use the College standard form

Examples: Recording information about dietary needs, for religious or health reasons prior to taking students on a field trip.
Recording information that a student is pregnant, as part of personal duties.

All staff have a duty to make sure that they comply with the data protection principles, which are set out in the College Data Protection Policy. In particular, staff must ensure that records are:

accurate;
up-to-date;
fair;
kept and disposed of safely and in accordance with the College policy.

The College Secretary will be the designated member of staff. This is the only staff member authorised to hold or process data that is:

not standard data or;
sensitive data
details about class attendance,

The only exception to this will be if a non-authorised staff member is satisfied that the processing of the data is necessary and in the best interests of the student or staff member, or a third person, or the College; AND
he or she has either informed the authorised person of this or has been unable to do so and processing is urgent and necessary in all the circumstances.

This should only happen in very limited circumstances.

Example: A student is injured and unconscious but in need of medical attention and a staff tutor tells the hospital that the student is pregnant.

Authorised staff will be responsible for ensuring that all data is kept securely.
Staff must not disclose personal data to any student, unless for normal academic or pastoral purposes, without authorisation or agreement from the Principal, or in line with the College policy.
Staff shall not disclose personal data to any other staff member, except with the authorisation or agreement of the Principal.
Before processing any personal data, all staff should consider the checklist.

Staff Checklist for Recording Data

Do you really need to record the information?
Is the information ‘standard’ or is it ‘sensitive’?
If it is sensitive, do you have the data subject’s express consent?
Has the student been told that this type of data will be processed?
Are you authorised to collect/store/process the data?
If yes, have you checked with the data subject that the data is accurate?
Are you sure that the data is secure?
If you do not have the data subject’s consent to process, are you satisfied it is in the best interests of the student or the staff member to collect and retain the data?
Have you reported the fact of data collection to the authorised person within the required time?

STANDARD REQUEST FORM FOR ACCESS TO DATA
I ........................................................................................ (insert name) wish to have access to:
Either
1. All the data that the College currently has about me, either as part of an automated system or part of a relevant filing system

2. Data that the College has about me in the following categories:
(a) (b) (c) (d) (e) (f) (g) (h)
Please tick
Academic marks or coursework details  Academic or employment references  Disciplinary records  Health and medical matters  Political or religious information  Any statements of opinion about my abilities or performance  Personal details including name, address, date of birth etc.  Other information (please list below) .................................................................................. .................................................................................. .................................................................................. ..................................................................................
appropriate boxes
I understand that I may have to pay a fee of £10 (payable for second and subsequent request for the same category(ies) of information within a twelve month period.
Signed: ....................................................................................
Date: ....................................................................................
☐

STANDARD FORM FOR CONSENT TO PROCESS SENSITIVE DATA
I .......................................................................................... (insert name)
give my consent to Exceed In English Ltd, recording and processing information about me in the following categories:

Race and ethnic origin
Membership of a trade union
Physical or mental health or medical condition
Criminal records

The information will be used for the following purpose:

Administering sick pay and sick leave schemes;
Managing the absence control policy
Checking suitability and fitness to work at the College
Checking suitability and fitness for course places
Administering the College and statutory maternity leave and pay schemes
Managing and maintaining a safe College environment
Managing duties and obligations under the Disability Discrimination Act

I understand that this information will be used only for the purpose set out in the statement above and my consent is conditional upon the College complying with their obligations under the Data Protection Act 1998.
The particular information to be recorded and processed has been shown to me on ....................................................... (insert date) and I confirm that it is correct.

NB: The College Data Protection Policy stipulates that individuals will be advised of any sensitive data to be processed about them.
Signed: ....................................................................................
Date: ....................................................................................

STANDARD FORM FOR NOTIFICATION OF PERSONAL DATA HELD BY THE COLLEGE
This notice is served as part of the requirement of the Data Protection Act 1998. It sets out the types of personal data that this College currently holds about you and gives details of that data.

When you receive this form you should:

Check that the information included about you is correct.
Tell us if there are any errors or if any of the data is incomplete.
Ask to see any of the information if you want further details.

We cannot provide all the data on this form but you do have the right to access most of the information we have about you.

We currently hold information in the following categories:

Personal details: this includes name, address, qualifications, and next of kin (Insert details of this information for the data subject to check)
Details of physical and/or mental health: this includes details about specific conditions individuals may suffer from, such as asthma or diabetes; information about pregnancy, if appropriate; information about sickness absences and any medical reports we may have received. (Insert details of this information for the data subject to check)
Membership/non-membership of trade unions(Insert details of this information for the data subject to check)
Details about student academic performance and expected results, references and recommendations and attendance. (Insert details of this information for the data subject to check)
Details about student course fees, course registration, library and other equipment on loan. (Insert details of this information for the data subject to check)
Details about employee’s work performance, including notes of supervision sessions, appraisals and training assessment. (Insert details of this information for the data subject to check)

MODEL CONTRACT CLAUSES

A. Model Contract Clauses 1. Data Protection

1.1 All staff are required to abide by the College Data Protection Policy, a copy of which is included in the staff handbook.
1.2 A failure to follow any of the guidelines in relation to the collection, keeping, processing or destruction of any personal data, whether regarding another staff member, student or other third party, and whether deliberate or accidental, will be regarded as potential misconduct and may result in disciplinary proceedings being brought.
1.3 Deliberate or negligent misuse of data, whether by unlawful disclosure or otherwise, may be considered gross misconduct and may result in summary dismissal in the most serious cases.

2. Consent to Process

The employee agrees, by virtue of this contract to Exceed In English Ltd processing such information as may be necessary for the proper administration of the employment relationship, both during and after employment, provided that proper regard is had to such data protection principles as may be in force.

In particular, the employee consents to the following information being processed for the purposes set out below.

Any information about:

Mental or physical health, including dates of absence from work due to illness and the reason for the absence
Matters relating to pregnancy and maternity leave
Criminal convictions
Race or ethnic origin
Qualifications
Matters of discipline
Pensionable pay or contributions
Age and years of service
trade union recognised membership of
This information may be processed for any of the following reasons:
Payment of salary, pension, sickness benefit or other payments due under the contract of employment
Monitoring absence or sickness under an absence control or capability policy
Training and development purposes
Redundancy and succession planning
Curriculum planning and organisation

Timetable organisation
Compliance with Equal Opportunities Policy
Compliance with the Disability Discrimination Act
Carrying out checks through List 99 or other appropriate mechanisms.

3. Sick Pay
In order to administer the occupational sick pay and leave scheme, all staff are required to provide information about their absences and the reasons for them. In some cases this will be by way of self-certification. Any refusal to provide this information and consent to the College processing it will result in the College ceasing to pay further sick pay, until the information is provided and the consent given. The College may, at its discretion, dispense with the need for consent to process in some circumstances.

2. Model Clause for use in recruitment literature: Data Protection
The College collects and keeps information from job applicants so that we can send details of future job opportunities to you. We keep your name and address and details of your application. If you do not want us to do this please indicate by ticking the box below.

I do not want you to keep my details on file if I am unsuccessful  in my application (Tick box if appropriate)

3. Model Clause for use in Student Agreement or offers:
The College collects information about all our staff and students for various administrative, academic and health and safety reasons.

Because of the Data Protection Act 1998, we need your consent before we can do this. Since we cannot operate the College effectively without processing information about you, we need you to sign the following consent to process clause. If you do not do so, we will be unable to offer you a course place and may withdraw any offer already made.

If you require any further information about this, please contact the appropriate data controller.

I agree to Exceed In English, processing personal data contained in this form, or other data which the College may obtain from me or other people whilst I am a student. I agree to the processing of such data for any purposes connected with my studies or my health and safety whilst on the premises or for any other legitimate reason.

Signed by the student (or their guardian or representative) Dated: