GR8 Solution Int Ltd Training as The British School of Etiquette (TBSoE)is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act 1998 (DPA). https://ico.org.uk/for-organisations/guide-to-data-protection/data-protectionprinciples/
The purpose is of this policy is to help us achieve our data protection and data security aims by:
Changes to data protection legislation (GDPR, 2018) shall be monitored and implemented in order to remain compliant with all requirements.
The legal bases for processing data are as follows:
(a) Consent: the member of staff/candidate/enquirer has given clear consent for the school to process their personal data for a specific purpose in relation to their employment and/or enrolment on, undertaking and completion of training courses offered by TBSoE.
(b) Contract: the processing is necessary for the member of staff’s employment contract or candidate contract to undertake training.
(c) Legal obligation: the processing is necessary for the school to comply with the law (not including contractual obligations).
The members of staff responsible for data protection are Philip Sykes (Principal) and Lucrecia Palladino (School Administrator). However, all staff must treat all candidate information in a confidential manner and follow the guidelines as set out in this document. TBSoE is also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided as required.
The requirements of this policy are mandatory for all staff employed by the school and any third party contracted to provide services for and on behalf of TBSoE.
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register. Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
All data within TBSoE’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
The definitions of personal and sensitive data shall be as those published by the ICO for guidance, i.e. any data which relates to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The principles of the Data Protection Act 1999 shall be applied to all data processed and TBSoE agree to:
ensure that data is fairly and lawfully processed
TBSoE shall be transparent about the intended processing of data and communicate these intentions via notification to staff and candidates prior to the processing of individual’s data. These notifications shall be in accordance with ICO guidance; https://ico.org.uk/global/privacy-notice/ and follow a set procedure for handling data collected in the course of business to ensure we comply with the principles outlined above. There may be circumstances where TBSoE is required either by law or in the best interests of our candidates or staff to pass information onto external authorities, for example local authorities, accreditation or inspection bodies or the department of health. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.
The intention to share data relating to individuals to an organisation outside of TBSoE shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information. Any proposed change to the processing of individual’s data shall first be notified to them. Under no circumstances will TBSoE disclose information or data:
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.
Risk and data protection impact assessments (DPIA) shall be conducted in accordance with guidance given by the ICO; https://ico.org.uk/for-organisations/guide-to-the-general-data- protection-regulation-gdpr/accountability-and-governance/data-protection-impact- assessments/
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.
The security arrangements of any organisation with which data is shared shall also be considered and where required these organisations shall provide evidence of the competence in the security of shared data.
All individuals whose data is held by us, have a legal right to request access to such data or information about what is held. TBSoE shall respond to such requests within one month and these should be made in writing to the Principal. No charge will be applied to process the request. Personal data about candidates or staff will not be disclosed to third parties without the consent of the individual, unless it is obliged by law or in their best interest.
Data may be disclosed to the following third parties without consent:
This may be for registration purposes, to allow candidates to sit examinations set by external exam bodies or receive external accreditation or award.
As obliged under health legislation, the school may pass on information regarding the health well-being of those enrolled to comply with regulations regarding the spread of contagious diseases in the interest of public health.
If a situation arises where a criminal investigation is being carried out TBSoE may have to forward information on to the police to aid their investigation. TBSoE will pass information onto courts as and when it is ordered.
In order to protect or maintain the welfare of our candidates, and in cases of suspected abuse or radicalisation, it may be necessary to pass personal data on to support agencies.
Where any personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by TBSoE including any data held by contracted processors.
Images of staff and candidates may be captured at appropriate times and as part of training activities for use in school only. Unless prior consent from candidates/staff has been given, the school shall not utilise such images for publication or communication to external sources. It is the school’s policy that external parties (including candidates) may not capture images of staff or pupils during such activities without prior consent.
Hard copy data, records, and personal information are stored out of sight and in a
locked cupboard. Sensitive or personal information and data should not be removed from the school site, however TBSoE acknowledges that some staff may need to transport data between the registered office/training venue and their home in order to plan or write up feedback in relation to courses being delivered. This may also apply in cases where staff have offsite meetings or are on TBSoE organised visits with candidates.
The following guidelines are in place for staff to reduce the risk of personal data being compromised:
These guidelines are clearly communicated to all TBSoE staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
TBSoE recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.
All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner, where required, with demonstrable competence in providing secure disposal services.
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
TBSoE has identified a qualified source for disposal of IT assets and collections.TBSoE also uses a shredder to dispose of paper based sensitive data that is no longer required.
Unit 5, Lakeside Business units