INTRODUCTION
The Data Protection Act 2018 protects individuals from the consequences of improperly obtained or processed information. It sets standards for the handling of personal data and establishes the right of individuals to have access to certain data. To comply with the law, information must be collected fairly, stored safely and not disclosed to any other person unlawfully. In order to do this, Redoor Education must comply with all statutory requirements of The Data Protection Act 2018 (“the Act”) by taking all reasonable steps to ensure you aware of your responsibilities under the Act.
Redoor Education needs to gather, keep and process certain information about its employees, students, host families, fix-term contracts and other people the company has a relationship with or may need to contact, to allow it to monitor performance and process results.
This policy applies to the main office of Redoor Education, all staff, local coordinators, homestay hosts, drivers and volunteers, and all contractors and other people working on behalf of Redoor Education.
This data protection policy ensures Redoor Education:
- Complies with data protection law and follows good practice
- Protects the rights of staff, members and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risk of data breach.
DEFINITIONS
Data Controller: decides the manner in which, and purposes for which, personal data is kept. Redoor Education is the data controller under the Act because it processes info on students, staff, host families and professional bodies.
Data: this means information which is:
- Being processed by means of computer or other equipment operating automatically
- Recorded with the intention that it should be processed by means of such equipment
- Recorded as part of a relevant filling system (including a manual system e.g. address book ) or with the intention that it should form part of any relevant filling system.
Personal Data: means data relate to a living individual who can be identified from the data (including the example given in below).
Sensitive Data: Personal Data consisting of information as to the health, ethnic origin, political opinions, religion, trade union memberships life, and criminal convictions of the Data Subject.
Data Subject: means a living individual who is the subject of personal data (example of potential data subjects is given in below).
Processing: this is a broad definition and covers any operation carried out on data including: obtaining, recording, retrieving, disclosing or holding the information or data or carrying out any operation on the data.
Data Processor: in relation to personal data, means any person (other than employees of the Data Controller) who processes the data on behalf of the Data Controller.
Recipient: means any person to whom the data is disclosed, including staff to whom it is disclosed in the course of processing the data for the Data Controller, but does not include any person made in the exercise of any power conferred by law.
Who are data subjects?
- All staffs
- Local coordinators
- Host families
- Drivers
- Students
- Applicants (successful and unsuccessful)
- Clients
- Customers
- Agency workers (current and former)
- Casual workers (current and former)
- Contract workers (current and former)
Who is data controller and responsibility?
Redoor Education Ltd is registered with the ICO as a data controller, and this is renewed annually.
The ICO publishes a Register of data controllers on their website, on which Redoor Education is listed, registration number ZA569924. The data protection officer is Xiaofei Qi.
The data protection officer is responsible for:
- Reviewing all data protection procedures and policies
- Arranging data protection training if required
- Handling data protection queries
- Dealing with requests from individuals relating to the data
- Assisting with any agreements with third parties that may handle sensitive data
- Working with IT contractors to ensure that all systems, services and equipment used for storing data meet acceptable security standards, including ensuring regular checks, scans and updates to ensure security hardware and software are functioning properly.
All staff are responsible for collecting, storing and processing any personal data in accordance with this policy.
The data protection principles
In Summary these state that personal data shall:
- Be obtained and processed Fairly and lawfully and shall not be processed in any manner incompatible with that purpose
- Be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Be accurate and kept up to date
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights under the Act
- Be kept safe from unauthorized access, accidental loss or destruction
- Not be transferred to a country or territory outside of the European Economic Area (EEA) unless we can be assured there is an adequate level of protection for the rights and freedoms of the data subjects
COLLECTING PERSONAL DATA
We collect information from you when you register on our service, respond to one of our surveys or fill out a form. We may collect the following from you:
Name: | This allows us to refer to you when speaking to you and to address any post we may need to send to you specifically. |
Contact details: (Telephone, mailing address and email) | This is needed to enable us to communicate with you, and when required, to send you information and documents. |
Date of birth, Gender,Religon | To ensure you are placed in the right age-level course, schools and/or accommodation |
Country of residence, country of birth, nationality, passport number and passport expiry date: | to help you with visa-related issues |
Education Details, Schools, Level of English language proficiency and academic result | help us monitor your progress and to help track your learning within your school |
Parents details | This allows us to refer to you when speaking to you and enable us to communicate with you. |
Emergency contact details | By providing this information, you agree that you have informed the relevant person(s) of the provision of their contact details to us, and that they are happy for you to do so. |
Health and Medical Details | To help you when you need medical care |
Pastoral Care/Travel and Leisure | This allow us to tailor our service. |
Performance record, Attendance record | track your learning progress and to better tailor the future provision of our services to you. |
USE OF IMAGES
Redoor Education encourage all parents to provide consent of using photo and video, as it enables us to include all the students in depiction of life. However, we respect the parent to refuse consent.
All material published must be assessed to ensure it meets the following safeguarding rules:
- It must not feature any student whose parent/carer has not given consent.
- It must not offer any means of identifying a student by name.
- It must not in any way embarrass the company, student or staff involved.
Photos and videos should be taken either by a member of staff, or a person who has been granted permission by DSL.
Who we share your personal information?
To fulfill our commitment to you, we work with several third-party organizations that perform certain tasks on our behalf. We share your personal information with these third parties only
- when they can provide guarantee that they comply with the data protection 2018 Act.
- With the consent of the individual
- to the extent necessary in order to enable them to provide the service you require on our behalf.
These third parties act on our instructions and are ‘processors’ of your personal information.
Name of subjects | Personal information shared | Why your personal information is shared |
Our agent | Information you enter into our registration form | To enable us process and manage your booking |
Our Local Guardian | All personal information outlined above, which is necessary for the provision of our services by our local group entity. | So that our local group entity may provide services on our behalf to you. |
Accommodation providers | Booking information, including gender, age, nationality and any medical conditions, special needs or dietary preferences. | To ensure you receive the service you have booked and you are in accommodation suitable for your needs. |
Transport providers | Name, arrival details, departure details and accommodation address. | To provide the transport service you have booked. |
Activity/educational providers | Name, age, gender, education details | To provide the activity/study you have booked. |
Insurance providers | Name, age, address, arrival and departure details. | To provide personal insurance you have purchased. |
We need to share contact details with AEGIS office and lead and supporting inspectors for the purposes of a (re)accreditation inspection within their privacy notice and data protection policy, with the relevant permissions and in line with the ICO data protection principles.
DISCLOSURE TO A THIRD PARTY
Personal data should not generally be disclosed to third parties without the express consent of the individual concerned. In this context ‘third party’ includes friends, local authorities, government bodies and police, unless disclose is exempted by the 2018 Act or by other legislation. Under certain circumstance, data may however be released. Note that among other circumstances the Act permits release of data without express consent:
- For the purpose of protecting the vital interests if the individual (e.g. release of medical data where failure to do so could result in harm to, or the death of, the individual)
- For the prevention or detection of crime
- For the apprehension or prosecution of offenders
- For the discharge of regulatory functions, including securing the health, safety and welfare of persons at work
- Where the disclosure is required by legislation, by any rule of law, or by the order of a court
Personal data may also be shared with emergency services and local authorities to help them to respond to an emergency situation that affects any of our students or staff.
We may share contact details with AEGIS office and lead and supporting inspectors for the purposes of a (re)accreditation inspection within their privacy notice and data protection policy, with the relevant permissions and in line with the ICO data protection principles.
Where personal data is transferred to a country or territory outside the European Economic Area, it will do so in accordance with data protection law.
DEALING WITH REQUESTS FOR DATA
Any subject access requests should be directed to the Data Protection Officer at the office where the subject is located.
Personal Data can only be processed in the following circumstances:
- Performance of a contract
- Compliance with a legal obligation
- Public functions
- Legitimate interests of the data controller unless prejudicial to the interests of the individual
- Protection of the Data Subject’s vital interests
- With the consent of the individual (Unless the Child is unable to understand their rights and the implication of a subject access request. (Usually Children below the age of 16, it is not a rule and a pupil’s ability to understand their rights will always be judged o a case-by-case basis).
DEPARTMENTAL POLICIES AND PRACTICES
Telephone disclosure is generally unsatisfactory, as verification of such details (and of the identity of the enquirer) can be difficult. For example, a student’s address, telephone number or email should not be given to a telephone enquirer, even if the enquirer claims to be a close relative or friend.
If you receive a phone call from a third-party requesting information on a member of staff or student you should not disclose any information about the individual, however hard the caller may press.
- You should explain that Redoor Education does not discuss individual without the express permission of the individual concerned
- Assure the caller of your willingness to help them
- Offer to attempt to contact the person concerned and take details of the request for information, including the caller’s number
- Offer to phone the caller back if necessary (this also offers some measure of authentication of the caller)
- If necessary, ask them to put their request in writing
- Offer to accept a sealed envelope for the Department to forward to the individual concerned
Follow similar guidelines when dealing with written requests for information.
PARENTAL REQUESTS TO SEE EDUCATIONAL RECORDS
According to regulation 5 of the Education (Pupil Information) (England) Regulations 2005, parents have the right to access to their child’s school reports. Redoor Education chooses to follow this regulation and give parents the right of access to their child’s record.
YOUR RIGHTS
You have the following rights regarding your personal information.
Right to be informed -You have the right to be provided with clear, transparent and easily understandable information about how we use your personal information and your rights. This is why we are providing you with the details of what information we keep in this Privacy Policy.
Right of access –You are entitled to have your personal information corrected if it is inaccurate or incomplete.
Right to erasure –This is also known as ‘the right to be forgotten’, and, in simple terms, enables you to request the deletion or removal of your personal information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions (for example, we have the right to continue using your personal information if such usage is necessary for compliance with our legal obligations).
Right to restrict processing-You have the right to ‘block’ or suppress further use of your personal information in certain circumstances (for example, where you think the personal information we are using about you is inaccurate, whilst we verify its accuracy). When usage is restricted, we can still store your personal information, but may not use it further. We keep lists of people who have asked for further use of their personal information to be ‘blocked’ to make sure the restriction is respected in future.
Right to withdraw consent to processing- If you have given your consent to us to use your personal information for a specific purpose, you have the right to withdraw your consent at any time (although if you do so, it does not mean that any use of your personal information up to that point is unlawful).
We are committed to reviewing our policy and good practice annually.
This policy was last reviewed on: ……30/11/2022……………………………………………………