Data Protection Policy
Policy Statement
In accordance with all statutory requirements of the Data Protection Act 1998, Oxford Education Services Ltd (OES) will take all reasonable steps to ensure the accuracy and confidentiality of information such as the personal details of students, parents, host families and so on. As a guardianship company, we need to gather and use certain information about individuals. However, all personal data will be collected, handled and stored to meet data protection standards and to comply with the legislation. The principles of this Act are considered when sharing confidential information when legally permissible and when in the interests of the child. OES adheres to the principles of UK GDPR (UK General Data Protection Regulation) and the Data Protection Act 2018, which are to ensure that the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s rights
- kept safe and secure
- not transferred outside the UK without adequate protection
This policy has been updated to comply with the UK General Data Protection Regulation (UK GDPR) 2018. Our company’s policy aims to provide information about how our company collects personal data, uses the information fairly, stores it safely and does not disclose it unlawfully. Please see the details below:
Policy
Why this policy exists:
This data protection policy ensures Oxford Education and Services:
- Complies with data protection law and follows good practice;
- Protects the rights of staff, parents, students, homestays and partners (such as schools);
- Is open about how it stores and processes individuals’ data;
- Protects itself from the risk of data breach.
The Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO website). It is responsible for administering the provisions of the Data Protection Act 1998; the Freedom of Information Act 2000; and the General Data Protection Regulation 2018.
The Act requires every data controller who is processing personal information to register with the ICO (unless exempt). Oxford Education and Services is registered with the ICO as a data controller, and this is renewed annually (Registration reference: ZA000173).
The ICO publishes a Register of data controllers on their website, on which Oxford Education and Services is listed.
The Data Protection Act 1998
Directives lay down certain results that must be achieved, but each Member State is free to decide how to transpose directives into national laws. EU directives are addressed to the member states and are not, in principle, legally binding for individuals. The member states must transpose the directive into internal law – Acts. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998, when it became known as The Data Protection Act 1998.
The Act protects individuals’ rights concerning information about them held on computer and in any Oxford Education and Services personnel files and databases. These rules apply regardless of whether data is stored electronically, on paper or other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Freedom of Information Act 2000
The Freedom of Information Act 2000 provides public access to information held by public authorities, in two ways:
- Public authorities are obliged to publish certain information about their activities; and
- Members of the public are entitled to request information from public authorities.
General Data Protection Regulation 2018
Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.
GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC) – The Data Protection Act 1998. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance requires organisations to review their approach to governance and how they manage data protection as a corporate issue.
Following the UK’s exit from the EU, the GDPR is retained in domestic law, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.
The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
This Oxford Education and Services Data Protection policy applies to personal data as defined by the Act – that is, data from which a living individual can be identified, either from data alone, or from that data and other information that is held by the data controller. This includes information held on the computer, paper files, photographs etc.
This policy applies to the main office of Oxford Education and Services (OES), all staff and volunteers of OES, and all homestays and other people working on behalf of OES. The scope of the policy applies to all data held by OES relating to identifiable individuals. Everyone who works for OES has responsibility for ensuring data is collected, stored and handled appropriately – all must ensure personal data is handled and processed in line with this policy and data protection principles.
Staff Guidelines
- Personal data should not be shared informally – it should not be sent by email – this form of communication is not secure;
- Personal data must be encrypted before being transferred electronically. Webmail is the way to access OES emails outside of Outlook or other email client/software. Only people with access details are permitted to access the Qiye webmail system. The webmail is password protected, and this needs to be a specific strength to work;
- Employees should not save copies of personal data to their own computers/laptops;
- Employees should keep all data secure, taking sensible precautions and following these guidelines;
- Strong passwords must be used, and never shared;
- Personal data should not be disclosed to unauthorised people, either within OES or externally;
- Data should be regularly reviewed and updated if found to be out of date. If no longer required, it should be deleted and/or disposed of;
- When not in use, paper format data or files (for instance, DBS applications) should be kept in a locked drawer or filing cabinet;
- Employees should make sure paper and printouts are not left where unauthorised people could see them, for instance, on a printer;
- Data printouts should be shredded and disposed of securely when no longer required;
- When working with personal data, employees should ensure computer/laptop screens are always locked when left unattended;
- Where data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts;
- If data is stored on removable media (for instance, a CD or USB), these should be encrypted and kept locked away securely when not in use;
- Data should only be stored on designated drives and servers, and/or approved cloud computing services;
- Data should be backed up frequently, and backups should be tested regularly;
- All servers and computers containing data should be protected by approved security software and a firewall;
- Personal data should never be saved directly to laptops or other mobile devices like smart phones or tablets, unless encrypted.
How we collect the data
OES may need to acquire personal information from students, parents, host families and schools.
Students’ and parents’ information is provided by the parents or educational agencies. It can include the student’s and the parents’ full names, contact number, home address, school information, passport information, medical information etc.
Host families’ information is normally provided by the host families themselves when they apply for a work partnership with us. It can include their full name, family members, home address, contact number, occupation, photos of the property etc.
The school’s information is provided by the students, parents or educational agencies. As a guardianship organisation, we will need to contact the school while the students are in the UK. It can include the school’s name, housemaster/mistress’ contact details, personal tutor’s contact details etc.
OES may use this information to:
- Carry out our obligations arising from any contracts/agreements entered into by you and us;
- Contact parents, students, homestays and schools;
- Undertake administrative functions (for example, HR, contact referees);
- Process DBS applications;
- Compile marketing lists (e.g. for newsletter and conferences);
- Handle complaints;
- Conduct research;
- Share anonymous details with 3rd parties for the purpose of obtaining professional advice;
- Understand people’s views and opinions (for example, via feedback forms);
- Send out information that OES thinks might be of interest to others;
- Improve our services;
- Comply with legal and regulatory obligations.
As part of the accreditation process, OES is required to send the AEGIS office a copy of the contact details for all their homestays, partner schools and parents. They will also provide the names of the students. This data is held securely by AEGIS and is destroyed once the inspection process is finished.
Who we share the data with
OES recognises that keeping children safe from harm requires the early, effective sharing of information and is a vital element of safeguarding and child protection, as per ‘Information Sharing’ March 2015 and ‘Working Together To Safeguard Children’ 2018: “Effective sharing of information between professionals and local agencies is essential for effective identification, assessment and service provision”.
In addition, we recognise the need for confidentiality of our student, school, host family, staff and transfer company records and work in adherence to UK GDPR and the Data Protection Act 2018. (Refer to Confidentiality and General Data Protection Regulation Policy)
In the case that a child is believed to have been put at risk or is likely to be put at risk of harm, staff will use their professional judgement when making decisions on what information to share and when. As per HM Government Information Sharing Advice for Safeguarding Practitioners 2015, UK GDPR, “The Data Protection Act 2018 and human rights law do not prevent the sharing of information for the purpose of keeping children safe, but a framework to ensure that organisation and individuals process personal information fairly and lawfully and keep the information they hold safe and secure.”
Our company procedures should be followed and staff should consult with their manager if in any doubt. Such decisions on disclosure should be proportionate to the extent of the harm that a child may be or has been exposed to. Where any doubt exists about sharing the information concerned, advice will be sought from other practitioners without disclosing the identity of the individual where possible.
We will be open and honest with the individual (and/or family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
We will share with informed consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information.
We understand that information can still be shared without consent if, in our judgement (based on facts), there is good reason to do so, such as where safety may be at risk. When sharing or requesting personal information from someone, Oxford Education staff will be aware of the basis upon which they are doing so. Where Oxford Education have consent to share information, staff are mindful that an individual might not expect information to be shared.
We consider the safety and well-being of the individual and others who may be affected, when forming information sharing decisions.
We will only share information which is necessary for the purpose for which the information is being shared, will share information only with those individuals who need to have the information, will ensure the information is accurate and is shared in a secure and timely fashion.
For the students' data, we normally share it with the schools and the host families. Under some special circumstances, such as medical or safety issues, it will need to be shared with the local authorities/services.
For the host families’ data, we normally share it with the parents, students and schools if the student will stay with the host during that period of time.
For the school’s data, we normally share it with the students and parents only.
OES does not share any data with any third party without permission.
As the host families will hold some personal information about the students while they are hosting, OES expects that the host families will not give the students’ information to others and will keep it securely. Sometimes, the information can be provided to others in special situations, such as medical emergencies and child safety. However, we would like this to be reported to us.
How to store the data
Most data will be stored securely in our database, which is the director’s laptop, and be set up with passwords. For instance, the students’ and parents’ personal information will be set up in a document folder named as guardianship document. Employees cannot access personal confidential information without the director’s permission. Employees do not save copies of personal data to their own computers/laptops.
Any photocopy of personal data, e.g. a photocopy of the passport, BRP card or other documents, is stored in the drawers with a lock at the director's office. Only the director has the keys to access those documents. We also keep and secure the original documents, such as students’ school reports, contracts or other information received from schools etc., in the cabinet with a lock at the staff office.
Data accuracy
The law requires OES to take reasonable steps to ensure data is kept accurate and as up to date as possible. It is the responsibility of all employees and people working with OES, who work with data, to take reasonable steps to ensure it is kept accurate and as up to date as possible.
- Data should be held in as few places as necessary. Staff should not create any unnecessary additional data sets;
- Staff should take every opportunity to ensure data is updated, for instance, details can be updated when a parent calls;
- OES will make it easy for data subjects (for instance, homestays and parents) to update their own information OES holds about them;
- Any data inaccuracies should be corrected as soon as discovered (for instance, if a member can no longer be reached on their stored telephone number, this should be removed from the database).
Retention period of information
For students, all necessary documents are scanned and stored in our database, and the original paper is then shredded immediately. We will normally keep their information while they are under our guardianship or for one year from leaving. The paperwork will be shredded if it is no longer needed.
For host families, all information will be stored in our database securely. We will remove the information once the host family no longer hosts our students.
For schools, all information will be kept and handled by the software (Mail Master) where necessary while we have students currently studying there, as most of the information is the teachers’ email addresses, houseparents’ contact details etc. We will remove the information when the students leave the school.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 3 years. The policy review will be undertaken by the manager or director.
If you have any enquiries in relation to this policy, please contact the manager, Dr. Iling Lee. The contact number is 01865240616 or send an email: oes@englongeducation.com
Data protection risks
This policy helps to protect OES from data security risks including:
- Breaches of confidentiality, for instance: information being given out inappropriately;
- Failing to offer choice, for instance: all individuals should be free to choose how the company uses data relating to them;
- Reputational damage, for instance: the company could suffer if hackers successfully gained access to sensitive data.
Accessing your information
Under the Act, an individual is entitled to ask OES:
- For a copy of the personal information held by OES;
- For any inaccuracies to be corrected;
- How to gain access to such data;
- How they are meeting their data protection obligations.
Such requests are known as ‘subject access requests’. Such requests should be made either via email or via the post.
Email requests should be addressed to the data controller at helen.wu@englongeducation.co.uk.
Postal requests should be submitted to: 43 Hythe Bridge Street, Oxford, OX1 2EP
There is no administration charge for any subject access request. The data controller will aim to provide the relevant data within 14 working days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Review
We are committed to reviewing our policy and good practice annually.
This policy was last reviewed on: 02/Dec/2020
Signed:
Date: 02/12/2020