Shared Earth Learning Co-op Privacy policy


Data Protection Policy

SELco needs to process relevant personal data regarding members of staff, volunteers, job applicants and young people as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.

SELco has an appointed Data Protection Controller (DPC) who will ensure that all personal data is processed in compliance with this Policy and the UK Data Protection Act 2018 and associated regulations

The Principles

SELco shall, so far as is reasonably possibly, comply with the Data Protection Principles contained in the Data Protection Act to ensure all data is:-

·         Fairly and lawfully processed

·         Processed for a lawful purpose

·         Adequate, relevant and not excessive

·         Accurate and up to date

·         Not kept for longer than necessary

·         Processed in accordance with the data subject's rights

·         Secure

We will record how this data is kept and used.

Definitions

·         Parental consent, includes the consent of a guardian.

·         Data Subject, an individual who is the subject of the personal data.

Personal Data

·      Personal data covers both facts and opinions about an individual where that data identifies an individual. Processing of Personal Data Personal data may also include sensitive personal data as defined in the Act

·       Any information which falls under the definition of personal data will remain confidential and will only be disclosed to third parties with appropriate consent, with certain exemptions – please see ‘Exemptions’ below.

Sensitive Personal Data

·      SELco may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.

Rights of Access to Information

·       Data subjects have the right of access to information held by SELco), subject to the provisions of the UK Data Protection Act 2018 and the Freedom of Information Act 2000.

·    Any data subject wanting to see their personal data should put their request in writing to the DPC.

·    SELco will respond to written requests as soon as is reasonably possible and in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be given to the data subject as soon as is reasonably possible after it has come to attention of SELco and in compliance with the relevant Acts.

Exemptions

Certain data processing because of issues related to:

·         National security and the prevention or detection of crime

·         Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon SELco including Safeguarding and prevention of terrorism and radicalisation 

The above are examples of exemptions under the Act. Further information on exemptions should be sought from the DPC.

Accuracy

SELco will ensure that personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them.

Enforcement

If an individual believes that SELco has not complied with this Policy or acted otherwise than in accordance with the UK Data Protection Act 2018, the individual should notify the DPC or the Information Commissioners Office.

Data Security

·      SELco will take appropriate steps to ensure the security of personal data.

·    All staff will be made aware of this policy and their duties under the Act.

·     All staff and young people are required to respect the personal data and privacy of others. They must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to personal data.

·    An appropriate level of data security must be used for the type of data and the data processing being performed. In most cases, personal data must be stored in secure systems and be secured when transported offsite.

·    All data breaches will be reported without undue delay – and within 72 hours – to the Information Commissioner’s Office (https://ico.org.uk).  SELco will inform any individuals affected without undue delay, where the breach could result in ID theft or fraud; physical harm; significant humiliation and/or damage to reputation.

External Processors

SELco will ensure that where data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. the processing is compliant with this policy and the relevant legislation.

Secure Destruction

When data held in accordance with this policy is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

·      SELco may retain data for differing periods of time for different purposes as required by statute or best practices

·    SELco may store some data such as registers, photographs, achievements, indefinitely in its archive.

Right to erasure

·      Data subjects have the right to ask for their information to be erased from our current data. This request will be granted, providing that it doesn’t conflict with legal proceedings and will not include information archived for legal reasons.