GDPR

Introductory Statement

Sky-High Tuition needs to hold and to process large amounts of personal data about its students, employees, applicants, contractors and other individuals in order to carry out its business and administrative functions.

By personal data, Sky-High Tuition refers to any information relating to an identified or identifiable natural person (data subject) who can be identified, directly or indirectly by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

This policy is intended to ensure that personal data is dealt with properly and securely and in accordance with General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA).

GDPR and DPA are the laws that protect personal privacy and upholds individual’s rights. These laws were set to strengthen and unify all data held within an organisation. It explains what kind of information teachers should keep, how to obtain and store this information and how long it should be kept. GDPR and DPA applies to anyone who handles or has access to people’s personal data.

This policy will apply to personal information regardless of the way it is used, recorded and stored and whether it is held in paper files or electronically.

Policy Objectives

Sky-High Tuition aims to help children and seeks to enable each student to develop his/her full potential. Part of our mission is to provide a safe and secure environment for learning and encourage children to develop positive attitude and respect for themselves and others. Complying with its obligations under the GDPR and DPA, the Children’s Act 1989, the Childcare Act 2006, and all other relevant legislation is a fundamental aspect of its mission.

Sky-High Tuition is committed to being concise, clear and transparent about how it obtains and uses personal information and will ensure data subjects are aware of their rights under the legislation.

Sky-High Tuition supports that a Data Subject is a living, identified or identifiable individual about whom we hold personal data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their personal data.

All staff must have a general understanding of the law and understand how it may affect their decisions in order to make an informed judgement about how information is gathered, used and ultimately deleted. All staff must read, understand and comply with this policy.
This policy aims to

ensure that Sky-High Tuition complies with its obligations under the GDPR and DPA.

ensure that the data protection rights of students, staff and other members of the Sky-High Tuition are safeguarded.
Scope of the Policy

This policy applies to the keeping and processing of personal data, both in manual form and on computer, including personal data held on both staff and pupils.

GDPR Article 4 defines Personal data as any information that relates to an identified or identifiable living individual who can be identified directly or indirectly from the information. The information includes factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a living individual. This includes any expression of opinion about an individual and intentions towards an individual. Under the GDPR personal information also includes an identifier such as a name, an identification number, location data or an online identifier.

Sky-High Tuition collects a large amount of personal data every year including: pupil records, staff records, names and addresses of those making enquiries, examination marks, references, fee collection as well as the many different types of research data used by Sky-High Tuition. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of law enforcement agencies, government agencies and other bodies.

The policy applies to all staff, the board of management, parents/guardians, pupils and others insofar as the measures under the policy relate to them. The policy also applies to all locations from which personal data is accessed including off-campus.

Board of Management records

These may include:

• Name, address and contact details of each member of the board of management
• Records in relation to appointments to the board
• Minutes of board of management meetings and correspondence to the board which may include references to particular individuals

Storage Format

The format in which the above records will be kept will be either manual record (personal file within filing system), computer record (database) or both. They will be kept securely in accordance with the Sky-High Tuition’s data protection obligations.

Purpose for keeping Board of Management records

At Sky-High Tuition, Board of Management details essential to record board appointments and document decisions made by the board.

Section B

Details of the arrangements in place to ensure compliance with the principles set out in the GDPR.

This policy sets down the arrangements in place to ensure that all personal data records held by Sky-High Tuition are obtained, processed, used and retained in accordance with the following principles set out in the GDPR:

Lawfulness, Fairness and Transparency

• Personal data must be processed lawfully, fairly and in a transparent manner
• Purpose Limitation
• Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Personal data must not be used for new, different or incompatible purposes from that disclosed when it was first obtained unless the data subject has been informed of the new purposes and they have consented where necessary.

Data Minimisation

• Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed
• Staff may only process data when their role requires it. Staff must not process personal data for any reason unrelated to their role.
• Sky-High Tuition maintains a Retention Schedule to ensure personal data is deleted after a reasonable time for the purpose for which it was being held, unless a law requires such data to be kept for a minimum time.
• Staff must take all reasonable steps to destroy or delete all personal data that is held in its systems when it is no longer required in accordance with the Schedule.
• Staff must ensure that data subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.

Accuracy

Personal data shall be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed

Integrity and Confidentiality

Appropriate technical and organisational measures shall be taken to safeguard the rights and freedoms of the data subject and to ensure that personal information is processed in a manner that ensures appropriate security of the personal data and protects against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

A student aged between 12 and 16 would be required to give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice. Individuals aged 18 or older may give consent themselves.

Transfer Limitation

In addition, personal data shall not be transferred to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the European Commission or where the organisation receiving the data has provided adequate safeguards.

Processing means anything done with personal data, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, use, disclosure, dissemination or otherwise making available, restriction, erasure or destruction. These may be provided by a legally binding agreement between public authorities or bodies, standard data protection clauses provided by the ICO or certification under an approved mechanism.

This means that individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. It may also be possible to transfer data where the data subject has provided explicit consent or for other limited reasons. Staff should contact the DPO if they require further assistance with a proposed transfer of personal data outside of the EEA.

Lawful Basis for processing personal information

Before any processing activity starts for the first time, and then regularly afterwards, the purpose(s) for the processing activity and the most appropriate lawful basis (or bases) for that processing must be selected:

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Sky-High Tuition.
• Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which Sky-High Tuition is subject
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the purposes of the legitimate interests pursued by Sky-High Tuition or by a third party.
• The data subject has given consent to the processing of his or her data for one or more specific purposes. Agreement must be indicated clearly either by a statement or positive action to the processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If consent is given in a document which deals with other matters, the consent must be kept separate from those other matters.

Data Protection Impact Assessments

Sky-High Tuition’s processes must embed privacy considerations and incorporate appropriate technical and organisational measures in an effective manner to ensure compliance with data privacy principles.

Documentation and records

Written records of processing activities must be kept and recorded including:

• the name(s) and details of individuals or roles that carry out the processing
• the purposes of the processing
• a description of the categories of individuals and categories of personal data
• categories of recipients of personal data
• details of transfers to third countries, including documentation of the transfer mechanism safeguards in place
• retention schedules
• a description of technical and organisational security measures.
• As part of Sky-High Tuition’s record of processing activities, the Data Protection Officer will document, or link to documentation on:
• information required for privacy notices
• records of consent
• controller-processor contracts
• the location of personal information
• Data Protection Impact Assessments
• Records of data breaches.
• Records of processing of sensitive information are kept on:
• The relevant purposes for which the processing takes place, including why it is necessary for that purpose
• The lawful basis for our processing and
• Whether the personal information is retained or erased in accordance with the Retention Schedule and, if not, the reasons for not following the policy.
• Sky-High Tuition will conduct regular reviews of the personal information it processes and update its documentation accordingly. This may include:
• Carrying out information audits to find out what personal information is held
• Talking to staff about their processing activities
• Reviewing policies, procedures, contracts and agreements to address retention, security and data sharing.

Information Security

Sky-High Tuition will use appropriate technical and organisational measures to keep personal information secure, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

All staff are responsible for keeping information secure in accordance with the legislation and must follow Sky-High Tuition’s acceptable usage policy.

Sky-High Tuition will develop, implement and maintain safeguards appropriate to its size, scope and business, its available resources, the amount of personal data that it owns or maintains on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). It will regularly evaluate and test the effectiveness of those safeguards to ensure security of processing.

Staff must guard against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. Staff must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.

Staff must follow all procedures and technologies put in place to maintain the security of all personal data from the point of collection to the point of destruction. Staff may only transfer personal data to third-party service providers who agree in writing to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

Staff must maintain data security by protecting the confidentiality of the personal data. This means that only people who have a need to know and are authorised to use the personal data can access it.

Staff must maintain data security by protecting the integrity of the personal data. This means that personal data is accurate and suitable for the purpose for which it is processed.

Staff must maintain data security by protecting the availability of the personal data. This means that authorised users can access the personal data when they need it for authorised purposes.

Staff must comply with and not attempt to circumvent the administrative, physical and technical safeguards Sky-High Tuition has implemented and maintains in accordance with the GDPR and DPA.

Where Sky-High Tuition uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. Contracts with external organisations must provide that:

• the organisation may only act on the written instructions of Sky-High Tuition
• those processing data are subject to the duty of confidence
• appropriate measures are taken to ensure the security of processing
• sub-contractors are only engaged with the prior consent of Sky-High Tuition and under a written contract
• the organisation will assist Sky-High Tuition in providing subject access and allowing individuals to exercise their rights in relation to data protection
• the organisation will delete or return all personal information to Sky-High Tuition as requested at the end of the contract

the organisation will submit to audits and inspections, provide Sky-High Tuition with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell Sky-High Tuition immediately if it does something infringing data protection law.

Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval from the Data Protection Officer.

Storage and retention of personal information

Personal data will be kept securely in accordance with the Sky-High Tuition’s data protection obligations. Personal data should not be retained for any longer than necessary. The length of time data should be retained will depend upon the circumstances, including the reasons why personal data was obtained. Personal information that is no longer required will be deleted in accordance with Sky-High Tuition’s Record Retention Schedule.

OUR OPENING HOURS

OPEN 7 DAYS A WEEK