You can download this data protection policy by clicking here.
Context and overview
Key details
- Policy Prepared by: Rachel Nussbaum (Sole-trader and Principle)
- Policy became operational on: 25th May 2018
- Next review date: 25th May 2019
Introduction
Pull the Other Speech and Drama Education needs to gather and use certain information about individuals, namely parents and their children registered as our students under speech and drama
tuition for examinations.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law and GDPR policy as of May 2018.
Why this policy exists
The data protection policy ensures Pull the Other Speech and Drama Education
- Complies with data protection law and follows good practice
- Protects the rights of its freelance staff, customers and education partners
- Is open about how it stores and processes individual’s data
- Protects itself from the risks of a data breach
Data Protection law
The General Data Protection Rights (GDPR) 2018 states how organisations – including Pull the Other Speech and Drama Education – must collect, handle and store personal information.
1. Lawfulness, Fairness & Transparency
- Legal Basis such as consent or legitimate interests for processing their data.
- Rights are upheld.
- Individuals are informed who is processing their data and the purpose of processing.
2. Purpose Limitation
- Only process data for the purpose in which it was collected, i.e. to manage the school.
3. Data Minimisation
- Only collect and process necessary data.
4. Accuracy
- That information about individuals is correct and up-to-date.
5. Storage Limitation
- Only retain information for a period that is reasonable.
6. Confidentiality & Integrity
- Data is secure at all times.
- All staff handling data are aware of their responsibilities.
- Complete and correctly linked data.
People, risks and responsibilities
Policy Scope
This policy applies to:
- The sole-trader, Rachel Nussbaum, trading as Pull the Other Speech and Drama Education
- All freelance teaching staff working for Pull the Other Speech and Drama Education
- All volunteers working for Pull the Other Speech and Drama Education
It applies to all data that the company holds relating to identifiable individuals and to process students for lessons and examinations. These include:
- Names of parents and children who are registered students
- Postal addresses
- Email addresses
- Telephone numbers
- Student dates of birth
- Student’s name of current school
- Previous speech and drama experience
- Emergency contact names and numbers of relatives or family friends
Special category data will also be held so we can process students correctly for lessons and examinations but to also ensure the health, safety and well-being of the student, these include:
- Medical conditions
- Special needs
Data Protection risks
This policy helps to protect Pull the Other Speech and Drama Education from some data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, Pull the Other Speech and Drama Education would suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who works for or with Pull the Other Speech and Drama Education has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
- Rachel Nussbaum is ultimately responsible for ensuring that Pull the Other Speech and Drama Education meets its legal obligations.
- Keeping updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Dealing with requests from individuals to see the data Pull the Other Speech and Drama Education holds about them.
- Ensuring all systems services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services, the company is considering using to store or process data. For instance, cloud computing services and PaySubsOnline.com with whom Pull the Other Speech and Drama Education currently stores its data.
- Approving any data protection statements attached to communications such as emails and letters.
General staff guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required to teach, freelance staff are only given this on a need to know basis.
- Pull the Other Speech and Drama Education will provide training to all their freelance staff to help them understand their responsibilities when handling data.
- Freelance staff should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords should be used and they should never be shared.
- Personal data should not be disclosed to unauthorized people, either within the company or externally.
- Data should be regularly reviewed and updated if it’s found to be out of date. If no longer required, it should be deleted and disposed of at the end of each school year.
- Freelance staff should request help from Pull the Other Speech and Drama Education if they are unsure about any aspect of data protection.
Data Storage
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Freelance staff should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between freelance staff.
- If data is stored on removable media (like a CD or DVD) these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and firewall.
Data Use
Personal data is of no value to Pull the Other Speech and Drama Education unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, freelance staff should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically.
- Freelance staff should not save copies of personal data to their own computers. Always access and update the central copy of any data.
Data Accuracy
The law requires Pull the Other Speech and Drama Education to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Pull the Other Speech and Drama Education should put into ensuring its accuracy.
It is the responsibility of all freelance staff who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Freelance staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details on their data system each year.
- Pull the Other Speech and Drama Education will make it easy for data subjects to update the information Pull the Other Speech and Drama Education holds about them. For instance, via the company’s website through the account page with PaySubsOnline.com.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
Subject access requests
All individuals who are the subject of personal data held by Pull the Other Speech and Drama Education are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it – through creating their personal account login with PaySubsOnline.com.
- Be informed how the company is meeting its data protection obligations. If an individual contacts the company requesting this information, this is called a subject access request.
Subject access is currently accessible through the subjects own personal login to our administration software account, PaySubsOnline.com. This is where all subjects can view their own personal data Pull the Other Speech and Drama Education hold on them and their children.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Pull the Other Speech and Drama Education will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the
board and from the company’s legal advisers where necessary.
Providing information
Pull the Other Speech and Drama Education aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is begin used
- How to exercise their rights.
To these ends, Pull the Other Speech and Drama Education has a privacy statement, setting out how data relating to individuals is used by the company. Please see this statement on the last page of this document.
Privacy Notice All registered signatories would have agreed to the below policy
How information about you and your child will be used.
The new General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It stipulates that all businesses must seek consent from their customers to keep in contact and hold their data.
In order to deliver our services for lessons and examinations in Speech and Drama we will need to hold your data for the following reasons:
- Placing your child in the correct class for their age and ability.
- Contacting you through text, phone and email with class information and billing.
- Entering your child for speech and drama examinations with LAMDA registered with the Office of Qualifications and Examinations Regulations (OFQUAL) and Speech and Drama classes in local Drama Festivals that are registered with the Information Commissioner’s Office (ICO).
- To ensure your daughter’s safety during lessons, examinations and performances. As a client we will need to send you regular speech and drama class information and billing will be issued either termly or half termly. If you agree to your information being used in this way, please tick the box.
We will never pass your details on to third parties and will only contact you in direct relation to the Speech and Drama classes. We only use the information you have given us for teaching purposes. Once you have given a full term’s notice to cease lessons your data will be deleted at the end of that current academic year.
Updated: 3rd July 2018
By: Rachel Nussbaum (Sole-trader and Principle of Pull the Other Speech and Drama Education)