Aims of the Policy
Birmingham Education Consultants Limited needs to keep certain information on its employees, customers and service users to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers staff, customers and service users.
In line with the Data Protection Act 1998 principles, Birmingham Education Consultants Limited will ensure that personal data will:
- Be obtained fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specific and lawful purpose.
- Be adequate and relevant but not excessive.
- Be accurate and where necessary, kept up to date.
- Not be held longer than necessary.
- Be processed in accordance with the rights of data subjects under the Act.
- Be subject to appropriate security measures.
- Not be transferred outside the European Economic Area (EEA).
The definition of 'Processing' is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes paper based personal data as well as that stored electronically.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. Birmingham Education Consultants Limited will seek to abide by this code in relation to all the personal data it processes, i.e.
- Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
- Consent: The collection and use of personal data must be fair and lawful and in accordance with the Data Protection Act's eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
- Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Type of Information Processed
School Stickers processes the following personal information:
- Employee personal information
- Customer data / contact details
- Service user data
Personal information is kept in the following forms:
- Paper based systems
- Electronic systems
Groups of people within the organisation who will process personal information are:
The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.
Birmingham Education Consultants Limited have notified the Information Commissioner that we process data for the following purposes:
- Staff Administration
- Advertising, Marketing and Public Relations
- Accounts and Records
If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Birmingham Education Consultants Limited.
The Data Controller is responsible for:
- Understanding and communicating obligations under the Act
- Identifying potential problem areas or risks.
- Producing clear and effective procedures.
- Notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes within required timescales.
All employed staff who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy may result in disciplinary proceedings.
To meet our responsibilities, employed staff will:
- Ensure any personal data is collected in a fair and lawful way.
- Explain why it is needed at the start.
- Ensure that only the minimum amount of information needed is collected and used.
- Ensure the information used is accurate and where necessary, kept up to date.
- Review the length of time information is held.
- Ensure it is kept safely.
- Ensure the rights people have in relation to their personal data can be exercised.
We will ensure that:
- Everyone managing and handling personal information is trained to do so.
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, customer or service user, knows what to do.
- Any disclosure of personal data will be in line with our policy and procedure.
- Queries about handling personal information will be dealt with swiftly and politely.
Training and awareness raising about the Data Protection Act and how it is followed within Birmingham Education Consultants Limited will take the following forms:
On induction: Training will be given to staff regarding the organisation's responsibilities and good practice. They will also be issued with a copy of the Data Protection Policy and Procedure.
General training / awareness raising: The Data Protection Policy will be made available to all staff, and training / refreshers will be given during Team Meetings and when deemed necessary, but at least annually.
Gathering and Checking Information
Before personal information is collected, we will consider:
- What details are necessary for our purposes.
- How long we are likely to need this information for.
- How this information is going to be stored and processed.
We will inform people whose information is gathered about the following:
- Why the information is being gathered.
- What the information will be used for.
- Who will have access to their information (including third parties).
We will take the following measures to ensure that personal information kept is accurate:
- Staff are asked to inform us of any changes to their personal circumstances, where relevant, as and when they occur.
- Purchased data used for marketing purposes is updated six monthly by the marketing company that we originally obtained this data from.
- As many of our service users are children and we do not contact them directly, it is the responsibility of the user to update the personal details within their individual accounts.
Personal sensitive information will not be used other than for the exact purpose for which permission was given.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
- Using lockable cupboards (restricted access to keys).
- Password protection on personal information files.
- Setting up computer systems to allow restricted access to certain areas.
- Not allowing personal data to be taken off site (as hard copy, on laptops, memory sticks or any other removable device).
- Back up of data on computers is kept secure.
- Password protected attachments for sensitive personal information sent by email.
- Service user data is kept within secure servers situated off site.
- Training relevant staff on security procedures.
- Computers that are no longer required will be hard formatted on site before being safely recycled.
- Detecting and investigating any breaches of security should they occur.
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
Subject Access Requests
Anyone whose personal information we process has the right to know:
- What information we hold and process on them
- How to gain access to this information
- How to keep it up to date
- What we are doing to comply with the Act
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to:
Mr Neil Hodges – Managing Director
Birmingham Education Consultants Limited
2 Lawford Terrace
We may make a charge of £10 on each occasion access is requested.
The following information will be required before access is granted:
- Full name and contact details of the person making the request.
- Their relationship with the organisation (former / current member of staff, customer or service user).
- Any other relevant information, e.g. timescales involved.
We may also require proof of identity before access is granted. The following forms of identification will be required:
- Passport, birth certificate or driving licence.
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days (required by the Act) from receiving the written request and relevant fee.
This policy will be reviewed annually to ensure it remains up to date and compliant with the law.