Data protection policy
Kingsley School of English is committed to making sure that the privacy of our data subjects is protected, in line with current data protection regulations.
This is the general data protection policy for Kingsley School of English (KSE) for the educational services and support services we provide.
Aim and scope of policy
This policy explains what information we collect, how we use this information, how our data subjects can tell us if they prefer to limit the use of their information, and the procedures that we have in place to safeguard their privacy.
It also covers our response to any data breach and other rights under GDPR.
We collect personal information from the following data subjects:
- Students and their emergency contacts both in London & their home country
- Teaching and support staff
We collect different types of personal information for these reasons:
- To help students to enrol for our courses and send them the information they need to attend
- To make sure that we are fulfilling our legal obligations
- To help us to monitor and improve the services we offer
- To keep students up-to-date about the courses they have enrolled for, or services they have bought
- To fulfil contracted services
- If we have permission from the user, to market courses and services to them.
We make a commitment to ensure that personal data, including special categories of personal data and criminal offence data (where appropriate) is processed in line with GDPR and domestic laws and all its employees conduct themselves in line with this, and other related policies.
Where third parties process data on behalf of KSE, we will ensure that the third party takes such measures in order to maintain KSE’s commitment to protecting data. In line with GDPR, we understand that the school will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
Types of data held
Personal data is kept in personnel files or within KSE’s HR systems. The following types of data may be held by KSE, as appropriate, on relevant individuals including teaching and support staff, students, and their emergency contacts:
- name, address, email, phone numbers (including mobile phone)- for individuals and emergency contacts
- date of birth, gender, nationality and first language
- passport, visa/biometric details where necessary (or alternative ID, such as driving licence)
- CVs and other information gathered during recruitment (degree and teaching qualification)
- references from former employers and character references
- National Insurance number
- bank account details
- job title, job descriptions and pay grades
- course of study (for students)
- conduct issues such as letters of concern, disciplinary proceedings
- holiday records
- internal performance information
- medical or health information
- DBS number
- sickness absence records
- tax codes
- terms and conditions of employment
- training details
We collect information:
- when students enrol for a course
Data protection principles
All personal data obtained and held by KSE will:
- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit, and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- comply with the relevant GDPR procedures for international transferring of personal data.
We collect personal data in the full knowledge that your rights are protected. Therefore, you have the right:
- to be informed
- of access
- for any inaccuracies to be corrected (rectification)
- to have information deleted (erasure)
- to restrict the processing of the data
- to portability
- to object to the inclusion of any information
- to regulate any automated decision-making and profiling of personal data.
Kingsley School of English has taken these steps to protect the personal data it holds of relevant individuals:
- it provides information to its staff & students on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
- it provides its staff & students with information to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
- it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
- it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security.
- it recognises the importance of seeking our data subjects’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so. KSE understands that consent must be freely given, specific, informed and unambiguous. KSE will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought.
- it will always make it as easy as possible for our data subjects to choose not to allow us to use their data, providing it does not prevent us from giving them the service requested or undertaking the agreed contract.
- it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences
- it is aware of the implications of international transfer of personal data.
Access to data
Data subjects can check, correct, instruct KSE to limit or erase any personal information we might hold about you. You can also ask us to provide all the information we hold on you.
To do this, you should send your request to the principal.
We promise to action your request within 30 days.
If you are not satisfied with the way your request was handled, you have the right to make a complaint with the Information Commissioner’s Office
OSE may be required to disclose certain data/information to any person for these reasons:
- any employee benefits operated by third parties
- disabled individuals – whether any reasonable adjustments are required to assist them at work
- individuals’ health data – to comply with health and safety or occupational health obligations towards the employee
- for Statutory Sick Pay purposes
- HR management and administration – to consider how an individual’s health affects his or her ability to do their job
- the smooth operation of any employee insurance policies or pension plans.
These kinds of disclosures will only be made when strictly necessary for the purpose.
KSE adopts procedures designed to maintain the security of data when it is stored and transported in accordance with GDPR.
KSE ensures that:
- all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
- all files or written information of a confidential nature are not left where they can be read by unauthorised people
- regular checks are made on the accuracy of data being entered into computers
- passwords are always used to access the computer system and are not abused by being passed on to people who should not have them
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of KSE becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, KSE will do so without undue delay.