Data Protection Policy

The Literacy Tree Data Protection Policy – 2018

CONTEXT

Literacy Tree is required to process personal data regarding staff and users of Literacy Tree, relevant to its operation and shall take all reasonable steps to do so in accordance with this Policy.
Processing may include obtaining, recording, holding, handling, disclosing, transporting, destroying or otherwise using data.

All staff are responsible for complying with this policy.

2. SCOPE

2.1 This Policy covers the company’s acquisition, handling and disposal of the personal and sensitive personal data it holds on all staff and users of Literacy Tree. It also applies to contractors. It explains the company’s general approach to data protection which is to ensure that individual’s personal data and information is protected and appropriately processed and provides practical guidance which will help to ensure that the School complies with the Data Protection Act 1998 (the Act) and anticipates the General Data Protection Regulations 2018 (GDPR) which became law on 25th May 2018.

3. DEFINITIONS

3.1 Personal data is:

• any information about a living person who can be identified (e.g. their name, address, online identifier such as an IP address, bank details, images of teachers engaging in training, references or expressions of opinion about them). It makes no difference if they can be identified directly from the record itself or indirectly using other information in the company’s possession or likely to come into the company’s possession.
• personal information that has been, or will be, word processed or stored electronically (e.g. computer databases and third party data distributors that the company uses, e.g Mailchimp), personal information that is, or will be, kept in a file which relates to an individual or in a filing system that is organised by reference to criteria which relate to the individuals concerned

3.2 Sensitive personal data is:

• any information about a person’s mental or physical health or condition, their political or religious beliefs, race, ethnicity, sexual life or orientation, trade union membership, criminal offences or alleged offences and any proceedings.

3.4 The Data Controller:

The company is the Data Controller and is responsible for determining the purposes of its use of data - what data it gathers and how this information is used. As the Data Controller the company is responsible for complying with the Act.

3.5 The Information Security Officer:

The company has appointed one of the Directors as its Information Security Officer, responsible for day to day compliance with this Policy. She can be contacted at Unit D129, The Literacy Tree, 40, Martell Road, London SE21 8EN or at lynn@literacytree.com

4. ACQUIRING, USING AND DISPOSAL OF PERSONAL DATA

4.1 The company shall only process personal data for specific and legitimate purposes. These are:

• providing training for teachers
• providing references for staff.
• protecting and promoting the interests and objectives of the company
• promoting the company to prospective clients (schools)
• communicating with clients (schools)
• for personnel, administrative and management purposes. For example to pay staff and to monitor their performance.

4.2 The company shall not hold unnecessary personal data, but shall hold sufficient information for the purpose for which it is required. The company shall record that information accurately and shall take reasonable steps to keep it up-to-date. This includes an individual's contact and medical details.

4.3 The company shall not transfer personal data outside the European Economic Area (EEA) without the data subject's permission unless it is satisfied that the data subject's rights under the GDPR will be adequately protected and the transfer has been approved by the Information Security Officer.

4.4 When the company acquires personal information that will be kept as personal data, the company shall be fair to the data subject and fair to whoever provides the information (if that is someone else) in that their data will be handled and safeguarded in compliance with the GDPR.

4.5 The company shall only keep personal data for as long as is reasonably necessary and in accordance with the retention and disposal guidelines set out in the Privacy Statement (April 2018)

4.6 Disclosing personal data outside of the company: Sharing personal data with others is often permissible so long as doing so is fair and lawful under the GDPR. See our Privacy Statement (April 2018)

5. DATA BREACHES

5.1 Definition: A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure or access to personal data.

5.2 Reporting obligations: Any actual data breach or alleged data breach must be reported to the Information Security Officer as soon as it is discovered, whatever time that might be, to enable its circumstances to be

RELATED POLICIES

Privacy Statement (April 2018)