Issue Date of This Version 1/08/2024

Review Period for This Document - One Year from Original Issue

Due Date for Review/Expiry 1/08/2025

1.1 Impact A&C (‘The School’) is committed to preserving the privacy of its learners and employees and to complying with the Data Protection Act 2018 and GDPR 2016. In order to achieve this commitment, the information that we have about our learners and employees will be collected and used fairly, stored safely and not unlawfully disclosed to any other person.

2.0 Principles
2.1 The School, its staff and others who process or use any personal information must ensure that they follow the data protection principles set out in the Data Protection Act 2018 and other relevant legislation in the UK.

These principles are that personal data shall:

• Be obtained and processed fairly and lawfully
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
• Be adequate, relevant and not excessive for those purposes
• Be accurate and kept up to date
• Not be kept longer than is necessary for that purpose
• Be processed in accordance with the data subject rights
• Be kept safe from unauthorised access, accidental loss or destruction
• Not be transferred to any third party

2.2 The School will not release staff or learner data to any third party without the consent of the individual concerned before releasing personal data.

3.0 Responsibilities

3.1 Senior Management
The responsibility of ensuring compliance with this policy and for communicating the policy to all staff lies with the senior management team.

3.2 Data Protection Coordinator
At present the Data Protection Coordinator is the Operations Manager, Sales Manager or Director. They have operational responsibility for the implementation of this policy.

Staff and managers

All staff and managers are responsible for ensuring that staff are aware and are in compliance with this policy.

3.3 All staff and students
All staff and students (and in the case of students under the age of 18, their parents, legal guardians or educational representatives) are responsible for ensuring that all personal data provided to the School is correct and current.

4.0 Compliance
Failure to comply with the data protection policy and procedure may result in disciplinary action.

5.0 Review
The policy and procedure will be reviewed periodically and on ad-hoc basis when it requires changes. Impact A&C reserves the right to update the policy to reflect the latest legal requirements in the UK.

Data Protection Procedure
1.0 Introduction

1.1 The School needs to keep certain information about its employees and learners to monitor recruitment, attendance, performance, achievements and health and safety. It is necessary to process information so that staff can be recruited and paid and our obligations to accrediting bodies can be maintained. To comply with current legislation, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

1.2 This must be done in compliance with Data Protection Principles. According to these principles, data must:

• Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
• Be adequate, relevant and not excessive for that purpose
• Be accurate and current
• Not be kept longer than is necessary for that purpose
• Be processed in accordance with the data subject’s rights
• Be kept safe from unauthorised access, accidental loss or destruction

1.3 The School and all staff who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens the School has developed this policy.

2.0 Responsibilities of staff

2.1 All staff members are responsible for:

• Checking that any information they provide to the School in connection with their employment is accurate and up to date.
• Informing the School of any changes to information, which they provided i.e. change of address.
• Informing the School of any errors or changes. The School is not liable for any errors unless the staff member has informed us of this.

2.2 All staff will process data about individuals on a regular basis, when marking registers, writing reports or references or as part of their pastoral or academic role.

2.3 The School will ensure through registration procedures that all individuals give their consent to this type of processing and are notified of the categories of processing as required by the DPA 2018 and GPPR 2016. The information, that staff deal with on a day to day basis will be standard and will cover categories such as:

• General personal details such as name, contact information and address
• Details about class attendance, coursework marks
• Notes of personal supervision, including matters about behaviour and discipline

2.4 Information about an individual’s physical or mental health, sexual orientation, political or religious views, ethnicity or race, or any other sensitive information can only be processed with consent.

2.5 All staff members have a duty to make sure that they comply with the data protection principles, which are set out in the staff handbook.

2.6 In particular, staff must ensure that records are:

• Accurate
• Up to date
• Fair
• Kept and disposed of safely, and in accordance with the School policy

2.7 The School will designate staff in the relevant area as ‘authorised staff’. These staff members are the only staff authorised to access the data that is:

• Not standard data; or
• Sensitive data

2.8 Authorised staff will be responsible for ensuring that personal data is kept securely. In particular staff must ensure that personal data is:

• Placed in a lockable storage
• Not left on unattended desks or tables
• Not left on unattended on IT equipment or is not accessible to other users; all staff are reminded to log off when not at their work station. All IT equipment must be password protected
• Shredded where appropriate if kept as paper records
• Online personal data should be kept securely on Impact A&C drive or other secured platforms and all staff needs to ensure this information is not shared, leaked (by securing the private wifi sources when accessing the information).

2.9 Staff must not disclose personal data to any individual, unless for normal academic or pastoral purposes, without authorisation or agreement from the data controller, or in line with the School policy.

2.10 Before processing any personal data, all staff should consider:

• Do you really need the information?
• Is the information ‘sensitive’?
• If it is sensitive, do you have the data subject’s express consent?
• Has the individual been told that this type of data will be processed?
• Are you authorised to collect, store and process the data?
• If yes, have you checked with the data subject that the data is accurate?
• Are you sure that the data is secure?
• If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?

3.0 Rights to access information

3.1 Staff, individuals, students (or their legal representatives) and other users of the School have the right to access any personal data that is being kept about them either on computers or in certain files. Any person who wishes to exercise this should complete the School request form for Access to Data and give it to reception.

3.2 The School may make a charge for this request but any waiver is at the discretion of the School.

3.3 The School aims to comply with requests for access to personal information as quickly as possible but within 21 days of request unless there is good reason for the delay. In such cases, the reason for the delay will be explained in writing to the data subject making the request.

4.0 Subject Consent

4.1 In some cases, the School can only process personal data with the consent of the individual. However, if the data is sensitive then express consent must be obtained. Agreement to the School processing some specified classes of personal data is a condition of employment for members of staff and a condition of acceptance of an individual onto any course. This will include information about previous criminal convictions.

4.2 The School may also ask for information about particular health needs such as particular forms of medication, or allergies or any conditions such as asthma or diabetes. The School will only use this information for the purposes of health and safety, however, in the event of a medical emergency, consent from the individual will be required.