Policies

Data protection policy

Overview

On the 25th May 2018 the General Data Protection Regulation (GDPR) will be applicable and the current Data Protection Act (DPA) will be updated by a new Act giving effect to its provisions. Before that time the DPA will continue to apply.

This Policy sets out the manner in which personal data of staff, students and other individuals is processed fairly and lawfully.

Language in Action, part of Malvern International, collects and uses personal information about staff, students, parents or carers, seasonal centres, suppliers, providers, agents, and other individuals who come into contact with the company and its seasonal centres. This information is gathered to enable us to provide education, accommodation, travel, and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that our schools comply with their statutory obligations.

Language in Action, part of Malvern International, has a designated data controller who ensures that we comply with the Data Protection Principles in the processing of personal data, including the way in which the data is obtained, stored, used, disclosed, and destroyed. Language in Action, part of Malvern International, must be able to demonstrate compliance. Failure to comply with the Principles exposes Language in Action, part of Malvern International, and its staff to civil and criminal claims and possible financial penalties.

Aim

This Policy will ensure:

Language in Action, part of Malvern International, processes personal data fairly and lawfully and in compliance with the Data Protection Principles.

All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities under this policy.

That the data protection rights of those involved with the company are safeguarded. Confidence in the company’s ability to process data fairly and securely.

Scope

This Policy applies to:

Personal data of all company employees, interns, volunteers, contractors, board members, students, parents and carers, agents, seasonal centres, suppliers, providers, and any other person carrying out activities on behalf of the company.

The processing of personal data, both in manual form and on computer. All staff and board members.

The data protection principles

The company will ensure that personal data will be:

Processed fairly, lawfully and in a transparent manner;
Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed;
Accurate and, where necessary, kept up to date;
Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
Kept securely and accessible only to authorised persons.

The company will be able to demonstrate compliance with these principles. The company will have in place a process for dealing with the exercise of the following rights by Board members, staff, students, parents and members of the public in respect of their personal data:

To be informed about what data is held, why it is being processed and who it is shared with;
To access their data;
To rectification of the record; To erasure;
To restrict processing;
To data portability;
To object to processing;
Not to be subject to automated decision-making including profiling.

Roles and responsibilities

The Director responsible for ensuring the appointment of a ‘Data Controller’ (usually this person will be the Operations Manager).

The Data Controller serves the function of Data Protection Officer. They will have responsibility for all issues relating to the processing of personal data and will report directly to the Director.

The Data Controller Officer will comply with responsibilities under the GDPR and will deal with subject access requests, requests for rectification and erasure, data security breaches. Complaints about data processing will be dealt with in accordance with the LiA Complaints Policy.

The Data Controller is responsible for ensuring that all departments and their support services implement good data protection practices and procedures and for compliance with the Data Protection Principles.

It is the responsibility of all staff to ensure that their working practices comply with the Data Protection Principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures forming part of this policy.

Reasons/purpose for processing information

We process personal information to enable us to: provide education, training and educational support services such as accommodation and travel to our clients. It is also necessary for us to ensure the Safeguarding of our students and maintain student welfare. In addition, this information is required for us to administer our centres, maintain our own accounts and records and to support and manage our employees.

Our residential and classrooms providers also use CCTV systems to monitor and collect visual images for security and the prevention of crime.