DATA PROTECTION

Introduction

The College holds personal data about our employees, clients, suppliers, students and other individuals for a variety of business purposes.

This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Compliance Officer (CO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

Definitions

Business purposes

The purposes for which personal data may be used by us:

Personnel, administrative, financial, regulatory, payroll and business development purposes.

Business purposes include the following:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice. For example, our obligations for processing data in relation to staff pension schemes.
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests. For example, fulfilling a request for information in the course of personal injury claim against the College.
  • Ensuring business policies are adhered to (such as policies covering email and internet use). For example, the use of privacy notices and email disclaimers to all.
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information and security vetting. For example, Cornerstone College has a regulatory requirement to carry out Disclosure and Barring Service checks on all newly recruited staff.
  • Investigating complaints.
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments.
  • Monitoring staff conduct and disciplinary matters.
  • Marketing our College.
  • Improving services.

Personal data

Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, students, suppliers and marketing contacts.

Personal data we gather on students may include:

  • Personal details: this includes name, date of birth, address, qualifications, next of kin (and places of work, if relevant), telephone numbers plus a photograph.
  • Details concerning health – for instance whether they are diabetic, suffer from asthma etc.
  • Details of any disabilities which might have an impact on their academic study, e.g. dyslexia.
  • Details about academic performance, expected and actual results, references and attendance.
  • A copy of the student contract.
  • Copies of any other related agreements, e.g. use of IT, permission to attend trips.
  • Details of any meetings held with family and/or external agencies.
  • Details of any change of course taken.
  • Details of any certificates/assessments held concerning academic progress, e.g. reports, referrals.
  • Personal details required for examination entries and any other communications with examination boards.
  • Details of any disciplinary meetings held with members of staff.

The following information is held by the College on staff:

  • Personal details: name, address, date of birth, qualifications, next of kin.
  • Details of physical and/or mental health: details about specific conditions individuals may suffer from, such as asthma or diabetes.
  • Information about sickness absences and any medical reports we may have received.
  • Details about work performance, including notes of observation sessions, appraisals, and staff development.
  • Personal information: details about start date, pension and pay details, any current disciplinary or grievance matters, any deductions from salary or any loans.
  • Details about any criminal record.
  • References produced by the College.

Sensitive personal data

Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data must be strictly controlled in accordance with this policy.

In this document the phrase ‘data processing’ means almost anything done with information. In accordance with the Data Protection Act 2018, Cornerstone College ensures that personal information stored by the College is fairly and lawfully processed.

Scope

This policy applies to all staff, who must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Staff will be notified of changes.

The Data Protection Principles

Cornerstone College sets this policy in the spirit of the Data Protection Principles, which are set out by legislation and expressed below:

  1. Data must be processed fairly and lawfully.
  2. Data should be obtained only for one or more specified and lawful purposes.
  3. Personal data held shall be adequate, relevant, and not excessive.
  4. Data should be accurate and up to date.
  5. Data should be held no longer than for the purpose it was originally collected.
  6. Data should be processed in accordance with the data subject’s rights under the Act.
  7. Data should be secured.
  8. Data should only be transferred to other countries if they have suitable or equivalent security measures.

Cornerstone College ensures that we process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.

Who is responsible for this policy?

The Compliance Officer (CO) is responsible for the processing of data. The CO must ensure that data processing complies with the Data Protection Act, determine the purposes for which the data will be used and oversee the implementation of this policy.

The Compliance Officer’s responsibilities:

  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and policies on a regular basis.
  • Arranging data protection training and advice for all staff members and those included in this policy.
  • Answering questions on data protection from staff, board members and other stakeholders.
  • Responding to individuals, such as Parents/Guardians, Students and employees who wish to know which data is being held on them by the College.
  • Checking and approving any contracts or agreements regarding data processing with third parties that handle the company’s data.

Responsibilities of the IT Manager:

  • Ensuring all systems, services, software and equipment meet acceptable security standards.
  • Checking and scanning security hardware and software regularly to ensure it is functioning properly.
  • Researching third-party services, such as cloud services the company is considering using to store or process data.

Responsibilities of the Marketing Manager:

  • Approving data protection statements attached to emails and other marketing copy.
  • Addressing data protection queries from Parents/Guardians, Students, prospective employees, target audiences or media outlets.
  • Coordinating with the CO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy.

Cornerstone College Procedure

The processing of all data:

Cornerstone College shall always have a legitimate reason for the collecting and storing of data (for example to provide information to the Department of Education’s annual census) and will always ensure that the processing of data has no adverse effect on any individual. It will be transparent in processing data and where appropriate inform individuals through a ‘privacy notice’ that their personal information is being processed.

The processing of all data must be:

  • Necessary to deliver our services.
  • In our legitimate interests and not unduly prejudicial to the individual’s privacy.

In most cases this provision will apply to routine College data processing activities.

Privacy Notice

Cornerstone College’s terms of business contain a Privacy Notice on data protection for students, staff, contractors and all other individuals dealing with the College.

The notice:

  • Sets out the purposes for which we hold personal data on students and employees.
  • Highlights that our work may require us to give information to third parties such as professional advisers and external agencies.
  • Provides that students have a right of access to the personal data that we hold about them.

The privacy notice can be found on Cornerstone College’s website.

Sensitive personal data

In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this, unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work, safeguarding, etc.). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

Sometimes it is necessary to process information about a person’s criminal convictions, race and gender and family details. This may be to ensure that Cornerstone College is a safe place for everyone, or to operate other policies, such as the Equality Opportunities Policy and Child Protection and Safeguarding. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes or disabilities. The College will only use the information for the protection of the health and safety of the individual, but will need consent to process this information, for example in the event of a medical emergency. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason.

Conditions for processing personal data

Before data may be processed one of the following conditions must be met:

  1. the individual (data subject) has given their consent
  2. the processing is necessary in relation to a contract
  3. the processing is necessary because of a legal obligation
  4. the processing is necessary to protect the individual’s vital interests
  5. the processing is necessary for the administration of justice or other statutory functions
  6. any other legitimate interest

Conditions for processing sensitive personal data

Because such information might be used in a discriminatory way, the conditions for processing it are more stringent, and one of the following must be met:

  1. the individual has given consent
  2. the processing is required by employment law
  3. the processing is necessary to protect the vital interests of the individual or a third party
  4. the individual has made the information public
  5. the processing is necessary for statutory reasons
  6. the processing is carried out with a third party who is bound by a professional code of conduct (a doctor for example)
  7. the processing is required to monitor equal opportunities
  8. the processing is necessary to prevent crime or protect the public.

Exemptions

Generally, all personal data collected and processed will be subject to the Data Protection Act. However, some exemptions may apply:

  • References: Cornerstone will on occasion give a confidential reference to a third party (regarding education, employment/training, appointment to a public office, a service being provided by the data subject, etc.). Such references remain confidential and are exempt from the requirements of the Act. References we have received and kept on file are not exempt. We must, however, ensure that the rights of the referee are considered: information about the individual referee should not be disclosed without explicit consent (anonymising the information is acceptable). The College cannot refuse to disclose confidential references without providing reasons.
  • Crime and taxation: personal data may have to be disclosed to government departments or the Police. Data will only be released on the basis of properly drawn up requests.
  • Vital interests: personal data may be released if it is in the vital interests of the individual, e.g. a medical emergency.
  • Under 19 students: the College will normally release information about a student’s progress and attendance to the parents or guardians of students who were under 19 years of age on the previous 31st August.

Accuracy and relevance

Cornerstone will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the CO.

Your personal data

Employees and students must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the CO so that they can update your records. Examples of the type of data Cornerstone College may process are set out above in the section titled ‘Definitions, Personal Data’.

Data security

All members of the Cornerstone community must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the CO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations. For example, payment of pensions and salaries are outsourced to third parties.

Storing data securely

In cases when data is stored on printed paper, it is kept in a secure place where unauthorised personnel cannot access it. Printed data is shredded when it is no longer needed. Data stored on a computer is protected by strong passwords that are changed regularly. All staff and students use a password manager to create and store their passwords.

Data stored on CDs or memory sticks must be locked away securely when they are not being used.

The CO must approve any cloud used to store data.

Servers containing personal data must be kept in a secure location, away from general office space.

Data should be regularly backed up in line with Cornerstone’s backup procedures.

Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.

All servers containing sensitive data must be approved and protected by security software and a strong firewall.

We store all sensitive personal information securely either in locked filing cabinets or in computer files which are password protected.

Our computer network system is protected by a robust firewall which is monitored by our premises manager.

All administrative and teaching staff are trained in the proper use of personal data. For example, they only communicate with clients and persons related to clients through authorised channels. They must properly annotate and store all such communication. They must report all breaches of data security to the CO. They are aware that they may be subject to criminal proceedings should they deliberately try to access or disclose personal data without authority.

They are aware of the threat posed by ‘phishing’ emails and hackers.

Although rarely used we ensure that fax transmissions of sensitive data are double checked to ensure the correct telephone number. We should ensure that we are confident of the receiver’s identity and that the receiver is standing by their fax machine. We use cover sheets for all fax transmissions and where appropriate seek other modes of transmission.

Before we dispose of any computer equipment we ensure that there is no data stored within the equipment. The College is committed to keeping our security systems and security software systems up-to-date and has suffered no major incidents at the time of writing this policy.

All staff are aware of the importance of checking credentials.

The premises manager is responsible for maintaining security of access, maintaining security of data and physical protection of data on our premises. This includes:

  • The proper training of all staff about authorised entry to the building.
  • Maintenance of our keypad security entry systems.
  • The proper admission procedure for all guests to the College.
  • The maintenance of our CCTV system.
  • Fire safety.

Breaches of security

Cornerstone takes breaches of security seriously. Breaches of security can be caused by a number of factors. Some examples are:

  • Loss or theft of student or staff data and/or equipment on which data is stored;
  • Inappropriate access controls allowing unauthorised use;
  • Equipment failure;
  • Human error;
  • Unforeseen circumstances such as fire or flood;
  • Hacking;
  • ‘Blagging’ offences, where information is obtained by deception.

Cornerstone aims to carry out the following procedure to mitigate such circumstances:

  1. Have a data recovery plan.
  2. Carry out a proper assessment of risks.
  3. Notify all related parties such as the ICO, relevant data subjects, the police and banks.
  4. Institute a proper procedure of evaluation and response.
  5. Regularly update the protocol in relation to breaches of security.
  6. Keep the computer databases password-protected.

See Appendix 1 for full Breach of Security Procedure.

Data retention

Cornerstone retains personal data for no longer than is necessary for the purpose for which it was collected. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines (see Appendix 2).

Transferring data internationally

There are restrictions on international transfers of personal data which Cornerstone abides by. Staff and Students are made aware that they must not transfer personal data anywhere outside the UK without first consulting the CO.

Subject access requests

Cornerstone is aware that under the Data Protection Act 2018, individuals are entitled, subject to certain exceptions, to request access to information held about them. Such subject access requests (SARs) should be made to the CO and include contact details and an outline of the specific information required.

Staff who receive a subject access request should refer that request immediately to the CO, who may ask them to help comply with those requests.

Cornerstone is a paperless organisation and therefore information for SARs will be drawn from data primarily held digitally and/or on paper, excluding safeguarding notes and correspondence, which must be requested separately and will be released at the discretion of the College. The College does not collect information for SARs from Google Chat. All Google Chat content is automatically deleted every 24 hours. The College prohibits using this platform to discuss safeguarding issues, and so on this risk assessed basis the content is not stored for any longer than 24 hours.

Staff and Students may contact the CO if they would like to correct or request information that Cornerstone College holds about them. There are also restrictions on the information to which individuals are entitled under applicable law.

The College aims to comply with subject access requests as quickly as possible, but will ensure that it is provided within a calendar month of receiving the request, unless there is good reason for delay such as redaction of information that relates to other parties. In such cases, the College will inform the data subject in writing of the cause of the delay.

Processing data in accordance with the individual’s rights

Information must be processed consistent with the rights of individuals with regard to processing personal data. These rights include:

  1. A right to a copy of all processed information; in this case the individual will make a ‘subject access request’. We understand that information about our students belongs to them, so any request for information by a related third party may only be granted with the consent of the student.

This provision is subject to:

  1. The student’s maturity
  2. The nature of the personal data
  3. Any court orders
  4. Our duty of confidence to the child
  5. The consequences of disclosing the information especially in cases of suspected abuse
  6. Any detriment to the student should the third party not have access to the information
  7. The views of the student.

A request for information which involves others may be declined unless we have the other’s consent.

  2. A right to object to the processing of information. Any such objection must be provided in proper written form and, depending on circumstances defined by the Act, may not always be granted.
  3. In certain circumstances, a right to have inaccurate information rectified, blocked, erased or destroyed.
  4. A right to claim compensation.
  5. A right not to participate in any direct marketing.
  6. Secure.

Marketing

Cornerstone will not send direct marketing material to someone electronically (e.g. via email) unless we have an existing business relationship with them in relation to the services being marketed or an understanding that parties have given consent.

All members of the Cornerstone community will contact the CO for advice on direct marketing before starting any new direct marketing activity.

Training

All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through an in-house seminar on a regular basis. It will cover:

  • The law relating to data protection
  • Our data protection and related policies and procedures.

Completion of training is compulsory.

It is our policy to develop an understanding of the rights of individuals under the Data Protection Act through internal programmes as well as with training of all teachers and admin staff. Topics would include: What is personal data? How may personal data be used? How should you keep personal data safe? What rights do you have with regard to processing personal data?

Other types of data not covered by the Act

This is data that does not identify a living individual and therefore is not covered by the remit of the Data Protection Act; it may fall under other access to information procedures. This would include:

  • Plans (where no individual pupil is named),
  • Teaching Resources,
  • Other information about the College which does not relate to an individual.

Some of this data would be available publicly (for instance the diary for the forthcoming year), and some of it may need to be protected by the College (for example, if Cornerstone has written a detailed scheme of work that it wishes to sell to other Colleges). Cornerstone may choose to protect some data in this category, but there is no legal requirement to do so.

Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data is important for Cornerstone. The following are details on how we collect data and what we will do with it:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • Identity and contact details of any data controllers
  • Details of transfers to third countries and safeguards
  • Retention period

Conditions for processing

Cornerstone will ensure that any use of personal data is justified using at least one of the conditions for processing, and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

Justification for holding personal data

Cornerstone will process personal data in compliance with all eight data protection principles as stated in this policy.

Cornerstone will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.

Consent

The data that Cornerstone collects is subject to active consent by the data subject. This consent can be revoked at any time. However, Cornerstone reserves the right to process data where consent may not be obtained, in line with competing statutory duties; for example, in accordance with Cornerstone’s duty of care in relation to safeguarding (see the Child Protection and Safeguarding Policy and Procedure and the Exemptions section above).

Criminal record checks

Any criminal record checks are justified by law as an education provider.

Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Privacy by design and default

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The CO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

International data transfers

No data may be transferred outside of the EEA without first discussing it with the CO. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.

Data audit and register

Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary
  • Maintain a register of compliance failures
  • Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

Monitoring

All Students and staff must observe this policy. The CO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.

All staff and students are responsible for the following:

  • Checking that any information that they provide to Cornerstone in connection with their employment is accurate and up to date, and informing the College of any changes to or errors in information which they have provided, e.g. changes of address.
  • They must ensure that changes of address, etc. are notified to the admin staff. The College cannot be held responsible for any such errors unless the staff member or student has informed Cornerstone of them.
  • If and when, as part of their responsibilities, staff collect information about other people (for example, about students’ coursework, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with this policy.

Consequences of failing to comply

Cornerstone takes compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.

Surveillance

Cornerstone acknowledges its data protection obligations in relation to CCTV. It adopts, where applicable, the ICO’s code of practice.

This section also serves as a notice and a guide to data subjects (including pupils, parents, staff, volunteers, visitors to the College and members of the public) regarding their rights in relation to personal data recorded via the CCTV system.

All fixed cameras are in plain sight on the premises, and Cornerstone does not routinely use CCTV for covert monitoring or monitoring of private property outside the College.

Data captured for the purposes below will not be used for any commercial purpose.

Objectives of the System:

  • To protect pupils, staff, volunteers, visitors and members of the public with regard to their personal safety.
  • To protect the College buildings and equipment, and the personal property of pupils, staff, volunteers, visitors and members of the public.
  • To support the police in preventing and detecting crime, and assist in the identification and apprehension of offenders.
  • To monitor the security of the site.
  • To monitor staff and contractors when carrying out work duties.
  • To promote good behaviour of students.

Locations have been selected that the College reasonably believes require monitoring to address the stated objectives.

Warning signs are placed in prominent positions to inform anyone entering the area, such as pupils, staff, volunteers, visitors and members of the public that they are entering a monitored area, identifying the College as the Data Controller and giving contact details for further information regarding the system.

No images will be captured from areas in which individuals would have a heightened expectation of privacy, including changing and washroom facilities.

Maintenance

The CCTV system will be operational 24 hours a day, every day of the year.

The System Manager (defined below) will check and confirm that the system is properly recording and that cameras are functioning correctly, on a regular basis.

The system will be checked and (to the extent necessary) serviced, annually.

Supervision of the System

Staff authorised by Cornerstone to conduct routine supervision of the System may include:

Images will be viewed and/or monitored in a suitable environment where it is unlikely they will be accessed or inadvertently viewed by unauthorised persons.

Storage of Data

The system is administered and managed by Cornerstone, who will act as the Data Controller. The day-to-day management of images will be the responsibility of the IT Services Manager who will act as the System Manager, or such suitable person as the System Manager.

Images will be stored for two weeks, and automatically over-written unless Cornerstone considers it reasonably necessary for the pursuit of the objectives outlined above, or if lawfully required by an appropriate third party such as the police or local authority.

Where such data is retained, it will be retained in accordance with the Act and our Data Protection Policy. Information including the date, time and length of the recording, as well as the locations covered and groups or individuals recorded, will be recorded in the system log book.

Access to Images

Access to stored CCTV images will only be given to authorised persons, under the supervision of the System Manager, in pursuance of the above objectives (or if there is some other overriding and lawful reason to grant such access).

The System Manager must satisfy themselves of the identity of any person wishing to view stored images or access the system, and of the legitimacy of the request. The following are examples of when the System Manager may authorise access to CCTV images:

  • Where required to do so by the Principal, the Police or some relevant statutory authority and in accordance with the law;
  • To make a report regarding suspected criminal behaviour;
  • To enable the Designated Safeguarding Lead or his/her appointed deputy to examine behaviour which may give rise to any reasonable safeguarding concern;
  • To assist the College in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s management of a particular incident;
  • To data subjects (or their legal representatives) pursuant to an access request under the Act, provided that the time, date and location of the recordings are furnished to the College (see the Data Protection Policy);
  • To the College’s insurance company where required in order to pursue a claim for damage done to insured property;
  • In any other circumstances required under law or regulation.

Where images are disclosed as described above, a record will be made in the system log including the person viewing the images, the time of access, the reason for viewing the images, the details of the images viewed and a crime incident number (if applicable).

Where images are provided to third parties as described above, steps will be taken, wherever practicable, to obscure images of non-relevant individuals.

Other CCTV systems

Cornerstone may be provided by third parties with CCTV images and will manage these in accordance with the College’s own Data Protection Policy and/or Behaviour policy.

For example, many pupils travel on coaches provided by third party contractors, and a number of these coaches are equipped with CCTV systems. Cornerstone may use these in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s management of a particular incident. Parents are informed of this as part of the Coach Service Registration document, to which they agree when registering their son or daughter for the coach service.

Complaints

Any complaints in relation to the College’s CCTV system or its use of CCTV should be referred to the Principal.

We have notified the Information Commissioner’s Office that we process and store personal information, as we are required to do by the Data Protection Act.

Compliance Officer: Dr Obikwu

DATA PROTECTION REGISTRATION NO: ZB596724

Authorised by: The Principal
Date: September 2023
Effective date of the policy: September 2023
Circulation: Teaching staff / all staff / parents / students on request
Review date: September 2024

Appendix 1: Data Breach Procedure

Policy Statement

Cornerstone holds large amounts of personal and sensitive data. Every care is taken to protect personal data and to avoid a data protection breach. In the unlikely event of data being lost or shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. This breach procedure applies to all personal and sensitive data held by Cornerstone.

This procedure applies to all College staff.

Purpose

This breach procedure sets out the course of action to be followed by all staff at Cornerstone if a data protection breach takes place.

Legal Context

The Data Protection Act 1998 makes provision for the regulation of the processing (use) of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

Principle 7 of the Act states that organisations which process personal data must take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Types of Breach

Cornerstone takes breaches of security seriously. Breaches of security can be caused by a number of factors. Some examples are:

  • Loss or theft of pupil or staff data and/or equipment on which data is stored;
  • Inappropriate access controls allowing unauthorised use;
  • Equipment failure;
  • Human error;
  • Unforeseen circumstances such as fire or flood;
  • Hacking;
  • ‘Blagging’ offences where information is obtained by deception.

Immediate Containment/Recovery

On discovery of a data protection breach, the following steps should be followed:

  1. The person who discovers/receives a report of a breach must inform the CO. If the breach occurs or is discovered outside normal working hours, this should begin as soon as is practicable.
  2. The CO must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach. An example might be to shut down a system, or to alert relevant staff such as the IT technician.
  3. As a registered Data Controller, it is Cornerstone’s responsibility to take the appropriate action and conduct any investigation.
  4. The CO must also consider whether the Police need to be informed. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
  5. The CO must quickly take appropriate steps to recover any losses and limit the damage. Steps might include:
     • Attempting to recover lost equipment.
     • Consideration should be given to a global email to all College staff. If an inappropriate enquiry is received by staff, they should attempt to obtain the enquirer’s name and contact details if possible and confirm that they will ring the individual making the enquiry back.
     • Whatever the outcome of the call, it should be reported immediately to the CO.
     • The use of back-ups to restore lost/damaged/stolen data.
     • If bank details have been lost/stolen, consider contacting banks directly for advice on preventing fraudulent use.
     • If the data breach includes any entry codes or IT system passwords, then these must be changed immediately and the relevant agencies and members of staff informed.

Investigation

In most cases, the next stage would be for the CO to fully investigate the breach. They should ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation.

The investigation should consider:

  • Type of data;
  • Its sensitivity;
  • What protections are in place (e.g. encryption);
  • What has happened to the data;
  • Whether the data could be put to any illegal or inappropriate use;
  • How many people are affected;
  • What type of people have been affected (pupils, staff members, suppliers etc) and whether there are wider consequences to the breach.

A clear record should be made of the nature of the breach and the actions taken to mitigate it.

The investigation should be completed as a matter of urgency and, wherever possible, within five days of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

Notification

Some people/agencies may need to be notified as part of the initial containment. However, the decision will normally be made once an investigation has taken place. The CO should, after seeking expert or legal advice, decide whether anyone should be notified of the breach.

In the case of significant breaches, the Information Commissioner’s Office (ICO) should be notified. Incidents should be considered on a case-by-case basis. The following points will help you to decide whether and how to notify:

  • Are there any legal/contractual requirements to notify?
  • Will notification help prevent the unauthorised or unlawful use of personal data?
  • Could notification help the individual – could they act on the information to mitigate risks?

If a large number of people are affected, or there are very serious consequences, you should notify the ICO. The ICO should only be notified if personal data is involved. There is guidance available from the ICO on when and how to notify them.

Consider the dangers of over-notifying. Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work. The notification should include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to mitigate the risks posed by the breach. When notifying individuals, give specific and clear advice on what they can do to protect themselves and what you are willing to do to help them.

You should also give them the opportunity to make a formal complaint if they wish following the College’s Complaints Procedure.

Review and Evaluation

Once the initial aftermath of the breach is over, the CO should fully review both the causes of the breach and the effectiveness of the response to it. The review should be written up and sent to the next available management team meeting for discussion.

If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right.

If the breach warrants a disciplinary investigation, the manager leading the investigation should do so in line with Cornerstone’s Complaints Policy.

This breach procedure may need to be reviewed after a breach or after legislative changes, new case law or new guidance. Consideration should be given to reviewing this breach procedure whenever the data protection policy is reviewed.

Implementation

Cornerstone will ensure that staff are aware of the Data Protection Policy and its requirements, including this breach procedure. This should be undertaken as part of induction and supervision. If staff have any queries in relation to the policy, they should discuss them with their line manager or the CO.

Appendix 2: Retention and Disposal Schedule

Management & Organisation

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Senior Management Team Meeting Minutes | Current academic year + 6 years | Archive for Permanent Preservation
Staff Meeting Minutes | Academic year + 6 years | Destroy
College Development Plan | Retain in College for 10 years from closure of Plan | Archive for Permanent Preservation
Policies | Retain while current. Retain 1 copy of old policy for 2 years after being replaced | Destroy
Visitors Book | Current academic year + 6 years | Destroy
Circulars to Staff, Parents and Pupils | Current academic year + 3 years | Destroy
College Brochures/Prospectus | Current academic year + 3 years | Destroy
Comments/Complaints | 5 years after closing. Review for further retention in the case of contentious disputes | Destroy
Annual Report | Retain in College for 10 years from date of Report | Archive for Preservation
Emergency Planning/Business Continuity Plan | Until superseded | Destroy

Legislation and Guidance from DE, ELB, ESA, CCMS etc

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Circulars, Guidance, Bulletins from DE, ELB etc | Until superseded | Destroy
Correspondence re: Statistical Returns to DE, ELB etc | Current financial year + 6 years | Destroy
DE Reports, Inspections | Until superseded | Destroy

Students

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Pupil Admission Data – Applications for enrolment | 3 years after enrolment | Destroy
Pupil Admission Data – Transfer applications (Transfer Forms) | 3 years after enrolment | Destroy
Pupil Attendance Information/Registers | Date of Register + 10 years | Archive for Preservation
Pupil Education Records – College/Progress Reports etc | Until pupil is 23 years old | Destroy
Pupil Education Records – College/Progress Reports etc (Special Educational Needs) | Until pupil is 26 years old | Destroy
Child Protection Information – Record of concerns where case was not referred to Social Services | 10 years after last entry on file | Destroy
Child Protection Information – Social Services investigation outcome was unfounded or malicious | 10 years after last entry on file | Destroy
Child Protection Information – Social Services investigation outcome was inconclusive, unsubstantiated or substantiated | Until pupil is 30 years old | Destroy
Disciplinary Action (Suspension/Expulsion)/Offences – bullying | Until pupil is 23 years old | Destroy
Disciplinary Action (Suspension/Expulsion)/Offences – bullying (Special Educational Needs) | Until pupil is 26 years old | Destroy
Timetables + Class Groupings | Retain while current | Destroy
Examination Results | Current College year + 6 years | Destroy
Careers Advice | Current College year + 6 years | Destroy
Trips – Financial & Administration details | Current financial year + 6 years | Destroy
Trips – Attendance/Staff Supervision etc | Current financial year + 6 years. In the case of an incident/accident involving a pupil, retain until pupil is 23 years old, or 26 for a pupil with special educational needs | Destroy
Reports of Stolen/Damaged Items | Current financial year + 6 years | Destroy
Medical Records – records of Students with medical conditions and details for the administration of drugs when necessary | Until pupil is 23 years old or, in the case of a Special Needs Student, until 26 years old | Destroy

Staff

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Staff Personnel Records (including appointment details, training, staff development etc.) | 7 years after leaving employment | Destroy
Interview notes and recruitment records | Date of interview + 6 months | Destroy
Staff Salary Records | 7 years after leaving employment | Destroy
Staff Sickness Records (copies of Medical Certs) | Current College year + 6 years | Destroy
Substitute Staff Records – non teaching | Current College year + 6 years | Destroy
Student Records – non teaching | Current College year + 6 years | Destroy
Procedures for Induction of Staff | Until superseded | Destroy
Staff/Teachers’ Attendance Records | 7 years after leaving | Destroy
Staff Performance Review | 7 years after leaving | Destroy

Finance

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Annual budget and budget deployment | Current financial year + 6 years | Destroy
Budget Monitoring | Current financial year + 6 years | Destroy
Annual Statement of Accounts (Outturn Statement) | Current financial year + 6 years | Destroy
Order Books, Invoices, Bank Records, Cash Books, Till Rolls, Lodgement books etc | Current financial year + 6 years | Destroy
Postage Book | Current financial year + 6 years | Destroy
Audit Reports | Current financial year + 6 years | Destroy

Health & Safety

Record | Minimum Retention Period | Action After Retention
------ | ------------------------ | ----------------------
Accident Reporting (Adults) | Date of incident + 7 years | Destroy
Accident Reporting (Children) | Until pupil is 23 years old or, in the case of a Special Needs pupil, until 26 years old | Destroy
Risk Assessments – work experience locations/pupils | 7 years | Destroy
H & S Reports | 15 years | Destroy
Fire Procedure | Until superseded | Destroy
Security System File | For the life of the system | Destroy