top of page

Data Protection Policy

Introduction

W1se Angels is committed to preserving the privacy of its learners and employees and to complying with the Data Protection Act 1998. To achieve this commitment information about our learners, employees and other clients and contacts must be collected and used fairly, stored safely and not unlawfully disclosed to any other person. 

 

Information that is already in the public domain is exempt from the Data Protection Act 1998. It is Centre policy to make as much information public as possible and in particular the following information will be available to the public. 

Principles

The Centre, its staff and others who process or use any personal information must ensure that they follow the data protection principles set out in the Data Protection Act 1998. These are that personal data shall: 

 

  • Be obtained and processed fairly and lawfully 

  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose 

  • Be adequate, relevant and not excessive for those purposes 

  • Be accurate and kept up to date 

  • Not be kept longer than is necessary for that purpose 

  • Be processed in accordance with the data subject rights 

  • Be kept safe from unauthorised access, accidental loss or destruction 

  • Not be transferred to a country outside the European Economic area, unless that country has equivalent levels of protection for personal data. 

 

The Centre will not release staff or learner data to third parties except to relevant statutory bodies. In all other circumstances, the Centre will obtain the consent of the individuals concerned before releasing personal data.

Responsibilities of staff

Information about yourself 

 

All staff are responsible for:

​

  • Checking that any information they provide to the Centre in connection with their employment is accurate and up-to-date

  • Informing the Centre of any changes to the information, which they have provided i.e. change of address 

  • Informing the Centre of any errors or changes. The Centre cannot be held responsible for any errors unless the staff member has informed us of them.

​

Information about other people 

 

All staff must comply with the following guidelines: 

 

All staff will process data about individuals on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The Centre will ensure through registration procedures, that all individuals give their consent to this type of processing, and are notified of the categories of processing, as required by the 1998 Act. The information that staff deal with on day-to-day basis will be ‘standard’ and will cover categories such as:

 

  • General personal details such as name and address

  • Details about class attendance, course work marks and grades and associated comments 

 

Information about an individual’s physical or mental health; sexual orientation; political or religious views, trade union membership or ethnicity or race is sensitive and can only be collected and processed with consent. 

 

All staff have a duty to make sure that they comply with the data protection principles, which as re set out in the Centre’s Data Protection Policy. In particular, staff must ensure that records are: 

 

  • Accurate 

  • Up-to-date 

  • Fair 

  • Kept and disposed of safely, and in accordance with the Centre policy

 

The Centre will designate staff in the relevant area as ‘authorised staff’. These staff are the only staff authorised to access data that is: 

 

  • Not standard data; or 

  • Sensitive data 

 

The only exception to his will be if a non-authorised member is satisfied and can demonstrate that the processing of the data is necessary: 

​

  • In the best interest of the individual or staff member, or a third person, or the Centre AND 

  • He or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances 

  • This should only happen in very limited circumstances. For example, an individual is injured and unconscious and in need of medical attention, or a member of staff tells the hospital that the individual is pregnant or a Jehovah’s Witness.

 

Authorised staff will be responsible for ensuring that all personal data is kept securely. In particular staff must ensure that personal data is:

 

  • Put away in lockable storage 

  • Not left on unattended desks or tables 

  • Unattended ICT equipment should not be accessible to other users 

  • ICT equipment used off-site must be password-protected 

  • Data files on CD or memory stick or email attachments used off-site containing personal data must be password-protected 

  • Paper records containing personal data must be shredded where appropriate 

 

Staff must not disclose personal data to any other staff member except with the authorisation or agreement of the designated data controller, or in line with the Centre policy.

 

Before processing any personal data, all staff should consider the following: 

 

  • Do you really need to record the information?

  • Is the information ‘sensitive’?

  • If it is sensitive, do you have the data subject’s express consent?

  • Has the individual been told that this type of data will be processed?

  • Are you authorised to collect/ store/ process the data?

  • If yes, have you checked with the data subject that the data is accurate?

  • Are you sure that the data is secure?

  • If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?

Responsibilities of staff

Staff, individuals and other users of the Centre have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the Centre Standard Request Form for Access to Data and send to HR Manager. This request should be made in writing using the Standard Form to Access Data also located on the staff intranet.

​

​The Centre aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days (in line with legislation) unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request. 

Subject consent

In many cases, the Centre can only process personal data with the consent of the individual. In some case, if the data is sensitive, express consent must be obtained. Agreement to the Centre processing some specified classes of personal data is a condition of acceptance of an individual onto any course, and a condition of employment for staff. This includes information about previous criminal convictions. 

 

Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The Centre has a duty under the Children Act and other enactment to ensure that staff are suitable for any job offered. The Centre also has a duty of care to all staff and learners and must therefore make sure that employees and those who use the Centre facilities do not pose a threat or danger to other users. 

 

The Centre will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The Centre will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example. 

 

Therefore, all prospective staff and learners will be asked to sign either an appropriate HR form or an individual document regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such documents may result in the offer being withdrawn.

Guidelines for retention of personal data 

data-protection-policy.png
bottom of page