Data Protection Policy
Edubox needs to collect and use certain information about individuals in order to ensure the smooth and efficient running and operation of its business and services.
These may include customers (both schools and parents/children), employees and other people the organisation has a relationship with or may need to contact.
The policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
This policy ensures that Edubox:-
i) complies with data protection law and follows good practice
ii) protects the rights of staff, customers and partners
iii) is open and transparent about how it stores and processes individuals’ data
iv) protects itself from the risks of a data breach
DATA PROTECTION LAW
The General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 ("Data Protection Laws") describe how organisations including Edubox must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The company endorses fully and adheres to the following six principles of data protection, as set out in Article 5 of the GDPR.
• Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
• Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
WHO THIS POLICY APPLIES TO
This policy applies to:
• Edubox main hub
• All staff employed by Edubox
• Anybody who may be working on behalf of Edubox (ie subcontractors)
DATA PROTECTION RISKS
This policy helps to protect from data security risks including:-
i) Breaches of confidentiality – for example information being given out inappropriately.
ii) Reputational damage. For example, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for Edubox has some responsibility for ensuring data is collected, stored and handled appropriately.
GUIDELINES FOR STAFF
The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally.
Edubox will provide guidelines to all employees in order to understand their responsibilities when handling data.
Employees should keep all data secure by taking appropriate and proportional precautions (electronically and non-electronically).
Relating to electronic data, strong passwords must be used and should never be shared (save where Edubox expressly requires you to do so).
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated in the event of the information being out of date. Data should be deleted and disposed of if not used within 6 years provided there is no legal reason to keep the data for a longer period.
Employees should request advice from their line manager or the Director if they are unsure about any aspect of data protection.
STORAGE OF DATA - PAPER INFORMATION
When not required, paper or files should be kept securely at the Registered Company Office and Edubox Hub.
Employees should treat any printouts of personal information as Private and Confidential. They should not leave any documents where unauthorised people could see them, for example on a printer or photocopier, or in a school.
When no longer required, data printouts should be disposed of by the shredding of the documents.
STORAGE OF DATA - ELECTRONIC DATA
Any data which is stored electronically must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
Data should be protected by strong passwords, changed regularly and never shared between employees.
If data is stored on removable media (like a USB memory stick, CD etc), these should be locked away securely when not being used.
Data should only be stored on Edubox drives and servers.
Data should be backed up frequently and checked regularly by the IT company contracted by Edubox.
Data should not be saved directly to personal laptops or other personal mobile devices such as tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.
USE OF DATA
When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
Data of a personal nature should not be shared informally between employees. Electronically, data should only be sent through recognised secure systems (ie the Edubox intranet or password-protected software); where agreed information is shared with a school or council department, an Information Sharing Agreement needs to be in place. Where paper copies are shared, this should be done by sending the information direct to the teacher by Royal Mail or, in the case of sending to a school, by either a) Royal Mail or b) password-protected software.
Personal data should never be transferred outside of the European Economic Area.
Employees should not save copies of personal data to their own computers. Computers and iPads belonging to Edubox are provided to staff in order to access company information.
ACCURACY OF DATA
The law requires Edubox to take reasonable steps to ensure data is kept accurate and up to date – it is the responsibility of all employees who work with the data to ensure the information is kept as accurate and up to date as possible.
Data should be held in as few places as necessary. Staff should not create any unnecessary additional data sets and this information should be held on the drives and servers provided by Edubox.
Staff should take every opportunity to ensure data is accurate and updated, for instance by confirming a customer’s details when they call.
Edubox should make it easy for data subjects to update the information that Edubox holds about them, for instance by advising customers via the website how to contact the company.
Data should be updated as inaccuracies are discovered. For example, if a customer is no longer available on the provided number, that number should be removed from the database.
SUBJECT ACCESS REQUEST
All individuals who are the subject of personal data held by Edubox are entitled to:-
• Ask what information Edubox holds about them and why
• Ask how to gain access to it
• Be informed how to keep the information up to date
• Be informed how the company is meeting its data protection obligations
A subject access request is when an individual contacts the company requesting the information it holds about them.
Requests can be made by completing the ‘Subject Access Request’ form but the use of this form is not a formal requirement. Edubox will need to verify the identity of anyone making a subject access request before handing over any information.
If requested, Edubox will aim to provide the relevant data within 30 days.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances, Data Protection Laws allow personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, the Director will disclose requested data. However it must be ensured that the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent are allowed. As required by the GDPR, the company takes a "granular" approach ie it asks for separate consent for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent, the company ensures that people can easily withdraw consent (and tells them how this can be done).
It should be noted, however, that consent is only one of the lawful bases on which data processing depends. In brief, the others include the following:
• Contract: if processing someone’s personal data is necessary to fulfil the company's contractual obligations to them (eg to provide a quote)
• Legal obligation: if processing personal data is necessary to comply with a common law or statutory obligation
• Vital interests: not one that will occur often, as it refers to processing personal data to protect someone’s life (and even then, it cannot be relied on with regard to health data or other special category data if the individual is capable of giving consent)
• Legitimate interests: the most flexible lawful basis for processing and one which applies when data is used in ways people would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Edubox aims to ensure that individuals are aware that their data is being processed and that they understand how the data is being used and how to exercise their rights.
Edubox has a Privacy Notice setting out how data relating to individuals is used by the company – this is available on request.