Data Protection Policy
1. General Statement of BBIS’ Duties
As part of its day to day operations, BBIS processes relevant personal data (which may be held on paper, electronically or otherwise) regarding Students (including past, current and prospective Students) and their parents and others who have parental responsibility in relation to the Students. BBIS recognises the need to treat such data in an appropriate and lawful manner in accordance with the GDPR. Data will be destroyed in accordance with the GDPR. Paper data will be destroyed by a cross cut shredder.
2. Data Protection Officer
The Data Protection Officer (DPO) is Tamas Fuzesy Finance Director who is responsible for ensuring that all personal data is processed in compliance with this policy and the Principles of the GDPR
3. The Principles
BBIS shall comply with the GDPR Principles (the Principles) contained in the GDPR which say that personal data must be:
- Fairly and lawfully processed;
- Processed for limited purposes and in an appropriate way;
- Adequate, relevant and not excessive for the purpose;
- Accurate and up-to-date;
- Not kept for longer than necessary for the purpose;
- Processed in accordance with the data subject’s rights;
- Not transferred to people and organisations situated in countries without adequate protection.
4. Personal Data
Personal data is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”
BBIS may process a wide range of personal data of Students, their parents or persons with parental responsibility for them as part of its operations. This personal data may include (but is not limited to); names and addresses, dates of birth, family details, health information, financial means, contact telephone numbers, and email addresses, bank details, academic, disciplinary, admissions and attendance records, and references.
5. Processing of Personal Data
Processing means doing anything with the data such as accessing, disclosing, destroying or otherwise using data.
BBIS will usually only process personal data where, in relation to personal data regarding Students, the pupil or the parent(s) or other person(s) having parental responsibility have given consent on the pupil’s behalf or where the personal data relates to parents or other person(s) having parental responsibility such persons have given consent.
BBIS will also process personal data where the processing is necessary for BBIS to comply with its legal obligations to Students, their parents or persons with parental responsibility.
In other cases, processing may be necessary for the protection of the Students’ vital interests, BBISs legitimate interests or the legitimate interests of third parties. The full list of conditions for the lawful processing of data is set out in the Data Protection Act.
6. Sensitive Personal Data
Sensitive personal data about ethnic origin, political opinions, religious or similar beliefs, health, sex life, criminal proceedings or convictions will usually only be processed when the parent(s) or other person(s) having parental responsibility for the pupil have given explicit consent on behalf of the pupil or on their own behalf in relation to sensitive personal data about themselves, usually in writing. Consent will not be required to comply with a legal obligation of BBISs or to protect the Students’ vital interests. The full list of conditions is set out in the Data Protection Act 1998.
BBIS may process sensitive personal data relating to Students, including as appropriate:
- Information about a pupil’s physical or mental health or condition in order to monitor attendance and academic progress and make decisions with regard to the Students educational needs;
- In order to comply with legal requirements and obligations to third parties.
7. Processing for Limited Purposes
BBIS will only process personal data for the specific purpose or purposes notified to Students and their parents or other persons having parental responsibility for them or for any other purposes specifically permitted by the Data Protection Act.
8. Adequate, Relevant and Non-Excessive Processing
Personal data will only be processed to the extent that it is necessary for the specific purposes notified to Students and their parents or other persons having parental responsibility for them.
9. Data Retention
BBIS will not keep personal data relating to Students or their parents or other persons having parental responsibility for them for longer than is necessary for the purpose. This means that data will be destroyed or erased from BBISs systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed, contact the DPO.
10. Processing in line with Pupil/ Parental Rights
Students and their parents and other persons having parental responsibility for them have the right to:
- Request access to any personal data BBIS holds about them.
- Prevent the processing of their data for direct-marketing purposes.
- Ask to have inaccurate data held about them amended.
- Prevent processing that is likely to cause unwarranted substantial damage or distress to them or anyone else.
- Object to any decision that significantly affects them being taken solely by a computer or other automated process.
11. Data Security
BBIS will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to, personal data.
BBIS has in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. BBIS will only transfer personal data to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
12. Providing Information to Third Parties
Personal data will not be disclosed to a third party without the consent of the pupil’s parents or other person having parental responsibility for them unless BBIS is satisfied that they are legally entitled to the data. Where BBIS discloses personal data to a third party, it will have regard to the Principles.
13. Rights of Access
Subject to the exceptions referred to below, Students and their parents and other persons having parental responsibility for them have a right of access to information held by BBIS. Any individual wishing to access their personal data should put their request in writing to the DPO.
Certain data is exempt from the right of access under the Data Protection Act. This includes information which identifies other individuals, information which BBIS reasonably believes is likely to cause damage or distress, and information which is subject to legal professional privilege.
BBIS will also treat as confidential and will not disclose any reference given by BBIS for the purpose of the education of any pupil. BBIS acknowledges that an individual may have the right to access a reference relating to them received by BBIS. However such a reference will only be disclosed if it is possible to disclose the reference without identifying who has given it or where the individual will not identify the source of the reference or where the referee has given their consent or if disclosure is otherwise reasonable in all the circumstances.
14. Whose Rights
The rights under the Data Protection Act are the individual to whom the data relates. BBIS will, however, in most cases rely on parental consent to process data relating to Students.
BBIS will grant the pupil direct access to their personal data if in BBIS’s reasonable belief the pupil understands the nature of the request and it is felt to be in the best interests of the pupil to do so. As a general guide, a child age 12 or older is expected to be mature enough to understand the request they are making. A child may however be mature enough at an earlier age, or may lack sufficient maturity until a later age. All requests will be considered on a case by case basis. Students are deemed to have given their consent to BBIS disclosing their personal data to their parents or persons having parental responsibility for them but that implied consent can be withdrawn by the pupil giving notice in writing to BBIS.
Where a pupil raises a concern confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or persons having parental responsibility for them, BBIS will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where BBIS believes disclosure will be in the best interests of the pupil or other Students.
There are situations where access to information may be withheld by BBIS:
a) The Data Protection Act contains a number of exemptions when information may be withheld, these include:
- information which might cause serious harm to the physical or mental health of the pupil or another individual;
- cases where the disclosure would reveal a child is at risk of abuse;
- information contained in adoption and parental order records.
b) Unstructured personal information.
BBIS will generally not be required to provide access to information held mutually and in an unstructured way.
16. Disclosure of Information
BBIS may receive requests from third parties to disclose personal data it holds about Students, their parents or persons having parental responsibility for them. BBIS confirms that, subject as set out below, it will not generally disclose information unless the individual has given their consent in writing or one of the specific exemptions under the Data Protection Act applies. However BBIS does intend to disclose such data as is necessary to third parties for the following purposes:
- To give a confidential reference relating to a pupil to any educational institution which it is proposed that the pupil may attend.
- To give information relating to outstanding fees or payment history to any educational institution which it is proposed that the pupil may attend.
- To publish the results of achievements of Students of BBIS.
- To disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example for medical advice, insurance purposes or to organisers of school trips.
Where BBIS receives a disclosure request from a third party in relation to the matters referred to above it will take reasonable steps to verify the identity of that third party before making any disclosure.
17. Use of Personal Information by BBIS
BBIS will, from time to time, make use of personal data relating to Students, their parents or guardians in the following ways. Should a Parent wish to limit or object to any such use this should be notified the DPO in writing.
- To make use of photographic images of Students in school publications and on BBIS website. However, BBIS will not publish photographs of individual Students with their full names without the express agreement of the appropriate individual, parents are able to opt out of this by a declaration on the parental agreement.
- For fundraising, marketing or promotional purposes and to maintain relationships with Students of BBIS, including transferring information to any association, society or club set up for the purpose of establishing or maintaining contact with Students, or for development, fundraising, marketing or promotional purposes.
BBIS will ensure that all personal data held in relation to an individual is accurate and up to date. Data which is inaccurate or out of date will be erased or destroyed. Individuals must notify the DPO of any changes to information held about them or if they become aware that there are inaccuracies in the personal data held about them.
BBIS will take reasonable steps to ensure that members of staff and owners will only have access to personal data relating to Students, their parents where it is necessary for them to do so. All owners and staff will be made aware of this policy and their duties under the Data Protection Act. BBIS will ensure that all personal information is held securely and is not accessible to unauthorised persons. When disposing of records and equipment BBIS will make sure that personal information cannot be retrieved from them.
Personal data will not be held for longer than is necessary.
If an individual believes that BBIS has not complied with this policy or acted otherwise than in accordance with the Data Protection Act, they should notify the DPO in the first instance. BBIS’s Complaints Procedure may also be used. A copy of the procedure is available on BBISs website and from the DPO.
|Author||Dr David Porritt|
|Position of Author||Principal|
|Reviewed by||David Porritt, Tamas Fuzesy, Gabor Kocsor, Jon Spinks|
|Review Frequency||2 years|
|Next Review Date||February 2024|