Data Protection Policy
1. Introduction
A-life takes data protection and information security seriously. This policy describes how and why we obtain, store and process data which can identify an individual and also what the responsibilities of the company (A-life) and of the Staff. We may update this policy from time to time to remain up to date and compliant with the DPA (Data Protection Act 1998) and the GDPR (General Data Protection Regulation) in which case you will be notified that the policy has been updated and provided with a copy to familiarise yourself with.
2. The Information held by A-life
2.1 Information held on an employee:
Employees’ personal data will be kept safe, secure and up to date. Data that A-life may keep about an employee includes:
- name
- address
- date of birth
- sex
- education and qualifications
- work experience
- National Insurance number
- tax code
- details of any known disability
- emergency contact details
We will also keep details about an employee such as:
- employment history with the company
- employment terms and conditions (eg pay, hours of work, holidays, benefits, absence)
- any accidents connected with work
- any training taken
- any disciplinary action
An employee has a right to be told:
- what records are kept and how they’re used
- the confidentiality of the records
- how these records can help with their training and development at work
If an employee asks to find out what data is kept on them, the company will provide a copy of the information within 40 days of the request. The company will not keep data any longer than is necessary and will follow the rules laid out in the data protection.
2.2 Information held on anyone else
Customers’ personal data will be kept safe, secure and up to date. Data that A-life may keep about customers includes:
- School name
- Contact name
- School address
- School website address and IP address
- School social media address/es
- School email address
- School telephone number
- Contact (personal) email address
- Contact (personal) telephone number
- History of purchases the school has made with A-life
- Information relating to the school that is readily available on Edubase (e.g. primary school, approx. number of pupils, special educational needs school)
Information is collected from customers when they register with the company via the A-life website or via email, or when they contribute to or use some of the advanced features on the website. The information the company will collect is clearly set out on the web page on which it is collected. In addition, the company may collect an IP address and use cookies unless the customer has configured their web browser not to accept them. The company will also collect relevant information from the school’s website or from Edubase in order to offer services that are relevant to the school. When a customer books for A-life to visit their school, at times the company may collect personal email addresses and telephone numbers of the main contact, or the contact to meet on the day. This personal data is collected from that individual via email or telephone, and is only done so when consent is obtained from them.
3. Why the information is processed by A-life
A-life will collect information about a school so that the company can offer services to that school that will be relevant to them. When the company collects personal email addresses, it is so that the company can contact the main contact directly to arrange the booking, rather than through the school office. If the company collects a personal telephone number, it is used to make arrangements for and on the day. This contact number will only be used by employed office staff, or by a self-employed coach who will have previously agreed to follow this policy and data protection rules.
Personal email addresses will be kept securely after the booking so that the company can contact the customer for the next booking, however, the customer has a right to have this deleted at any time by asking the company in writing via email or letter. If the company has collected a personal telephone number, this will be deleted within two weeks after visiting the school and will no longer be used unless the company collects it again in future for the same purposes, at which time consent will also be obtained.
4 Lawful basis for collecting and processing personal data – consent
4.1 The lawful basis for the company processing any personal data that it holds on a customer is through obtained consent. Consent means offering people genuine choice and control over how their data is used. The information the company holds on schools is only the information freely available through the public websites of a school. If the school contact supplies the company with a personal email address or telephone number after initial contact is made by the company through the main school office, the school contact is giving consent for their personal data to be processed by the company through the action of providing it willfully. The action of the individual giving the company their personal email address and telephone number, they are consenting to the company using that data for the sole purposes of arranging and facilitating a booking. The individual can withdraw their consent at any time by writing to the company via email or letter, at which time the company will securely dispose of any personal data held on them within 30 days of the request.
4.2 Consent is managed as an ongoing process. Anyone that we hold personal information on through consent is given the right to withdraw consent at any time. Any emails or letters being sent to personal email addresses will have information below the signature relating to this ongoing process and the opportunity to request for personal data to be deleted.
5. How is the information stored and processed
Any information held by the company on employees or customers is held securely. Information held about customers is stored in an encrypted CRM system which is regularly monitored for security. Any information held in spreadsheets or documents outside of the CRM system is password encrypted. All access to this data is through company approved computers/ laptops that are password protected. Data held by A-life is accessible via an online connection, and so all staff with access to the CRM system or any other system that holds personal data, will be given the appropriate awareness training for data protection, and given the appropriate training measures so that they can continue to process the information in a safe and secure manner.
6. Who we disclose it to
6.1 The company will only pass on information about an individual (as opposed to aggregate information) to third parties to enable it to perform services requested by the individual or with their prior consent.
6.2 The company may also disclose or access individual’s account details if required to do so by law or by any Governmental body.
7. Right to be informed
Individuals will be informed that their data is collected, why it is processed and who it is shared with. This information is published in our privacy notice on our website and within any forms, emails or letters we send to individuals.
The information will be supplied free of charge in any circumstance.
8. Right of access
Individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that we provide in our privacy notice.
- A copy of the information held will be provided free of charge. However, a fee may be reasonably charged if a request:
- is manifestly unfounded or excessive, particularly if it is repetitive, unless we have refuse to respond; or
- is for further copies of the same information (that’s previously been provided).
- The fee will be based on the administrative cost of providing the information.
Information will be provided without delay and at least within one calendar month of receipt. This period may be extended by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation).
A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).
The identity of the person making the request must be verified, using “reasonable means”.
If the request is made electronically, the information will be provided in a commonly used electronic format.
8. Right to rectification of data
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
We will respond to a request without delay and at least within one month of receipt. This period can be extended by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If the information has been disclosed to a data processor (third party) we will inform them of the rectification where possible.
9. Right to erasure
Individuals have the right to be forgotten and can request the erasure of personal data when:
- it is no longer necessary in relation to the purpose for which it was originally collected/processed;
- the individual withdraws consent;
- the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- it was unlawfully processed (ie otherwise in breach of the GDPR);
- it has to be erased in order to comply with a legal obligation; or
- it is processed in relation to the offer of information society services to a child.
10. Retention and disposal schedule of information
Personal information that is no longer relevant should be disposed of as soon as it becomes unnecessary to hold it. Personal email addresses will be stored as long as we are still in contact with a school, unless the individual withdraws their consent for personal data to be held.
Personal telephone numbers must be deleted from the CRM and any other places it may be stored, such as a mobile telephone, within two weeks after we have visited the school. This must be done at the same time as following the aftersales process.
11. Data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
A breach of information must be reported to the ICO where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the company must notify those concerned directly and without undue delay.
In all cases the company must maintain records of personal data breaches, whether or not they were notifiable to the ICO.
In the case of an information breach, this must be reported to the DPO (Data Protection Officer) immediately so that the DPO can accurately report it and take appropriate measures. Not all breaches are notifiable to the ICO, however, a notifiable breach must be reported to the ICO within 72 hours of the business becoming aware of it.
12. Data processor contracts
Where an external data processor is used, for instance, an external CRM provider, we will have up to date contracts in place with them to ensure they can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
13. Information security
13.1 A-life takes information security very seriously and has put in place the appropriate security measures to keep any personal information held by the company secure. It is vital that all staff are aware of the process to follow to ensure information security is maintained.
13.2 roles and responsibilities:
The company director/ DPO is responsible for ensuring all staff understand how to keep stored personal information secure.
The company is responsible for ensuring the appropriate fire wall and internet security is used and provided for all computers used for work purposes.
The company is responsible for ensuring all external data processors are meeting GDPR guidelines.
All staff members are responsible for following the necessary processes to keep all personal information secure.
All staff members are responsible for reporting any information breaches immediately to the DPO.
The DPO is responsible for investigating all data breaches in accordance with the GDPR guidelines, and reporting any notifiable breaches to the ICO within 72 hours.
The DPO is responsible for regularly checking the GDPR and DPA guidelines and updating this policy when appropriate.
When this policy has been updated, the DPO is responsible for notifying all staff that is concerns.
All staff are responsible for familiarising themselves with this policy and any updates as they are notified.
Individual staff members must make every effort in following the recommended guidelines for protecting personal data, and understand that they may be committing a criminal offence if they deliberately try to access, or to disclose, information without authority.
13.2 Computers and passwords
All computers or portable laptops used by any staff member to access any information held by the company, must be password protected and not kept anywhere that would cause unreasonable risk of a data breach. Laptops should never be left in a locked car or in a public café; they must be kept securely and it is the responsibility of the staff member to ensure this.
Passwords must never be given out to anyone other than the staff member whom it was first given to. Passwords must remain protected, and any breach of security must be reported immediately and passwords must be changed accordingly.
On leaving the company, any staff member who has had access to company data, passwords, and personal data must immediately delete any information from their personal computers that may allow them access to this information in future. Any company computers or laptops must be returned to the company immediately. The staff member must not maintain any information on the company after leaving.
This policy should be regularly reviewed by the DPO and updated as necessary to comply with the DPA and GDPR guidelines. All staff will be notified of such changes.
For the purpose of this policy:
‘COMPANY’ refers to A-life and the staff within it
‘STAFF’ refers to any employed staff or subcontractor that is undertaking any kind of work with the company.
Data Protection Officer – Peter Adams